ID: DG-3080
Type: Guide
Version: 1.0
Status: Active

Introduction

This Developer Guide is for the use of developers whose products connect to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging with a National Authentication Service for Health (NASH) PKI Certificate.

Background

NASH Improvements Project

The Agency is working closely with Services Australia, software developers, and healthcare organisations to implement enhancements to the National Authentication Service for Health (NASH). These enhancements will provide enhanced security protection for healthcare information and reduce the need for healthcare organisations to manage multiple certificates.

NASH SHA-1 PKI Certificates have been deprecated by the Australian Government Digital Transformation Agency due to known vulnerabilities. To increase security and compliance with the new Gatekeeper PKI Framework 3.1*, NASH SHA-2 PKI Certificates will be utilised as the main authentication and cryptographic solution for interacting with Healthcare Identifiers (HI) Service, My Health Record (MHR), Electronic Prescribing and Secure Messaging.

Purpose and functionality changes

This guide is intended to assist developers to incorporate the following enhancements into their software product:

Improvement: NASH PKI Certificates to Access the HI Service
Required or Recommended: Required
Description: Developer software must use a NASH SHA-2 certificate to connect to the HI Service. As of 24 March 2024, the HI Service no longer supports NASH SHA-1 or Medicare PKI certificates.

Improvement: Add automated certificate expiry warning for users
Required or Recommended: Recommended
Description: To ensure the continuity of connection to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging, the Agency strongly recommends building an automated warning for software users to notify them of the approaching expiry of their NASH Certificate(s).

Improvement: Incorporate RCA and OCA installation as part of the software product installation process
Required or Recommended: Recommended
Description: The Agency strongly recommends making the installation of the chain of trust part of the installation of the developer's software and/or updates. The chain of trust can be obtained from the Super Chain of Trust (SCoT) download. The chain of trust files are also included in a single P12 file when healthcare provider organisations download their NASH SHA-2 certificate from HPOS.

Step 1: Obtain NASH test certificates

Obtain NASH SHA-2 Test Certificates - NASH PKI test kits for NASH SHA-2 can be obtained from Services Australia and are designed for your development and testing.

Existing developers can request NASH PKI test certificate(s) by emailing Services Australia Developer Support at: [email protected].

New developers need to register in the Services Australia Health Systems Developer Portal, submit their Interface Agreement to Services Australia, and follow the instructions in the confirmation email to apply for the relevant test data/test certificates.

Step 2: Ensure your software product(s) use NASH SHA-2 PKI Certificates to access the HI Service

If your software currently connects (or you are planning to connect) to the Healthcare Identifiers (HI) Service, you will need to ensure that your installed software base uses a NASH SHA-2 PKI certificate to access this service.

Step 3: Develop automated certificate expiry notifications in your software

The Agency strongly encourages software providers to meet this requirement as it will ensure the continuity of connection to the Healthcare Identifiers (HI) Service, My Health Record, Electronic Prescribing and Secure Messaging. Develop system-generated messages within the software product that alert system administrators before a Certificate expires.

Sample code for automated certificate expiry notifications

Developers can implement a configuration option that sets the warning period (in days) before Certificate expiry, so the value can be lowered to test that the Certificate expiry alert messages activate. The following code can be used:

using System;
using System.Security.Cryptography.X509Certificates;
using Nehta.VendorLibrary.Common; // X509CertificateUtil is provided by the Agency's vendor library

// Load Certificate (replace "Thumbprint" with the thumbprint of the NASH certificate)
X509Certificate2 certificate = X509CertificateUtil.GetCertificate(
    "Thumbprint",
    X509FindType.FindByThumbprint,
    StoreName.My,
    StoreLocation.CurrentUser,
    true);

// Warning period in days; read this from a configuration setting so it can be
// lowered to test the alert
int alertUserIfDaysTillCertificateExpiresIsLessThan = 60;

// Test Certificate loaded and if so, check expiry date
if (certificate != null)
{
    // Days remaining is NotAfter minus now. The reverse subtraction gives a
    // negative value for every valid certificate and would always raise the warning.
    double daysTillExpire = (certificate.NotAfter - DateTime.Now).TotalDays;
    if (daysTillExpire <= 0)
    {
        // Certificate has already expired
        // Raise an error to the user
    }
    else if (daysTillExpire < alertUserIfDaysTillCertificateExpiresIsLessThan)
    {
        // Certificate less than 60 days till expires
        // Raise a warning to the user
    }
}
else
{
    // Warn user no certificate found
}

Step 4: Incorporate RCA and OCA installation as part of software product installation process.

The Agency strongly recommends that software developers make the installation of ALL of the following files part of the installation of the developer's software and/or updates:

  • The SHA-1 (2026) OCA
  • The SHA-2 RCA & SHA-2 OCA

These files are available in a single download called The Super Chain of Trust.

Alternatively you can obtain each file individually from Certificates Australia (https://www.certificates-australia.com.au/) as follows:
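The following is an added example written for this guide, not Agency library code. It covers the checks behind Step 3 and Step 4 in one place: the expiry check with a configurable warning period (with the days-remaining arithmetic in the correct order and the already-expired case handled), and a pre-flight check that the loaded NASH certificate chains to an installed RCA/OCA, which is how an installer or start-up routine can detect that the chain of trust was never imported. It assumes the certificate has already been loaded as an X509Certificate2 (for example via the vendor library call in Step 3) and that the RCA/OCA files from The Super Chain of Trust are expected in the Windows certificate store; the class and method names are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

// Added example for this guide (hypothetical names, not the Agency's vendor library).
public static class NashCertificateChecks
{
    public enum ExpiryStatus { Ok, ExpiringSoon, Expired }

    // Step 3: days remaining is NotAfter minus now. warnDays is the configurable
    // warning period; passing "now" explicitly makes the check easy to unit test.
    public static ExpiryStatus CheckExpiry(X509Certificate2 cert, int warnDays,
                                           DateTime now, out double daysLeft)
    {
        daysLeft = (cert.NotAfter - now).TotalDays;
        if (daysLeft <= 0)
        {
            return ExpiryStatus.Expired;
        }
        return daysLeft < warnDays ? ExpiryStatus.ExpiringSoon : ExpiryStatus.Ok;
    }

    // Step 4: confirm the certificate chains to an RCA/OCA present in the store.
    // If the chain of trust was not installed, Build() fails and ChainStatus
    // reports flags such as PartialChain or UntrustedRoot, which the installer
    // or start-up check can surface to the administrator.
    public static bool ChainOfTrustInstalled(X509Certificate2 cert, out string problem)
    {
        using (var chain = new X509Chain())
        {
            // Revocation of the root is never checked; online revocation of the
            // rest of the chain is left at the default so a revoked OCA is noticed.
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;

            if (chain.Build(cert))
            {
                problem = null;
                return true;
            }

            var reasons = new List<string>();
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                reasons.Add(status.Status + ": " + status.StatusInformation.Trim());
            }
            problem = string.Join("; ", reasons);
            return false;
        }
    }
}
```

Call CheckExpiry with the warning period read from configuration and ChainOfTrustInstalled once at installation and again at start-up, so a missing or expired chain is reported before the first HI Service connection is attempted.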

Support

The Agency’s Digital Health Help Centre
First level support and escalation to Agency subject matter experts, product and partnership teams
Phone: 1300 901 001 (Mon-Fri, 8:00-17:00 AEST/AEDT)
Email: [email protected]

Services Australia - Developer Support
First level support and escalation to technical support and product integration teams
Phone: 1300 550 115 (Mon-Fri, 8:30-17:00 AEST)
Email: [email protected]

Services Australia - Test Kit Support
Email: [email protected]

Services Australia - Online technical support HI service
Email: [email protected]

Services Australia - Online technical support My Health Record system
Email: [email protected]