DHS to take staged approach in move from PKI certificates to PRODA

The Department of Human Services will end the use of site and individual public key infrastructure (PKI) certificates for healthcare provider authentication by December 2020 in favour of the more secure Provider Digital Access (PRODA) system.

The announcement is part of the federal government’s response to the independent review of health providers’ access to Medicare card numbers, which was sparked by the revelation that some numbers could be bought on the dark web.

The review panel, made up of retired public servant Peter Shergold, RACGP president Bastian Seidel and AMA Council of General Practice deputy chair Kean-Seng Lim, recommended last year that the government move from PKI to PRODA for authentication when accessing DHS’s Health Professional Online Services (HPOS) system.

Among the other 13 recommendations was that the delegation of authority to access HPOS to administrative staff be tightened up by requiring delegations to be renewed every 12 months, and that patients be asked for explicit consent to their Medicare data being accessed when first presenting for care.

The government has accepted all of the recommendations and promised to implement seven of them by June 30, with a further four to be fully implemented by December 31 and one by mid-2019. The remaining two require no changes to current practice.

The move from PKI to PRODA has already begun, with DHS ceasing to issue PKI individual certificates where PRODA provides the required functionality.

DHS says it is actively encouraging health professionals to revoke their PKI certificate once they have established a PRODA account.

It plans to revoke existing PKI certificates for deregistered health professionals, those with duplicate certificates and those who hold a PRODA account.

It will also cease renewals for PKI individual certificates and eventually revoke all existing PKI individual certificates and site certificates.

It hopes to have 85 per cent of individual certificates revoked within 18 months, with the rest of the individual certificates and all PKI site certificates revoked by December 2020.

HPOS delegations to admin staff will need to be renewed every year, with a warning sent three months before the expiry date.

The one recommendation that DHS says will need further work is the phase-out of telephone channels for checking Medicare numbers, except in exceptional circumstances.

DHS says it will develop a strategy to minimise usage of the telephone channel without disadvantaging particular practices or vulnerable groups. The aim is to finish the phase-out by mid-2019.

On the issue of gaining patient consent to access Medicare numbers, DHS says work to implement this has commenced and it will communicate the new requirements to health professionals through its usual information channels.

Patients will also be able to find out who has checked their Medicare numbers through an audit log.

For hospitals and large healthcare providers that download large batches of Medicare numbers, there will now be a limit of 50 card numbers per request and just one request allowed per day. DHS says it will introduce a new process for healthcare providers to apply for a higher limit.
