What does one do when an online system that lets tens of thousands of people in the health sector look up Medicare numbers is being abused for profit and to support identity crime? Call in Peter Shergold.
The Australian Federal Police are already on the case but now the federal government has secured the prominent public administration expert to review the “accessibility by health providers of Medicare numbers” through Health Professionals Online Services as well.
Soon after The Guardian exposed a black-market online service offering scammers the ability to look up anyone’s Medicare number based on a few basic personal details of their “mark”, it became apparent that the eight-year-old HPOS system was likely being abused.
The system was introduced in 2009 with an “enhanced lookup function” added the following year, and allows health providers to look up the Medicare card numbers of patients using only their name and date of birth. “They can access it through a secure online system or over the existing telephone network” and providers collectively do so about 45,000 times a day, according to a statement from Minister for Health Greg Hunt and Minister for Human Services Alan Tudge.
The ministers report HPOS has not been “significantly altered” in the past eight years and have set a high bar for a future upgrade. In the wake of the high-impact news report, they say it needs to be “both convenient and utterly secure” at the same time. That’s where Shergold comes in.
He will work with Australian Medical Association president Dr Michael Gannon and Royal Australian College of General Practitioners president Dr Frank Jones, supported by a secretariat from the Department of Human Services, Department of Health and Attorney-General’s Department. They will publish an interim report by August 18 and finalise their views on the following by September 30:
- The type of identifying information that a person should be required to produce to access Medicare treatment in both urgent and non-urgent medical situations.
- The effectiveness of controls over registration and authentication processes at the health provider’s premises to access Medicare card numbers.
- Security risks and controls surrounding the provision of Medicare numbers across the telephone channel, and the online connection between external medical software providers and HPOS.
- The sufficiency of control by patients and the appropriateness of patient notification regarding access to their Medicare number.
- The adequacy of compliance systems to identify any potential inappropriate access to a patient’s Medicare number.
- Any other identified area of potential weakness associated with policy, process, procedures and systems in relation to accessibility of Medicare numbers.
The government wants Shergold, Gannon and Jones to come up with “immediate practical improvements to the security of Medicare numbers” without making it harder for patients to get medical care without their card. The review team may also make medium to long-term recommendations for future improvements or simply flag issues for further attention. They will work in consultation with state, territory and federal public servants as well as bodies representing health consumers and professionals.
“The review follows recent public discussion about an alleged breach related to a small number of Medicare card numbers,” said Tudge and Hunt, playing down the significance of the dark web service for identity fraudsters.
“We re-emphasise that a Medicare card number alone does not provide access to any medical or clinical records,” the ministers add.
“Medicare cards and Medicare numbers have always been sought by criminals. This review will identify options to improve the security of Medicare numbers while continuing to support the accessibility of medical care.”
According to the joint statement, HPOS was introduced so “people in an emergency situation could get treatment immediately even if they did not have their card with them” and this is “particularly important for vulnerable Australians” — which may be laying it on a trifle thick.
Tudge and Hunt say the AMA and RACGP both strongly support the system “due to its convenience and ability to provide immediate patient care” but also say the online system is an “alternative avenue” to checking a patient is entitled to Medicare benefits over the phone.