How many of us would know if a staff member with Medicare lookup ability was compromised by a criminal gang?
I reckon that I have access to a heap of systems where Medicare lookups via HPOS is available to ALL staff using site PKI in a web browser. It is quite common.
I see many instances of doctors ‘authorising’ staff to look up billed items (eg care plan items) in patient billing history via HPOS (via Proda credentials).
I saw many, many instances where the doctor had ordered a personal PKI dongle that lived in the practice manager’s desk drawer with the passwords. Often staff would access HPOS pretending to be the doctor without the doctor’s explicit knowledge. This still happens with PRODA access.
It was recently revealed that on the dark web, you can purchase Medicare Card details with a full name + DOB.
This blog about the above article includes this quote:
> It’s possible that OzRort has compromised a healthcare organization and has access to a computer with the digital certificate.
How do we get logs of who has accessed HPOS using our certificates? We would need to see whose Medicare card details were searched for and when, as well as who by, and from which local IP address as well as internet IP address. I’ve not seen this as possible.
In HPOS >> My Details >> My Access history, it looks like all users accessing via a site certificate are shown as the principal contact (i.e. the doctor that owns the clinic), with access details recorded as ‘Find a patient – Patient name and date of birth’. With ten of those lines for yesterday alone, how could the business owner know which patients were actually checked?
I can’t remove myself as authorised person from PIP, PNIP, or location PKI as I no longer work with those organisations. Once I’d realised this, I went out of my way not to ever become the authorised person in the first place. I still have three organisations where I am listed as either the Responsible Officer (RO) or an Organisation Maintenance Officer (OMO) of a seed organisation, as shown under my PRODA login >> My programs.
I see that this entire HPOS system was poorly implemented, and that it is entirely possible that the business owner may well be liable, but completely unaware that someone on their staff could be selling details of non-patients to the criminal underworld.
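The attribution gap described above (HPOS access history naming only the principal contact when a shared site certificate is used) is one a practice can partly close from its own side, because every lookup still leaves an outbound connection in the practice's proxy or firewall log. The script below is an added example, not code from the post's author or from Services Australia; it joins a constructed HPOS access-history export against a constructed proxy log by timestamp, so each lookup is tied to the local workstation and logged-in user active at that moment, and flags lookups with no local match (the certificate being used somewhere other than the practice network) or made by a user the practice never authorised. The CSV column layout, the proxy log layout, the HPOS hostname and the user names are all assumptions made for this example.

```python
"""Attribute shared-certificate HPOS lookups to local workstations.

Added example (not the post's or Services Australia's code). The HPOS export
layout, proxy log layout and hostname are assumptions made for this example.
"""
from datetime import datetime, timedelta

# Constructed sample of an HPOS "My Access history" export: timestamp, the
# user HPOS shows (always the principal contact for a site certificate), action.
HPOS_ACCESS_HISTORY = """\
2024-05-06T09:12:03,Dr Example Principal,Find a patient - Patient name and date of birth
2024-05-06T09:12:40,Dr Example Principal,Find a patient - Patient name and date of birth
2024-05-06T21:47:15,Dr Example Principal,Find a patient - Patient name and date of birth
"""

# Constructed sample of the practice's outbound proxy log:
# timestamp, workstation IP, logged-in user, destination host.
PROXY_LOG = """\
2024-05-06T09:12:01 192.0.2.11 reception1 hpos.example.invalid
2024-05-06T09:12:38 192.0.2.14 pm-office hpos.example.invalid
2024-05-06T09:13:10 192.0.2.11 reception1 update.example.invalid
"""

# Placeholder hostname standing in for the HPOS endpoint (assumption).
HPOS_HOST = "hpos.example.invalid"

# Staff the practice has explicitly authorised to perform lookups (constructed).
AUTHORISED_USERS = {"reception1", "dr-principal"}


def parse_hpos(text):
    """Parse the HPOS export into rows with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, shown_as, action = line.split(",", 2)
        rows.append({"ts": datetime.fromisoformat(ts), "shown_as": shown_as, "action": action})
    return rows


def parse_proxy(text, hpos_host=HPOS_HOST):
    """Keep only proxy entries that went to the HPOS host."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, host = line.split()
        if host == hpos_host:
            rows.append({"ts": datetime.fromisoformat(ts), "ip": ip, "user": user})
    return rows


def attribute(hpos_rows, proxy_rows, window=timedelta(seconds=10)):
    """Tie each HPOS lookup to the nearest local HPOS connection within `window`.

    Findings: "ok", "unauthorised local user", "ambiguous" (several workstations
    active at once) or "no local match" (certificate used outside the network).
    """
    results = []
    for h in hpos_rows:
        near = [p for p in proxy_rows if abs(p["ts"] - h["ts"]) <= window]
        if not near:
            results.append({**h, "ip": None, "user": None,
                            "finding": "no local match: certificate may have been used off-site"})
            continue
        best = min(near, key=lambda p: abs(p["ts"] - h["ts"]))
        if len(near) > 1:
            finding = "ambiguous: %d workstations active in window" % len(near)
        elif best["user"] in AUTHORISED_USERS:
            finding = "ok"
        else:
            finding = "unauthorised local user"
        results.append({**h, "ip": best["ip"], "user": best["user"], "finding": finding})
    return results


def run_example():
    """Run the join over the constructed samples and return the findings."""
    return attribute(parse_hpos(HPOS_ACCESS_HISTORY), parse_proxy(PROXY_LOG))


if __name__ == "__main__":
    for r in run_example():
        print(r["ts"].isoformat(), r["ip"], r["user"], "->", r["finding"])
```

The correlation only works if workstation clocks and the proxy are time-synchronised and if every workstation's HPOS traffic actually passes through the logged proxy; the "no local match" finding is the one that matters most here, since it is exactly the case of a certificate or PRODA credential being exercised from a machine the practice does not control.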