Review pins blame for Medicare ID breach on you. All of you

Comment The Australian government's review of an incident that saw health care customer numbers offered for sale on a Tor “darknet” site has recommended retaining the numbers as acceptable proof of identity.

Australian adults are all issued a "Medicare card" entitling them to government-funded healthcare. The cards bear the unique customer numbers that made their way onto Tor. The problem faced by the “Shergold review” (here, with individual documents downloadable as Word files) was therefore simple: Medicare cards are everywhere (there are more than 14 million of them), they're embedded in Australia's health system, and they are trusted as a secondary identifier to do things like open bank accounts.

However, reading the recommendations of the review, it's hard to credit that the panel truly understands security or identity, nor that it's properly attributed the cause of the problem.

The report is shot through with the idea that individuals can somehow protect the integrity of their Medicare card number, even though the number is accessible on pretty much any computer in the health system.

For example: in Recommendation 2, individuals should be urged to “protect their Medicare card”; in Recommendation 4, individuals should give doctors their consent to access their Medicare card number; and in Recommendation 5, people would get a right to see an audit log of accesses of their card number.

Loading up individual responsibility is useless where people lack agency: if you're in front of a doctor needing treatment, “consent” is all-but forced.

Or take the idea of individuals checking their logs: the report notes more than 600 million services claimed against the 14 million cards in 2016-2017, an average of more than 40 Medicare services per card, annually.

How many of us keep records of our visits to medical services with sufficient granularity to allow the question “why are there 44 services in the log? I only used the card 42 times”. How many of us understand the labyrinthine workings of the health system well enough to understand that such a discrepancy could be a feature, not an error?

None of which would solve the problem of an insider abusing a valid login to the Health Professionals Online System (HPOS).

As to Recommendation 3, that “health professionals should be required to take reasonable steps to confirm the identity of their patients when they are first treated”, we're still a long way from anything that protects a Medicare card number from a breach.

The review only arrives at security measures at Recommendation 7, with the suggestion that HPOS logins shouldn't last forever: “It is recommended that delegations within HPOS should require renewal every 12 months, with a warning to providers and their delegates three months before the delegation expires.”

The review also recommends limiting batch requests from providers, updating authentication from PKI to “Provider Digital Access” (PRODA) within three years, suspending inactive accounts, streamlining account management, discouraging telephone access, and beefing up the security of phone checks.

These, at least, make sense, but what are we to make of this: “organisations that accept Medicare cards as evidence of identity ... utilise the DVS to confirm that the card and/or number being presented corresponds with a valid and current record held by the Department of Human Services” (DVS is the government's Document Verification Service).

Let's reiterate: the Medicare card numbers offered for sale were valid card numbers. If someone offered that number as a secondary identifier, and if a bank (for example) checked it with the Department of Human Services, it would have been told the number was valid. ®