Introduction
This Developer Guide is for the use of developers whose products connect to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging with a National Authentication Service for Health (NASH) PKI Certificate.
Background
NASH Improvements Project
The Agency is working closely with Services Australia, software developers, and healthcare organisations to implement enhancements to the National Authentication Service for Health (NASH). These enhancements will provide enhanced security protection for healthcare information and reduce the need for healthcare organisations to manage multiple certificates.
NASH SHA-1 PKI Certificates have been deprecated by the Australian Government Digital Transformation Agency due to known vulnerabilities. To increase security and compliance with the new Gatekeeper PKI Framework 3.1*, NASH PKI Certificates are migrating from the SHA-1 hashing algorithm to the more secure SHA-2 hashing algorithm. Access to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging is transitioning from NASH SHA-1 PKI Certificates to NASH SHA-2 PKI Certificates. NASH SHA-2 PKI Certificates will be utilised as the main authentication and cryptographic solution for interacting with Healthcare Identifiers (HI) Service, My Health Record (MHR), Electronic Prescribing and Secure Messaging. Services Australia will no longer issue NASH SHA-1 PKI Certificates after 13 March 2022.
Historically, connections to the HI Service used a separate HI PKI Certificate for network organisations (1.2.36.174030967.1.9.1.1) or a full-strength Medicare site Certificate for seed organisations (1.2.36.174030967.1.6.1.2) (i.e. parent organisations). Medicare PKI site Certificates will be decommissioned in March 2022 and connection to the HI Service will require the use of a NASH certificate after 13 March 2022.
Purpose and functionality changes
This guide is intended to assist developers to incorporate the following enhancements into their software product:
Improvement | Required or Recommended | Description |
---|---|---|
NASH PKI Certificates to Access the HI Service | Required | Software that currently uses Medicare PKI site certificates to connect to the HI Service must be upgraded to use NASH certificates. Developers must also ensure that installed user software is upgraded and NASH certificates are installed so that connection to the HI Service continues after 13 March 2022. |
Transition to NASH SHA-2 certificates | Required | Developers currently using SHA-1 certificates to access the Healthcare Identifiers (HI) Service, My Health Record or Secure Messaging will need to update their products to use NASH SHA-2 certificates, and ensure that installed user software is upgraded and SHA-2 certificates are installed by 13 March 2022. |
Add automated certificate expiry warning for users | Recommended | To ensure the continuity of connection to Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging, the Agency strongly recommends building an automated warning for software users to notify them of the approaching expiry of their NASH Certificate(s). |
Incorporate RCA and OCA installation as part of the software product installation process. | Recommended | So that software users do not have to install the SHA-1 (2026) OCA and the SHA-2 RCA & OCA themselves, the Agency strongly recommends making the installation of these files part of the installation of the developer’s software and/or updates. From 5 October 2021, SHA-1 and SHA-2 downloads from HPOS include the NASH certificate and chain of trust files in a single P12 file. Software developers are advised to review their installation material accordingly. |
Step 1: Familiarise yourself with the changes
1. Read this Developer Guide - This guide provides details of the changes and testing guidelines.
2. Familiarise yourself with the SHA-2 Readiness Assessment process – The Agency has a NASH SHA-2 Testing & Assessment - Developer Guide which describes how to undertake the Agency’s SHA-2 software validation process.
3. Monitor communications - The Agency will continue to communicate with you on a regular basis via emails, newsletters and through the Agency’s Developer Portal. The latest NASH system and deployment notifications can be found at Transition to NASH SHA-2 Certificates - Notifications. If you have any queries, please contact us via email at [email protected]
4. Obtain NASH Test Certificates - NASH PKI test kits for NASH SHA-1 (2026) and NASH SHA-2 can be obtained from Services Australia and are designed for your development and testing.
Existing developers can request NASH PKI test certificate(s) by emailing Services Australia Developer Support at: [email protected].
New developers need to register in the Services Australia Health Systems Developer Portal, submit their Interface Agreement to Services Australia and follow the instructions in the confirmation email to apply for the relevant test data/test certificates.
NASH SHA-1 (2026) requests must be made directly with Services Australia Developer Support at: [email protected]
Step 2: Ensure your software product(s) use NASH PKI Certificates to access the HI Service
If your software currently connects (or you are planning to connect) to the Healthcare Identifiers (HI) Service, you will need to ensure that your installed software base uses a NASH PKI certificate to access this service.
Software providers currently using Medicare PKI site Certificates to connect to the HI Service must update or patch their products to support both NASH SHA-1 and NASH SHA-2 Certificates if they wish to remain connected to the HI Service after 13 March 2022. This also applies to Contracted Service Providers (CSP) and General Supporting Organisations (GSO). CSPs and GSOs will need to update their software to be able to use both NASH SHA-1 PKI Certificates (1.12.1.1) and NASH SHA-2 PKI Certificates (1.22.1.1).
IMPORTANT NOTE:
If your software currently uses adaptor technology and your Medicare PKI site Certificate to access Medicare Online, ECLIPSE, DVA, AIR, PBS Online or Aged Care, this combination will not be supported after 13 March 2022. For more information please go to https://servicesaustralia.gov.au/hpwebservices
Step 3: Enhance your software product(s) to support NASH SHA-1 and SHA-2 PKI Certificates
If your software currently connects (or you are planning to connect) to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing or Secure Messaging using a NASH SHA-1 certificate, you will need to ensure that your software supports the use of NASH SHA-2 certificates.
To ensure a smooth transition, all software providers are required to update their products to connect to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging using both SHA-1 and SHA-2 NASH PKI Certificates. This also applies to CSPs and GSOs.
In addition, all healthcare organisations will need to install the SHA-2 Root CA and OCA Chain of Trust (CoT) Certificates. Software providers are encouraged to roll out the SHA-1 OCA (2026) and the SHA-2 Root CA and OCA to their customers by August 2021 to ensure the continuity of Secure Messaging and My Health Record transactions. These can be found at the Certificates Australia website https://www.certificates-australia.com.au/
HPOS is currently being updated with enhanced capabilities to issue either NASH SHA-1 PKI or NASH SHA-2 PKI Certificates. During the Certificate request process, the user will be taken through a wizard that determines the most suitable Certificate policy for them based on the readiness of their software.
CSPs and GSOs are still required to request SHA-1 and SHA-2 Certificates via the HW013 form.
Services Australia will commence issuing NASH SHA-2 certificates in production in September 2021 (subject to software and site readiness).
NOTE:
The SHA-1 algorithm used to generate a digest within the XML signature is not required to transition to SHA-2. This means that the Australian Technical Standard - ATS5821-2010 eHealth XML Secure payload profiles still applies in its current form.
Step 4: Develop automated certificate expiry notifications in your software
The Agency strongly encourages software providers to meet this requirement as it will ensure the continuity of connection to Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging. Develop system-generated messages to alert the system administrators prior to a Certificate's expiry within the software product.
NOTE:
Contracted Service Providers (CSP) or General Supporting Organisations (GSO): This is not applicable as certificate expiry needs to be managed by the CSP organisation to ensure continuity of connection to the HI Service and My Health Record for your clients.
Automated alerts should consist of regular alerts (such as daily) commencing two (2) months prior to certificate expiry. Keep in mind that this may differ depending on whether certificates are installed by users or the software provider. You may also wish to reference manuals and other help support. See below for a suggested warning message.
‘Your NASH PKI Certificate will expire in ### days. Please contact your Organisation Maintenance Officer (OMO) or system administrator to download and install a new NASH PKI Certificate from the Health Professional Online Services (HPOS) portal.
NASH PKI Certificates can be downloaded from the “Certificates” tab within the HPOS portal.’
Note:
Sample code is available below under - Sample code for automated certificate expiry notifications.
Step 5: Incorporate RCA and OCA installation as part of the software product installation process
The Agency strongly recommends that software developers make the installation of ALL of the following files part of the installation of the developer’s software and/or updates:
- The SHA-1 (2026) OCA must be installed for any user who has/will renew a SHA-1 certificate after 16 May 2021.
- The SHA-2 RCA & SHA-2 OCA should be installed prior to the release of SHA-2 into production (September 2021).
- Additionally, if users do not already have the SHA-1 RCA installed, it will also need to be installed.
The files are available from Certificates Australia (https://www.certificates-australia.com.au/) as follows:
The Super Chain of Trust includes all of the above files in a single download:
Step 6: Test your enhancements & SHA-2 Readiness Assessment
The individual developer is responsible for conducting self-testing in their own Test environment for the relevant requirements and test cases.
Please refer to the NASH SHA-2 Testing & Assessment Guide for information on how to test your NASH SHA-2 software enhancements and how to submit evidence of your product’s readiness to the Agency for assessment. Developers should test the earliest supported version of their software that supports NASH SHA-2.
Step 7: Release your products
Release your Software Product into production and notify the Agency for our reference. Please ensure that:
- SHA-1 OCA and SHA-2 OCA & RCA – either automatically install these or provide instructions for your customers on how to obtain and install these.
- Rollout your updated software product - This can be done any time before March 2022; however, the Agency highly recommends completing the rollout by September 2021. Advise your customers of the software name and version being installed into their environment, as they require this information when applying for a NASH SHA-2 Certificate.
- Transition your customers to using NASH SHA-2 - As your customer’s existing NASH or Medicare SHA-1 Certificate approaches expiry, advise them to request a SHA-2 NASH Certificate in HPOS. Ensure you remind your customers of the software version installed in their environment as they will need this information when requesting the NASH SHA-2 Certificate.
- Final Reminder – Remind any customers still on non-compliant software, that they will need to install the SHA-2 compliant software and apply for a NASH SHA-2 Certificate as soon as possible.
- Be prepared – There might be customers that run into issues due to expired NASH/Medicare SHA-1 Certificates. Please ensure you continue their transition to NASH SHA-2. Have your team on standby to support these customers in a timely manner.
Sample code for automated certificate expiry notifications
Developers can implement a configuration option to change the Certificate expiry period (in days) to test the Certificate expiry alert messages. This allows the value to be changed to test activation of the alert messages. The following code can be used:
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
// X509CertificateUtil comes from the Agency's .NET client library (Nehta.VendorLibrary.Common).
using Nehta.VendorLibrary.Common;

// Load Certificate. The final argument (true) asks for valid certificates only, so an
// already-expired certificate is not returned and falls through to the "no certificate" branch.
X509Certificate2 certificate = X509CertificateUtil.GetCertificate(
    "Thumbprint",
    X509FindType.FindByThumbprint,
    StoreName.My,
    StoreLocation.CurrentUser,
    true
);

// Test Certificate loaded and if so, check expiry date.
// Expose this threshold as a configuration option so testers can lower it to trigger the alert.
int alertUserIfDaysTillCertificateExpiresIsLessThan = 60;
if (certificate != null)
{
    // NotAfter minus now: positive while the certificate is valid, negative once it has expired.
    // (DateTime.Now - certificate.NotAfter) would be negative for every valid certificate and
    // would raise the warning unconditionally.
    double daysTillExpire = (certificate.NotAfter - DateTime.Now).TotalDays;
    if (daysTillExpire < alertUserIfDaysTillCertificateExpiresIsLessThan)
    {
        // Certificate less than 60 days till expires
        // Raise a warning to the user
    }
}
else
{
    // Warn user no certificate found
}
```
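The following is an added example, not the Agency's sample code and not part of its .NET client libraries. It builds on the sample above: it takes the configurable expiry threshold described at the start of this section, classifies the loaded certificate as SHA-1 or SHA-2 from its signature algorithm so that a product supporting both (Step 3) can report which one is installed, uses the standard X509Chain API to confirm that the RCA/OCA chain of trust from Step 5 is actually installed and trusted, and emits the suggested warning message from Step 4. Only System.Security.Cryptography.X509Certificates is used; the NASH_EXPIRY_WARN_DAYS environment variable and the thumbprint placeholder are assumptions standing in for the product's own configuration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example, not the Agency's sample code or part of its .NET client libraries.
public enum NashHashFamily { Sha1, Sha2, Unknown }

public sealed class CertificateHealthReport
{
    public NashHashFamily HashFamily;
    public double DaysUntilExpiry;
    public bool ChainOfTrustInstalled;
    public string Warning;   // null when no warning is due
}

public static class NashCertificateHealthCheck
{
    // Standard PKCS #1 signature-algorithm OIDs; these are not NASH-specific values.
    private const string Sha1WithRsa = "1.2.840.113549.1.1.5";
    private const string Sha256WithRsa = "1.2.840.113549.1.1.11";

    // Suggested warning text from this guide; "###" is replaced with the day count.
    private const string ExpiryMessage =
        "Your NASH PKI Certificate will expire in ### days. Please contact your Organisation " +
        "Maintenance Officer (OMO) or system administrator to download and install a new NASH PKI " +
        "Certificate from the Health Professional Online Services (HPOS) portal.";

    // Lets a product that supports both certificate types (Step 3) report which one is installed.
    public static NashHashFamily ClassifyHashFamily(X509Certificate2 cert)
    {
        switch (cert.SignatureAlgorithm.Value)
        {
            case Sha1WithRsa:   return NashHashFamily.Sha1;
            case Sha256WithRsa: return NashHashFamily.Sha2;
            default:            return NashHashFamily.Unknown;
        }
    }

    // NotAfter minus now: positive while valid, negative once expired. The operand order matters:
    // (now - NotAfter) is negative for every valid certificate and would alert unconditionally.
    public static double DaysUntilExpiry(X509Certificate2 cert, DateTime now)
    {
        return (cert.NotAfter - now).TotalDays;
    }

    // X509Chain.Build succeeds only when the issuing OCA and the RCA are installed and trusted on
    // this machine, which is what Step 5 asks installers to guarantee. Revocation is not checked so
    // that a CRL/OCSP outage is not mistaken for a missing chain of trust.
    public static bool ChainOfTrustInstalled(X509Certificate2 cert)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            return chain.Build(cert);
        }
    }

    // warnDaysThreshold is the configurable expiry period (60 = the two months suggested in Step 4);
    // lowering it in a test environment triggers the alert on a freshly issued test certificate.
    public static CertificateHealthReport Check(X509Certificate2 cert, DateTime now, int warnDaysThreshold)
    {
        if (cert == null)
            return new CertificateHealthReport { Warning = "No NASH PKI Certificate was found in the certificate store." };
        var report = new CertificateHealthReport
        {
            HashFamily = ClassifyHashFamily(cert),
            DaysUntilExpiry = DaysUntilExpiry(cert, now),
            ChainOfTrustInstalled = ChainOfTrustInstalled(cert)
        };
        if (report.DaysUntilExpiry < 0)
            report.Warning = "Your NASH PKI Certificate expired on " + cert.NotAfter.ToString("d") + ". Request and install a NASH SHA-2 PKI Certificate from HPOS.";
        else if (report.DaysUntilExpiry < warnDaysThreshold)
            report.Warning = ExpiryMessage.Replace("###", ((int)Math.Floor(report.DaysUntilExpiry)).ToString());
        else if (!report.ChainOfTrustInstalled)
            report.Warning = "The NASH chain of trust (RCA and OCA) is not installed or not trusted.";
        return report;
    }

    // validOnly is false so that an expired certificate is still found and reported as expired
    // rather than silently treated as "no certificate".
    public static X509Certificate2 LoadByThumbprint(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 0 ? null : found[0];
        }
    }

    public static void Main()
    {
        // Assumed configuration mechanism: an environment variable standing in for the product's settings.
        int threshold;
        if (!int.TryParse(Environment.GetEnvironmentVariable("NASH_EXPIRY_WARN_DAYS"), out threshold)) threshold = 60;
        var report = Check(LoadByThumbprint("THUMBPRINT-PLACEHOLDER"), DateTime.Now, threshold);
        if (report.Warning != null) Console.WriteLine(report.Warning);
    }
}
```

Run the check once a day (a scheduled task or a timer inside the product) so the alert repeats daily from the threshold onward, as Step 4 suggests. Loading with validOnly set to false is deliberate: the expired branch is the one customers hit in practice, and it is more useful to tell them the certificate expired on a given date than to report that no certificate exists.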
Support
The Agency’s Digital Health Help Centre
First level support and escalation to Agency subject matter experts, product and partnership teams
Phone: 1300 901 001 (Mon-Fri, 8:00-17:00 AEST/AEDT)
Email: [email protected]
Services Australia - Developer Support
First level support and escalation to technical support and product integration teams
Phone: 1300 550 115 (Mon-Fri, 8:30-17:00 AEST)
Email: [email protected]
Services Australia - Test Kit Support
Email: [email protected]
Services Australia - Online technical support HI service
Email: [email protected]
Services Australia - Online technical support My Health Record system
Email: [email protected]