eHealth Security and Authentication

In order to safely share and manage access to information in the healthcare system, it is essential to be able to authenticate users, i.e. organisations and people. In the eHealth record system this is achieved through the use of digital certificates that conform to the Australian Government endorsed Public Key Infrastructure (PKI) standard.

Other measures, including access controls (such as usernames and passwords), are also required to provide a comprehensive approach to the security of shared electronic healthcare information, whether it is stored on computers in your practice, in the eHealth record system, or exchanged electronically in other ways that have been enabled through the development of national eHealth standards and initiatives.

The National Authentication Service for Health (NASH) makes it possible for healthcare providers and supporting organisations to securely access and exchange health information.

NASH provides Public Key Infrastructure (PKI) Certificates that help you or your organisation to:

  • Access the Personally Controlled Electronic Health Record (eHealth record) system.
  • Send and receive messages securely using software that meets the requirements of Secure Message Delivery.

NASH PKI Certificates can be issued to healthcare providers and supporting organisations that are registered in the Healthcare Identifiers (HI) Service. For more information about NASH, including information on how to apply for a certificate, go to the Department of Human Services website.

Healthcare providers and organisations need to have a National Authentication Service for Health (NASH) Public Key Infrastructure (PKI) certificate to access the national eHealth record system.

NASH plays a critical role in authenticating the healthcare organisations and people who use the national eHealth services and solutions, and, through data encryption, in protecting the clinical information that is exchanged. Should a message be intercepted by a party not involved in the exchange (i.e. not the sender or receiver), for example, that party will not be able to read the message's contents.

PKI enables users to know:

  • Who sent (or uploaded) the information – authentication;
  • That the information content has not been altered in any way between sending (or uploading) and receiving (or downloading) – integrity;
  • That the sender (or uploader) cannot at some later stage dispute they created and sent (or uploaded) the information – non-repudiation; and
  • That only the person the information is directed to can open it – confidentiality.
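The four properties above shown in working code: an added example written for this page (not code from NASH, Medicare or the eHealth record system) in which a sending organisation signs a constructed referral message and then encrypts it to the intended recipient. It assumes in-memory RSA key pairs standing in for the key pairs that NASH certificates would bind to an organisation's identity; the NewKey, Seal and Open names are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKey makes one participant's RSA key pair in memory (constructed example; in NASH the public key is bound to an identity by the certificate).
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal signs msg with the sender's key (authentication, integrity, non-repudiation), then encrypts it to the receiver's public key (confidentiality). RSA-OAEP with SHA-256 caps msg at 190 bytes for a 2048-bit key.
func Seal(senderKey *rsa.PrivateKey, receiverPub *rsa.PublicKey, msg []byte) (ciphertext, sig []byte, err error) {
	h := sha256.Sum256(msg)
	sig, err = rsa.SignPSS(rand.Reader, senderKey, crypto.SHA256, h[:], nil)
	if err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	return ciphertext, sig, err
}

// Open decrypts with the receiver's private key and checks the sender's signature; a wrong recipient, a wrong sender or any alteration in transit yields an error instead of a message.
func Open(receiverKey *rsa.PrivateKey, senderPub *rsa.PublicKey, ciphertext, sig []byte) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverKey, ciphertext, nil)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, err
	}
	return msg, nil
}

func main() {
	clinic, specialist, intercepting := NewKey(), NewKey(), NewKey()
	ct, sig, _ := Seal(clinic, &specialist.PublicKey, []byte("Referral summary (constructed sample)"))
	_, errIntercept := Open(intercepting, &clinic.PublicKey, ct, sig)
	out, err := Open(specialist, &clinic.PublicKey, ct, sig)
	fmt.Printf("intercepting party blocked: %v; recipient reads %q (err=%v)\n", errIntercept != nil, out, err)
}
```

Only the holder of the recipient's private key recovers the plaintext, and the signature check fails if the message was signed by another key or modified.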

Your organisation may already be using PKI certificates for your electronic interactions with the Department of Human Services (Medicare) for claiming and other business and commerce related functions. These certificates will continue to be required for those purposes.

The table below outlines the types of PKI certificates that are necessary for the different requirements in your organisation.

NASH PKI / Medicare PKI Organisation Certificates

For each PKI certificate type, the entry lists what you will receive from Medicare, the Medicare functions, and the eHealth functions (HI Service, eHealth Record System and Secure Message Delivery (SMD)).

DHS (Medicare) Site Certificate (also known as Location or Organisation Certificate)

  • What you will receive from Medicare: CD for installation on your PC and/or Local Network
  • Medicare functions: Access to Health Professional Online Services (HPOS) portal for Medicare-related practice management activities (e.g. claim Medicare benefits)
  • eHealth functions – HI Service: Certificate can be enabled for use with the Healthcare Identifier (HI) Service through HPOS to maintain organisation HI details
  • eHealth functions – eHealth Record System: No function
  • eHealth functions – Secure Message Delivery (SMD): No function

NASH Certificate for Healthcare Provider Organisations

  • What you will receive from Medicare: CD for installation on your PC and/or Local Network
  • Medicare functions: No function
  • eHealth functions – HI Service: No function
  • eHealth functions – eHealth Record System: Access to the eHealth record system through eHealth conformant clinical software (for a list of conformant clinical software, check the 'Software Products using eHealth' page)
  • eHealth functions – Secure Message Delivery (SMD): Used with Secure Messaging Software to send messages securely to other Healthcare Provider Organisations and Providers

NASH PKI / Medicare PKI Individual Certificates

For each PKI certificate type, the entry lists what you will receive from Medicare, the Medicare functions, and the eHealth functions (HI Service, eHealth Record System and Secure Message Delivery (SMD)).

DHS (Medicare) Individual Certificate with Healthcare Identifiers (HI) Service added (also known as RO/OMO PKI Certificate)

  • What you will receive from Medicare: USB Token or Smartcard (with Smartcard Reader)
  • Medicare functions: Access to Health Professional Online Services (HPOS) portal. Can only perform Medicare and HI Service activities (e.g. to maintain healthcare provider organisation and individual HI details)
  • eHealth functions – HI Service: Certificate can be enabled for use with the Healthcare Identifier (HI) Service through HPOS to maintain organisation/individual's HI details
  • eHealth functions – eHealth Record System: No function
  • eHealth functions – Secure Message Delivery (SMD): No function

NASH Certificate for Healthcare Provider Individuals

  • What you will receive from Medicare: USB Token or Smartcard with Smartcard Reader
  • Medicare functions: No function
  • eHealth functions – HI Service: No function
  • eHealth functions – eHealth Record System: Required to access the National Provider Portal through the ehealth.gov.au website
  • eHealth functions – Secure Message Delivery (SMD): No function

The PKI certificate requirements for Electronic Transfer of Prescriptions (ETP) are determined by the vendors. Please speak to your vendor for more information.

For more information on PKI certificates, see the 'Read more on Public Key Infrastructure' page.

For organisations and individuals in the healthcare system, robust security practices are required to both meet legal obligations and to protect personal health information. Greater collaboration and exchange of health information also creates new business risks that need to be addressed.

No matter how large or small, all organisations involved in the provision of healthcare need to carefully manage the security of information systems and allow information to be available to the right person, at the right time and in the right form.

There are two important and related initiatives for security and access control that are relevant to medical practices for their participation in the national eHealth system. These are:

  • The National eHealth Security and Access Framework (NESAF); and
  • The RACGP Computer and Information Security Standards (CISS).

The RACGP has developed the CISS to work alongside the NESAF, because they share the same goal of implementing sound security measures to protect patient information held and transmitted by electronic healthcare records. While the NESAF covers the whole of the electronic infrastructure across Australia's healthcare network, the CISS has been designed specifically for medical practices. If Australian medical practices comply with the CISS, they can be confident that their processes and policies also comply with the higher-level requirements of the NESAF.