Review pins blame for Medicare ID breach on you. All of you

Gov wants us to protect Medicare numbers. In return it will protect something

Comment: The Australian government's review of an incident that saw health care customer numbers offered for sale on a Tor “darknet” site has recommended retaining the numbers as acceptable proof of identity.

Australian adults are all issued a "Medicare card" entitling them to government-funded healthcare. The cards bear the unique customer numbers that made their way onto Tor. The problem faced by the “Shergold review” (here, with individual documents downloadable as Word files) was therefore simple: Medicare cards are everywhere (there are more than 14 million of them), they're embedded in Australia's health system, and they are trusted as a secondary identifier to do things like open bank accounts.

However, reading the recommendations of the review, it's hard to credit that the panel truly understands security or identity, nor that it's properly attributed the cause of the problem.

The report is shot through with the idea that individuals can somehow protect the integrity of their Medicare card number, even though the number is accessible on pretty much any computer in the health system.

For example: in Recommendation 2, individuals should be urged to “protect their Medicare card”; in Recommendation 4, individuals should give doctors their consent to access their Medicare card number; and in Recommendation 5, people would get a right to see an audit log of accesses of their card number.

Loading up individual responsibility is useless where people lack agency: if you're in front of a doctor needing treatment, “consent” is all but forced.

Or take the idea of individuals checking their logs: the report notes more than 600 million services claimed against the 14 million cards in 2016-2017, an average of more than 40 Medicare services per card, annually.

How many of us keep records of our visits to medical services with sufficient granularity to allow the question “why are there 44 services in the log? I only used the card 42 times”? How many of us understand the labyrinthine workings of the health system well enough to understand that such a discrepancy could be a feature, not an error?

None of which would solve the problem of an insider abusing a valid login to the Health Professionals Online System (HPOS).

As to Recommendation 3, that “health professionals should be required to take reasonable steps to confirm the identity of their patients when they are first treated”, we're still a long way from anything that protects a Medicare card number from a breach.

The review only arrives at security measures at Recommendation 7, with the suggestion that HPOS logins shouldn't last forever: “It is recommended that delegations within HPOS should require renewal every 12 months, with a warning to providers and their delegates three months before the delegation expires.”

The review also recommends limiting batch requests from providers, updating authentication from PKI to “Provider Digital Access” (PRODA) within three years, suspending inactive accounts, streamlining account management, discouraging telephone access, and beefing up the security of phone checks.

These, at least, make sense, but what are we to make of this: “organisations that accept Medicare cards as evidence of identity ... utilise the DVS to confirm that the card and/or number being presented corresponds with a valid and current record held by the Department of Human Services” (DVS is the government's Document Verification Service).

Let's reiterate: the Medicare card numbers offered for sale were valid card numbers. If someone offered that number as a secondary identifier, and if a bank (for example) checked it with the Department of Human Services, it would have been told the number was valid.
