It Seems Some Facts Are Rather Easily Forgotten. The Medicare Card is not a Trustworthy Token.

I am sure at least some readers will be amazed that it is now almost exactly four years since I posted the first blog.

As I type on 6 March 2010 it seems fitting to repost the first post to see how I have gone:

Health IT Introduction

The intent for this blog is to provide commentary, feedback and information on the e-health activity, processes, industry, politics and governance in Australia.

The aim is to provide clarity and transparency for all involved as to what is going on, who is doing what with whom and what is driving what is happening.

Enjoy

David

Posted by Dr David More MB, PhD, FACHI at Sunday, March 05, 2006 0 comments

I will leave it to others to say what they think but I think I have stuck pretty closely to the goals I set out with.

Certainly the readership has continued to grow as you can track from the little counter on the left of the main text.

Since the blog started there have been over 142,000 visits to the site with in excess of 240,000 page views.

As I was looking at the first few entries this one struck me.

Thursday, March 09, 2006

Card Confusion and Mis-Identity

The main news today is the revelation from the Sydney Daily Telegraph of the scope of the rorting and the degree of fraud and identity fakery going on with the current Australian Medicare card.

To quote the article:

"A STAGGERING 500,000 Medicare cards have been lost or stolen in the past 12 months, with some being used to create fake identities and make fraudulent benefit claims.

In a bid to tackle identity fraud, Human Services Minister Joe Hockey called for a photo of the holder to be included on Medicare cards, which currently only contain a person's name and Medicare number.

Criminals are using the lost or stolen cards to set up fake identities, open bank accounts and claim Medicare benefits and prescription medicine subsidies that they are not entitled to."

What is clear here is that the system simply lacks the robustness required, and to be made fit for purpose (i.e. to prevent fraud and to permit accurate identification of individuals) a large investment will be required.

Recently a UK expert suggested that the total cost of identifying each citizen reliably with appropriate biometrics is of the order of $250 per individual. Even if it is just 1/2 this we are talking billions of dollars and with the loss rates of the Medicare card - huge ongoing replacement and renewal costs.

One hopes the business case for taking on this expenditure is sound - and that all the parts of government involved in identification schemes (Health, Human Services, Attorney General and Immigration) are co-ordinating their activity to minimise waste and to preserve privacy.

David

----- End Extract.

Sadly the links no longer work but there is a lot of information on the reliability of the Medicare Card to be found here:

http://www.efa.org.au/Publish/efasubm-dhstf-regist-200704.html

Now while I am sure things have improved the fact that the card is apparently as unreliable as it is must be a cause for concern.

“The Discussion paper states:

"Similarly there needs to be greater information provided about the encryption of signatures so as to minimise the security risks associated with copying of signatures from lost or stolen cards.

This is especially relevant to lost or stolen Medicare cards (some 500,000 each year); especially as such cards figure in something like one-half of all cases of identity fraud. Current Medicare cards, of course, do not carry either a photograph or a signature."

Section 5.

The following I have to say – from the same document fair took my breath away.

4.1(d) Use of Medicare Cards to establish bank accounts etc

"At present, if you lose your Medicare card, it is very easy for someone to take that and use it to claim benefits in your name. They can even use it as proof of identity to establish such things as bank accounts in order to perpetrate identity theft." (DHS Supp Subm)

The Medicare Card is what the AFP call a 'breeder document' since it can be used to produce higher forms of identity documentation. (DHS Supp Subm)

Drivers licences and birth certificates are also breeder documents and that is why the Attorney-General's Department is developing the Document Verification Service, to enable breeder documents to be verified with the document issuer.

Moreover, it appears that the existing Medicare card will not be able to be used as a breeder document, nor as an EOI document, after December 2007, at least not in the banking/financial services industry. As a result of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act), the existing 100 Point ID check system (under which Medicare cards are worth 25 points) will cease to exist.

New Rules made pursuant to s229 of AML/CTF Act[40] were issued by AUSTRAC[41] on 30 March 2007 and will come into effect from December 2007. The Rules include safe harbour provisions detailing the types of evidence of ID documents which financial institutions may use in order to be covered by the safe harbour protection. Medicare cards are not included in list of acceptable identification documents (see Clause 4.2.11) and also do not meet the definitions of the various types of acceptable ID documents.

Hence, the ability to use a forged or stolen/lost Medicare card to open bank accounts etc will apparently cease from December 2007, whether or not it is replaced by an Access Card. In addition, use as a breeder document is likely to be significantly reduced if other sector organisations continue the practice of referring to financial sector rules in deciding which types of identification documents they will accept.

----- End Extract.

So the Card is OK to act as a key for Health Identifiers but NOT OK to set up and access bank accounts. Priorities seem to be a bit confused here!

I wish I had remembered all this when I was doing my submission to the Senate.

David.

0 comments:

Post a Comment