The following frequently asked questions relate to the transition to NASH SHA-2 compliant certificates by 13 March 2022. The NASH SHA-1 Certificates will no longer be issued after this date.
General Questions
- Why should I transition to NASH SHA-2 Certificate?
Services Australia will no longer issue SHA-1 PKI Certificates after 13th March 2022. In order to continue to receive & publish information in the Digital Health Services you will need a NASH SHA-2 Certificate.
- Will the Agency be providing incentives for this work?
No, the Agency will not be providing incentives for this work.
- Why were we told about this so late? It will be very difficult if even possible to have this on our workplan.
The Agency has sent regular messages to software developers since late 2018 advising of the need to transition to NASH SHA-2 PKI Certificates. Now that we are closer to the date, we are taking a more active approach to assist software developers to transition.
- How will the Agency be supporting me and my customers through this transition?
The Agency will regularly engage with you throughout the transition process and develop supporting material based on your questions.
- I am concerned that my customers and I will not be able to meet the deadline.
Talk to us. We’ll work with you to ensure you and your customers are ready before the deadline. If you need support with your development, testing and deployment, please contact the Agency via: [email protected].
- Who should I contact for further information?
If you have any questions or concerns please contact the Agency via: [email protected].
Technical Questions
- I’m developing a new product. What do I need to do?
Aside from our regular process, the only change for developers is to ensure their services can use both a NASH SHA-1 and a NASH SHA-2 Certificate to connect to the Healthcare Identifiers Service, the My Health Record System, Electronic Prescriptions and Secure Messaging.
For more information on specific requirements please visit: https://developer.digitalhealth.gov.au/home and select the appropriate service.
- Where do I get a Developer Test Kit?
New developers connecting to the HI Service can obtain test kits from Services Australia by going to: https://healthsoftware.humanservices.gov.au/claiming/ext-vnd/
The Agency’s guide to HI service development is available at https://developer.digitalhealth.gov.au/developer-guide/introduction-healthcare-identifier-service
Existing developers and all others, please contact Services Australia Developer Support at [email protected] to request your NASH PKI test Certificates.
- What tests should I perform to verify my product is SHA-2 compatible?
It is the responsibility of software developers to ensure that their product is SHA-2 ready. For existing products, we recommend that you test that all your products can operate with both SHA-1 and SHA-2 NASH PKI Certificates.
- Where do I go if I have questions regarding the Healthcare Identifier (HI) Software Vendor Test (SVT) environment?
The Services Australia Health Systems Developer Portal is the best source of information about the HI SVT environment.
If you need further support please contact Services Australia Developer Support team at [email protected]
- Do we need to conduct Notice of Connection (NOC) testing again?
If you are only upgrading your product to be SHA-2 ready, you are not required to undertake NOC testing again. For all new connections the standard NOC testing process applies.
- Where can I download the SHA-2 Chain of Trust?
The Certificates Australia website contains the SHA-2 Chain of Trust.
- Is the Chain of Trust available in HPOS?
From 5 October 2021, SHA-1 and SHA-2 downloads from HPOS include the NASH certificate and chain of trust files in a single P12 file.
- What about Contracted Service Provider (CSP) and General Supporting Organisation (GSO) Certificates?
Contracted Service Provider (CSP) and General Supporting Organisation (GSO) Certificates will also be transitioning to SHA-2. NASH test certificates for GSO and CSP can be obtained from Services Australia Developer Support at [email protected]. To apply for a NASH SHA-2 production certificate from Services Australia please click here.
- What will happen for Electronic Medical Records (EMR) developers?
We will work with you to ensure business continuity, please contact [email protected] if you have any queries.
- How will this affect Jurisdiction and Private Hospitals?
We will work with you to ensure business continuity. Please contact [email protected] if you have any queries.
- What do I need to specifically do to send and receive secure messages?
To send and receive secure messages, you must use an X.509 Certificate issued by a recognised Certificate Authority (CA). Currently NASH is the only nationally recognised CA. The NASH SHA-1 to NASH SHA-2 project will impact developers whose product:
- signs a Clinical Document Architecture (CDA) document to be transmitted
- signs a Secure Message Delivery (SMD) message to be transmitted
- encrypts an SMD message to be transmitted
- decrypts an incoming SMD message
- checks the digital signature on an incoming SMD message
- checks the signature on an incoming CDA
- authenticates itself to the HI Service or My Health Record services
If your solution performs any of these functions, it is vitally important that you ensure your solution has both the SHA-1 and SHA-2 Chains of Trust installed.
- What else might Secure Messaging developers be interested in?
Secure Messaging developers may be interested in some optional uses of NASH PKI Certificates. These include:
- Mutual Authentication with FHIR PD2 provider directories: While digital certificates issued by other CAs can be used for this purpose, NASH-issued certificates are the most widely used. If your solution uses NASH for either part of the mutual authentication, you will need to participate in the NASH SHA-1 to SHA-2 upgrade.
For more information, please go to:
https://developer.digitalhealth.gov.au/resources/faqs/national-authentication-service-health-nash-pki-organisation-certificate
- How do my customers get a NASH SHA-2 Production Certificate?
From 20 September 2021, NASH SHA-2 certificates are available in HPOS to request and download. Depending on site readiness, healthcare organisations may request a SHA-1 or SHA-2 certificate. Note that this is only applicable to NASH Organisation Certificates. For Contracted Service Provider (CSP) and General Supporting Organisation (GSO) NASH Certificates, please click here.
- When can I start using SHA-2 in production for Digital Health Services?
We encourage all developers to release their SHA-2 ready product as soon as possible. Your customers should be able to upgrade to your latest version and still be able to use SHA-1 Certificates until they expire (as late as 13 March 2024).
Timeframe Questions
- When will the NASH SHA-1 Certificates be decommissioned?
The NASH SHA-1 Certificates will no longer be issued after 13 March 2022.
- When must my software be ready to use the NASH Certificate for HI Service and SHA-2 NASH Certificates?
To remain connected to the Healthcare Identifiers Service, the My Health Record system, Electronic Prescriptions and Secure Messaging, developer partners are responsible for releasing a SHA-2 ready product before 13 March 2022, so that their customers are not impacted by the withdrawal of support for the NASH SHA-1 Certificate in March 2022.
- When can I use a NASH Certificate to access the HI Service?
It is already possible to use a NASH Certificate to connect to the HI Service. Changes were made to the HI Service in late 2018 to support this.
- What about Medicare PKI Certificates?
If your customers are currently using a Medicare PKI Certificate to access channels such as Medicare Online, ECLIPSE, PBS Online or Aged Care, they may need to transition to web services compatible software and PRODA by 13 March 2022. For more information, please go to www.servicesaustralia.gov.au/hpwebservices