Australia’s Digital Health system is rapidly growing and evolving and as part of that evolution, the Agency is working closely with Services Australia, software developers, and healthcare organisations to implement enhancements to the National Authentication Service for Health (NASH). These enhancements will provide enhanced security protection for healthcare information and reduce the need for healthcare organisations to manage multiple certificates.
NASH SHA-1 PKI Certificates have been deprecated by the Australian Government Digital Transformation Agency due to known vulnerabilities. Connections to the Healthcare Identifiers (HI) Service, the My Health Record system, Electronic Prescribing, and Secure Messaging are migrating from NASH SHA-1 to NASH SHA-2 certificates. The Agency is working with developers to enhance their software with SHA-2 support.
Services Australia will no longer issue NASH SHA-1 PKI Certificates after 13 March 2022, so software developers need to have upgraded their software product(s) to be NASH SHA-2 compliant and ensure that their customers have upgraded to SHA-2 compliant software by 13 March 2022.
The Agency has developed the following information and toolsto support developers through this transition:
- NASH SHA-2 Certificates - Developer Guide
Provides guidance for developers whose products connect to the Healthcare Identifiers (HI) Service, the My Health Record system, and/or Secure Messaging using a National Authentication Service for Health (NASH) PKI Certificate to upgrade their software product(s) to be NASH SHA-2 compliant.
- NASH SHA-2 Testing & Assessment - Developer Guide
Provides guidance for developers to test their software product(s) are NASH SHA-2 compliant and how to submit evidence of their enhancement testing to the Agency for assessment.
- Frequently Asked Questions (FAQs)
Questions relating to the transition to NASH SHA-2 compliant Certificates.
- Transition to NASH SHA-2 Certificates - Notifications
The latest system and deployment notifications for PKI SHA-1 OCA, PKI Certificate Chain of Trust (otherwise referred to as the new SHA-1 OCA), NASH PKI Certificates and SHA-2 OCA.
The TrustChainChecker is sample code that the Agency has developed for software developers to use to support their users. It allows verification that the correct OCA & Root CA certificates are installed in the windows key store. It will also show if any NASH & Medicare PKI Certificates are installed with that chain of trust.
Code is available here.
- Super Chain of Trust (SCoT)
The SCoT is a p12 file designed to make it easier for software developers and their customers to install all Root Certification Authority (RCA) and Organisation Certification Authority (OCA) certificates required to ensure connection to the Digital Health Services using the Healthcare Organisations NASH PKI certificate. Services Australia will continue to update and maintain the SCOT by adding any future RCA and OCA certificates.
The SCoT can be found at the Certificates Australia website https://www.certificates-australia.com.au/ and comprises the following five Medicare Australia certificates:
- NASH SHA-1 RCA Certificate valid 10 July 2006 to 10 July 2026
- NASH SHA-2 RCA Certificate valid 19 October 2016 to 19 October 2036
- NASH SHA-1 OCA Certificate valid 13 March 2012 to 13 March 2022
- NASH SHA-1 OCA Certificate valid 15 May 2021 to 3 July 2026
- NASH SHA-2 OCA Certificate valid 19 October 2016 to 19 October 2026
Installation of the above SCoT certificates will depend on how software developers’ individual products are configured to use NASH PKI Certificates for authentication, encryption, and digital signing. Note that the password for the SCoT is “Pass-123”.
- NASH Improvements webinar (Recording & Presentation)
The Agency hosted a webinar on 7 July 2021 to provide software developers with information on NASH Improvements including the transition from SHA-1 to SHA-2.
A recording of this webinar can be found here and a copy of the presentation slides here.
For a list of support contacts go here.
Key milestones dates
|The HI Service commenced accepting NASH PKI certificates in preparation for the decommissioning of Medicare PKI certificates|
|October 2018||NASH PKI certificates issued online instead of by CD|
|The Agency advised the software industry of the requirement to complete transition to SHA-2 production certificates by March 2022|
|April 2019||Services Australia NASH SHA-2 Test Certificates became available for the SVT Test environments|
|The Agency advised the software industry of the need to include the new SHA-1 OCA (2026) and SHA-2 Root CA and OCA in product updates in preparation for transition to SHA-2.|
16 May 2021
|Services Australia commenced issuing new SHA-1 (2026) production certificates with a two year expiry from date of issue. Previous SHA-1 NASH certificates (expiring 13 March 2022) are no longer issued.|
|Software providers are encouraged to rollout the SHA-1 OCA (2026) and SHA-2 Root CA and OCA to their customers by August 2021 to ensure the continuity of Secure Messaging and My Health Record transactions.|
|Commenced issuing of SHA-2 NASH production certificates subject to software and site readiness.|
|From this date, SHA-1 and SHA-2 downloads from HPOS include the NASH certificate and chain of trust files in a single P12 file.|
|Services Australia will cease issuing any further SHA-1 NASH production certificates. All organisations must update to SHA-2 compatible software and ensure their software uses NASH certificates to connect to the HI Service before this date. Existing SHA-1 NASH certificates will remain valid until expiry.|
|Simplified renewal for NASH Certificates.|
NASH SHA-2 transition webinar
A recording of this session is available here and a copy of the presentation here. The webinar held on the 7th of September 2021 was to inform PHNs, clinical peak organisations and other teams about the transition to NASH SHA-2 and present the new Health Professional Online Services (HPOS) certificate renewal workflow.