Introduction
This Developer Guide is for the use of developers whose products connect to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging with a National Authentication Service for Health (NASH) PKI Certificate.
Background
NASH Improvements Project
The Agency is collaborating with Services Australia, software developers, and healthcare providers to upgrade the National Authentication Service for Health (NASH). These upgrades will strengthen security for health information and simplify certificate management for providers.
NASH SHA-1 PKI Certificates have been deprecated by the Australian Government Digital Transformation Agency due to known vulnerabilities. To increase security and compliance with the new Gatekeeper PKI Framework 3.1*, NASH SHA-2 PKI Certificates will be utilised as the main authentication and cryptographic solution for interacting with Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging.
Purpose and functionality changes
This guide is intended to assist developers to incorporate the following enhancements into their software product:
Improvement | Required or Recommended | Description |
---|---|---|
NASH PKI Certificates to Access the HI Service | Required | Developer software must use a NASH SHA-2 certificate to connect to the HI Service. As of 24 March 2024, the HI Service no longer supports NASH SHA-1 or Medicare PKI certificates. |
Add automated certificate expiry warning for users | Recommended | To ensure the continuity of connection to HI Service, My Health Record, Electronic Prescribing and Secure Messaging, the Agency strongly recommends building an automated warning for software users to notify them of the approaching expiry of their NASH Certificate(s). |
Incorporate RCA and OCA installation as part of software product installation process. | Recommended | The Australian Digital Health Agency (the Agency) strongly recommends making the installation of the chain of trust part of the installation of the developer’s software and/or updates. The chain of trust can be obtained from the SCoT download. The chain of trust files are also included in a single P12 file when healthcare provider organisations download their NASH SHA-2 certificate from HPOS. |
Step 1: Obtain NASH test certificates
Obtain NASH SHA-2 Test Certificates - NASH PKI test kits for NASH SHA-2 can be obtained from Services Australia and are designed for your development and testing.
If you’re an existing developer, request NASH PKI test certificate(s) by emailing Services Australia Developer Support at: developerliaison@servicesaustralia.gov.au.
New developers need to register in the Services Australia Health Systems Developer Portal and submit their Interface Agreement to Services Australia and follow the instructions in the confirmation email to apply for the relevant test data/test certificates.
Step 2: Ensure your software product(s) use NASH SHA-2 PKI Certificates to access the HI Service
If your software currently connects (or you are planning to connect) to the Healthcare Identifiers (HI) Service, you will need to ensure that your installed software base uses a NASH SHA-2 PKI certificate to access this service.
Step 3: Develop automated certificate expiry notifications in your software
The Agency strongly recommends that software providers comply with this requirement to maintain uninterrupted access to the Healthcare Identifiers Service, My Health Record, Electronic Prescribing, and Secure Messaging. Implement system-generated alerts to notify system administrators before a certificate expires within your software.
NOTE: Contracted Service Providers (CSPs) and General Supporting Organisations (GSOs): This guidance does not apply as your organisation is responsible for managing certificate renewals to maintain connection to the HI Service and My Health Record for your clients.
Set up automated, regular alerts, such as daily notifications, commencing two months before the certificate's expiration date. Keep in mind that this may differ depending on whether certificates are installed by users or the software provider. You may also wish to reference manuals and other help support. See below for a suggested warning message.
‘Your NASH PKI Certificate will expire in ### days. Please contact your Organisation Maintenance Officer (OMO) or system administrator to download and install a new NASH PKI Certificate from the Health Professional Online Services (HPOS) portal.
NASH PKI Certificates can be downloaded from under the “Certificates” tab from within the HPOS portal.’
Sample code for automated certificate expiry notifications
Developers can implement a configuration option to change the Certificate expiry period (in days) to test the Certificate expiry alert messages. This allows the value to be changed to test activation of the alert messages. The following code can be used:
```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Nehta.VendorLibrary.Common; // Agency client library namespace that provides X509CertificateUtil

// Load Certificate
X509Certificate2 certificate = X509CertificateUtil.GetCertificate(
    "Thumbprint",
    X509FindType.FindByThumbprint,
    StoreName.My,
    StoreLocation.CurrentUser,
    true
);

// Test Certificate loaded and if so, check expiry date
// (make this configurable so the alert can be triggered during testing)
int alertUserIfDaysTillCertificateExpiresIsLessThan = 60;
if (certificate != null)
{
    // NotAfter minus Now: positive while the certificate is still valid,
    // negative once it has already expired
    double daysTillExpire = (certificate.NotAfter - DateTime.Now).TotalDays;
    if (daysTillExpire < alertUserIfDaysTillCertificateExpiresIsLessThan)
    {
        // Certificate less than 60 days till expires
        // Raise a warning to the user
    }
}
else
{
    // Warn user no certificate found
}
```
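The snippet above shows the check at its simplest. The following is an added example, not code from this guide or from the Agency's client libraries, of how the same check can be packaged for a scheduled daily job: it compares dates in UTC, distinguishes "expiring soon" from "already expired" and "not yet valid", walks every matching certificate in the store rather than a single thumbprint, and produces the warning text this guide suggests. The 60-day threshold and the `isNashCertificate` filter are assumptions to be replaced with the product's own configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example (not the guide's code). Threshold and certificate filter are
// assumptions to be supplied from the product's configuration.
public enum CertificateExpiryStatus { Ok, ExpiringSoon, Expired, NotYetValid }

public sealed class CertificateExpiryResult
{
    public string Subject { get; set; }
    public string Thumbprint { get; set; }
    public int DaysRemaining { get; set; }
    public CertificateExpiryStatus Status { get; set; }
    public string Message { get; set; }   // null when no action is needed
}

public static class NashCertificateExpiryChecker
{
    // Wording follows the warning message suggested in this guide.
    private const string ExpiringSoonTemplate =
        "Your NASH PKI Certificate will expire in {0} days. Please contact your " +
        "Organisation Maintenance Officer (OMO) or system administrator to download and " +
        "install a new NASH PKI Certificate from the Health Professional Online Services " +
        "(HPOS) portal.";

    // Pure evaluation with an injected clock, so the alert can be unit-tested
    // against fixed dates without changing the machine clock.
    public static CertificateExpiryResult Evaluate(
        X509Certificate2 certificate, DateTime nowUtc, int warnWithinDays)
    {
        // .NET returns NotBefore/NotAfter in local time; compare everything in UTC.
        DateTime notBeforeUtc = certificate.NotBefore.ToUniversalTime();
        DateTime notAfterUtc = certificate.NotAfter.ToUniversalTime();
        int daysRemaining = (int)Math.Floor((notAfterUtc - nowUtc).TotalDays);

        var result = new CertificateExpiryResult
        {
            Subject = certificate.Subject,
            Thumbprint = certificate.Thumbprint,
            DaysRemaining = daysRemaining,
            Status = CertificateExpiryStatus.Ok
        };

        if (nowUtc < notBeforeUtc)
        {
            result.Status = CertificateExpiryStatus.NotYetValid;
            result.Message = "Your NASH PKI Certificate is not valid until " +
                notBeforeUtc.ToString("yyyy-MM-dd") + " (UTC).";
        }
        else if (daysRemaining < 0)
        {
            result.Status = CertificateExpiryStatus.Expired;
            result.Message = "Your NASH PKI Certificate expired on " +
                notAfterUtc.ToString("yyyy-MM-dd") + " (UTC). Install a new certificate from HPOS.";
        }
        else if (daysRemaining < warnWithinDays)
        {
            result.Status = CertificateExpiryStatus.ExpiringSoon;
            result.Message = string.Format(ExpiringSoonTemplate, daysRemaining);
        }
        return result;
    }

    // Checks every matching certificate in the store, so an organisation holding
    // more than one NASH certificate (e.g. during a renewal) is warned about each.
    public static List<CertificateExpiryResult> CheckStore(
        StoreName storeName, StoreLocation location, int warnWithinDays,
        Func<X509Certificate2, bool> isNashCertificate)
    {
        var results = new List<CertificateExpiryResult>();
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (isNashCertificate(cert))
                {
                    results.Add(Evaluate(cert, DateTime.UtcNow, warnWithinDays));
                }
            }
        }
        return results;
    }
}
```

A daily task would call `NashCertificateExpiryChecker.CheckStore(StoreName.My, StoreLocation.CurrentUser, 60, c => c.Issuer.Contains("NASH"))` and surface every non-null `Message` to the administrator; the issuer-name filter is an assumption, since this guide does not state the NASH issuer name, and a thumbprint or serial-number lookup from configuration is an equally valid filter. To exercise the alert path in testing, as the guide recommends, raise `warnWithinDays` from configuration or pass a shifted `nowUtc` to `Evaluate` rather than altering the system clock.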
Step 4: Incorporate RCA and OCA installation as part of software product installation process.
The Agency strongly recommends that software developers make the installation of ALL of the following files a part of the installation of software and/or updates:
- The SHA-1 (2026) OCA
- The SHA-2 RCA & SHA-2 OCA
These files are available in a single download called the Super Chain of Trust.
Alternatively you can obtain each file individually from Certificates Australia (https://www.certificates-australia.com.au/) as follows:
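The following is an added example, not code from this guide or the Agency, of how an installer can put the chain of trust into the Windows certificate stores and then confirm that a NASH certificate actually chains to the installed RCA. It handles both sources this guide names: the individual certificate files of the Super Chain of Trust download (file names are whatever that download contains) and the P12 downloaded from HPOS. It assumes .NET Framework 4.6 or later (or .NET Core), where `X509Store` and `X509Chain` are disposable, and that the installer runs with the administrator rights needed to write the LocalMachine stores.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example (not the guide's or the Agency's code). It places the chain of
// trust in the Windows stores that .NET and SChannel consult when building a chain.
public static class ChainOfTrustInstaller
{
    // Installs a CA certificate unless the same thumbprint is already present.
    // Returns true when a certificate was added, so installers can log what changed.
    public static bool InstallIfMissing(X509Certificate2 cert, StoreName storeName, StoreLocation location)
    {
        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadWrite);   // LocalMachine stores need administrator rights
            var existing = store.Certificates.Find(X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (existing.Count > 0)
            {
                return false;
            }
            store.Add(cert);
            return true;
        }
    }

    // A self-signed CA (the RCA) is a trust anchor and belongs in Trusted Root; an
    // issuing CA (the OCAs) belongs in Intermediate Certification Authorities.
    // Putting an OCA into Root would make it a trust anchor, which the hierarchy does not intend.
    public static StoreName TargetStoreFor(X509Certificate2 caCert)
    {
        return caCert.Subject == caCert.Issuer ? StoreName.Root : StoreName.CertificateAuthority;
    }

    // Installs every CA certificate found in a folder of .cer files
    // (for example the extracted Super Chain of Trust download).
    public static int InstallFromFolder(string folder)
    {
        int installed = 0;
        foreach (string path in Directory.GetFiles(folder, "*.cer"))
        {
            var cert = new X509Certificate2(path);
            if (!IsCertificateAuthority(cert)) continue;   // never install an end-entity cert as a CA
            if (InstallIfMissing(cert, TargetStoreFor(cert), StoreLocation.LocalMachine)) installed++;
        }
        return installed;
    }

    // The P12 downloaded from HPOS also carries the chain: install only the CA
    // certificates it contains and leave the end-entity NASH certificate alone.
    public static int InstallFromP12(string p12Path, string password)
    {
        var bundle = new X509Certificate2Collection();
        bundle.Import(p12Path, password, X509KeyStorageFlags.DefaultKeySet);
        int installed = 0;
        foreach (X509Certificate2 cert in bundle)
        {
            if (!IsCertificateAuthority(cert)) continue;
            if (InstallIfMissing(cert, TargetStoreFor(cert), StoreLocation.LocalMachine)) installed++;
        }
        return installed;
    }

    private static bool IsCertificateAuthority(X509Certificate2 cert)
    {
        var basicConstraints = cert.Extensions.OfType<X509BasicConstraintsExtension>().FirstOrDefault();
        return basicConstraints != null && basicConstraints.CertificateAuthority;
    }

    // After installation, confirm the NASH certificate chains to an installed RCA.
    // A failure here (missing OCA, certificate in the wrong store, unreachable CRL)
    // is what would otherwise surface later as an opaque TLS error against the HI Service.
    public static bool ChainBuilds(X509Certificate2 nashCertificate, out string failureReason)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
            bool ok = chain.Build(nashCertificate);
            failureReason = ok ? null
                : string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            return ok;
        }
    }
}
```

An installer would call `InstallFromFolder` (or `InstallFromP12` for the HPOS bundle) and then `ChainBuilds` on the organisation's NASH certificate, refusing to report success while `failureReason` is non-null. Keeping revocation checking online during this verification means a blocked CRL URL is found at install time rather than on the first HI Service call.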
Support
The Agency’s Digital Health Help Centre
First level support and escalation to Agency subject matter experts, product and partnership teams
Phone: 1300 901 001 (Mon-Fri, 8:00-17:00 AEST/AEDT)
Email: help@digitalhealth.gov.au
Services Australia - Developer Support
First level support and escalation to technical support and product integration teams
Phone: 1300 550 115 (Mon-Fri, 8:30-17:00 AEST)
Email: developerliaison@servicesaustralia.gov.au
Services Australia - Test Kit Support
Email: developerliaison@servicesaustralia.gov.au
Services Australia - Online technical support HI service
Email: HI.OTS.HELPDESK@servicesaustralia.gov.au
Services Australia - Online technical support My Health Record system
Email: Myhealthrecord.otshelpdesk@servicesaustralia.gov.au