Medicare Australia Site Certificates Communities Ofinterest (Coi) Certificate Policy (CP)

Short Form Certificate Policy

Medicare Australia Site CertificatesCommunitiesof

Interest (CoI) Certificate Policy (CP)for Site Certificates issued under theMedicareAustraliaOrganisation Certification

Authority (Medicare Australia OCA)V1.6

February 2007

CopyrightNotice:

This document contains information protected by copyright.© Commonwealthof Australia

Thiswork is copyright. Youmay download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within your organisation. Apart from any use as permitted under the Copyright Act 1968, all other rights are reserved. Requestsand enquiries concerning reproduction and rightsshould be addressed toTheManager, Media, Marketing and Communications Branch, Medicare Australia National Office, PO Box 1001 Tuggeranong DC ACT2901.

Contact

Medicare Australia

Locked Bag 6666

TuggeranongDC ACT 2901

AUSTRALIA

This Document has been authorised by the MedicareAustralia Policy Management Authority:

Date:

General Manager or nominee, Information Technology Services Division, Medicare Australia

Introduction

This is the Certificate Policyfor Site Certificates issuedto practicesand entities known to Medicare Australia (for example, government departmentsand agencies; health and welfare services providers) to enable them to conduct secure transactionsand data exchange with Medicare Australiaand other parties in relationto programs authorised orapproved by

Medicare Australia orwithin an entity’sCommunityof Interest recognised by Medicare Australia.

The document is structuredand numbered accordingto the GatekeeperShortFormCertificate

Policy Template.

This CPshould be read in conjunction with the Medicare Australia Organisation Certification

Authority Certification Practice Statement (Medicare Australia OCACPS).

Terminology

Site CertificatemeansaCertificate issued under this CP.

Site means:

a) the site location of any practice registered by Medicare Australia for a Medicare Australia program.The practice may bereferred toas a RegisteredMedicare Australia Practiceor practiceand includes Pharmacies andagedcare providers (however described); and:

b) any site of anentity, where that entity is recognised by Medicare Australia as a

member of aMedicare Australia recognisedCommunity of Interestand is known to

Medicare Australiaand where MedicareAustralia is the Relationship Organisation.

•Certificate Policy Clauses

CP Identification

Certificates issued under this CP shall bear the PolicyOID:

1.2.36.174030967.1.6.1.1

(where “174030967” is the last 9 digits of Medicare Australia’s Australian Business Number).

1. INTRODUCTION

Practices andentities whowish to undertakesecure electronic transmissions:

•with Medicare Australia and/or access to data held byMedicare Australia;and / or

•within a Community of Interest

may require a site certificate (Site Certificate).

TheRelationship model (also referred to as Known Customer PKI) streamlines the enrolment of practices andentities for a Site Certificate.

The Site Certificate hasa unique PolicyOID.

TheRelationship Organisation for this CPis MedicareAustralia. TheRelationship Organisation Units (ROU) are:

•program area(s) in Medicare Australia responsible forprogramsaccessible by practices using Site Certificates; and

•entities whoare membersof a Community of Interest.

TheRelationship Organisation Unit Operators (ROUOs) are:

•Medicare Australia personnel (for Medicare Australia)who accept and manage the registrationof practices); or

•personnel of the entities who are members of the Community of Interest who accept

and manage the registration of entities

to participatein a programusing the practice or entity’s Site Certificate.

1.1 PKI Participants

1.1.1Certification Authority

All Certificates issued under this CP shallbe produced by the Medicare AustraliaOrganisation

Certification Authority (Medicare Australia OCA).

Refer to theMedicare Australia OrganisationCertification AuthorityPractice Statement

(Medicare Australia OCA CPS) for further information on applicablepractices andprocedures for

Certificates issued under this CP.

1.1.2. Relationship Organisation

Medicare Australia is theRelationship Organisation (Medicare Australia RO) in the Health Sector

PKI.

1.1.3. Relationship Organisation Unit

Thereare separately identified Relationship Organisation Units (ROUs) within the Medicare Australia RO,usuallyone ROU for eachCommunityof Interest(CoI) in the Health Sector PKI operated by Medicare Australia.

TheROU hasresponsibilities in the CoIinmanaging the Subscribers in that CoI.

The various program areas in MedicareAustraliaarethe ROUs forthe participating practices. The entities in a MedicareAustralia recognisedCoI are the ROUs for the participating entities.

1.1.4CertificateControllers

Certificate ControllersareMedicare AustraliaRO personnel with responsibilitiesfor management of Certificates.

All CertificateControllers operating underthis CP are duly authorised representatives of

Medicare Australia.

Certificate Controllers maynot be located within the various program areas ofMedicare Australia. Certificate ControllersareMedicare Australia personnelwho may belocated outside of the program areas.

1.1.5Relationship Organisation Unit Operators

Relationship OrganisationUnit Operators (ROUOs) who areMedicare Australiapersonnel within the relevantprogram CoIare located within Medicare Australia.

ROUOs who are personnelof an entity within a relevant CoI are located withinthat entity. ROUOs withinany CoI arenot Certificate Controllers.

All ROUOs operate inaccordance with the processes and procedures set out inthe Medicare

Australia OCA CPS and this CP.

1.1.6. Subscribers

All Subscribers for Site Certificates shall be either:

•practices registered with aMedicare Australia program and knownto MedicareAustralia assuch according to an application for participation ina Medicare Australia program,or

•an entity which is knownto Medicare Australia and isa member ofa recognised

Medicare Australia Community of Interest.

A person, who is authorised by a practice or entitytobind the practice or entity, must enter into the Subscriber agreement for a SiteCertificatewhich is knownas theMedicareAustralia CommunitiesofInterestSiteCertificateTermsandConditionsofUse.

1.1.7. Relying Parties

TheRelying Party under this CP, in relation toMedicare Australia program CoIs, is Medicare

Australia,as receiver of transactionssecured using the Site Certificates.

TheRelying Party under this CP, in relation to entitiesknown to Medicare Australia and who are in a recognised Medicare Australia CoI, is theother entity in the CoI who is thereceiver of transactionssecured usingthe Site Certificates.

There is noRelying Party Agreement under this CP.

Parties who rely on Certificates issued under this CPand who do not have a written agreement with Medicare Australia relating to transactionswith Medicare Australia,or who undertake transactionsthat are notauthorised orapprovedbyMedicare Australia relyonsuch certificates at theirown risk.

1.2Certificate Use

1.2.1Appropriate Certificate Uses

Key PairsandCertificates issued under this CP aretobe used by Sites to securetransactions for programsandservices authorisedor approved by Medicare Australia.

1.2.2Prohibited Certificate Uses

Thereare noprohibited certificate uses.Partiesusingthe Site Certificates for any transaction other than transactions authorisedor approved by Medicare Australia do so attheir own risk.

1.3Definitions and Acronyms

Definitionsand Acronymsare in the Health Sector PKI Glossary at

2. IDENTIFICATIONAND AUTHENTICATION OF USERS

2.1Naming of Subscribers

Subscribers(termed ‘Certificate Subjects’in the x.509definition) under this CP will be named (and the uniqueness of their nameswill be assured) consistent with the name recognised by Medicare Australia throughits relationship with the Subscriber.This may include the name by which Medicare Australia has recognisedthe entityasa member ofa CoI or the name under which the entity is registered asa Subscriber.

2.2Identification and authentication of the Subscriber at registration

Subscribers under this CPwill be identified and authenticated by:

•Medicare AustraliaROUs responsible for registeringpractices forMedicare Australia programsandservices; or

•In each CoI,the entity’sROU responsible forregistering that entityfor a Site Certificate in the HealthSector PKIoperated by Medicare Australia.

2.3Identification and authentication of the Subscriber at renewal

Subscribers under this CP shall be identifiedand authenticatedand the Certificate renewed automaticallyprovided that

•if the Site isa Registered Medicare AustraliaPractice, its registrationstatus with the relevantROU has not changed, or

•if the Site is an entity recognised by Medicare Australia in aMedicare Australia

CoI, its registrationstatuswith that entity’s ROU hasnot changed.

Note:all certificate renewals under thisCP involve re-keying.

2.4Identification and authentication of revocation request

Revocation ofcertificates under this CP shall only be requested by:

•ROUOs in theevent that the Subscriberbecomes ineligible to remain asa Registered Medicare Australia Practice or entity recognised by Medicare Australia as a member ofa Medicare Australia recognised CoI; or

•The Subscriber by writtennotice;or

•Certificate Controllers.

3.CERTIFICATE LIFE-CYCLE OPERATIONAL REQUIREMENTS

3.1.Certificate creation

3.1.1. Enrolment process and responsibilities

Wherea Siteis a Registered Medicare Australia Practice, theSite may be enrolled automatically for Certificates by Certificate Controllerson the basis of that registration.

Wherea Siteis a not aRegisteredMedicare AustraliaPractice, thepracticemayapply to the relevantROU for the CoI of the Medicare Australia program orservice to be registered for that program orservice and to be enrolled for Site Certificates when registration asa Registered Medicare Australia Practice occurs.

Wherea Siteis a not aRegisteredMedicare AustraliaPractice, theentity, beinga member ofa Medicare Australia CoIandresponsible for thatSite, may apply tothe MedicareAustralia RO Certificate Controllersto be enrolled forSite Certificates.

All applications madea practice and an entity arethe responsibilityof the practice or entity through its authorised contactperson (however described).

3.1.2. Publication of the certificate by the CA

Certificates issued under this CP will bepublished in the HealthcarePublic Directory.

Revocation statusof Certificates issuedunder this CPwill be published in the Healthcare Public

Directory.

3.2.Key Pair and Certificate Usage

3.2.1 Key pair generation and installation

The Subscriber Key Pairsand Certificates issued under this CP shallbe generated by a

Certificate Controller usingaccreditedsoftware.

Thesigning key and Certificate will bestored in a password protected PKCS#12 file separate from the encryption key and Certificate.These PKCS#12 files arestored in electronic medium1 and posted as instructed by the ROUO.

1‘electronicmedium’includesfloppy disk.CD or othermediuminwhich data can bestored electronically.

A passphrase to access the keysand Certificates will be generated and postedseparately to the

Subscriber.

3.3.Certificate renewal

Certificates issued under this CP shall be renewedautomatically bythe Certificate Controllers. In the case ofa RegisteredMedicare Australia Practice, the Certificate shall be renewed

automaticallyafter checking its status oron advice from the ROUOs, provided the status of the

Registered Medicare AustraliaPractice has not changed.

In the case ofan entity, the Certificate shall be renewed automatically after checking its status or on advice from the ROUOs, provided the status ofthe entity has not changed.

Refer to clause 2.3 for details of identificationand authentication.

3.4.Certificate revocation

Certificates issued under this CP may be revoked byMedicare Australia in its absolute discretion, including but not limited to:

•after loss, destruction or theft of the Site Certificate;

•intheeventofde-registrationofthepractice(howeverdescribed)whetherinrelation toparticipationinanyMedicareAustraliaprogramornot;

•intheeventofanyApprovals(howeverdescribed)relatingtothepracticebeing cancelledbyMedicareAustralia;

•in the eventany ApprovalNumber(s) (however described) relatingto the practice being cancelled by Medicare Australia;

•in the event that theentityceasesto exist or be recognised by Medicare Australia or ceases tobe a memberof a Medicare Australia recognised CoI.

3.5Certificate status services

3.5.1Operationalcharacteristics

Detailsof Operational Characteristicsare not provided.

3.5.2Service availability

Service availability for theCertificateRevocation List(CRL) issubstantially 24 x7 at

3.5.3Optional features

Detailsof Optional Features are not provided.

4.REGISTRATION OPERATIONAL CONTROLS

4.1Personnelcontrols

All CertificateControllers under this CP shall be authorised representatives ofMedicare

Australia.

4.2Logical and Technological controls

Certificate requests will be processed bythe authorised CertificateControllers ofMedicare

Australia in accordancewith the securityprovisions ofthe Medicare Australia OCA CPS.

4.3Physical controls

Certificate requests will be processed byAuthorised Certificate Controllers inaccordancewith the security provisionsof the MedicareAustralia OCACPS.

4.4Business continuity of the RelationshipOrganisation

As MedicareAustralia (theRelationship Organisationunder this CP) is astatutory agency under the MedicareAustralia Act1973,its continuation depends on continuance in force of the Medicare Australia Act1973or by otherActs ofthe Commonwealth Parliament made pursuant to government policy.

Changes in legislation or government policy willprovide for business continuityof the RO in accordance with policy as determined bythe government.

4.5Relationship Organisation termination

As MedicareAustralia isastatutoryagency under theMedicareAustraliaAct1973,its termination or change of entity status is through amendment to the MedicareAustraliaAct1973or by other Acts ofthe CommonwealthParliament made pursuantto changes ingovernment policy.

5. CERTIFICATE, CRL AND OCSP PROFILES

5.1 Certificate profile – Site Encipherment Certificate

5.2 Certificate profile–Site Signing Certificate

2TheseCertificate extensionOIDreferencesare expectedto be commontoall CoI Certificate Policies, and may haveapplicability to this CoI.

3TheseCertificate extensionOIDreferencesare expectedto be commontoall CoI Certificate Policies, and may haveapplicability to this CoI.

5.3 Medicare Australia OCA CRL Profile

5.4 Medicare Australia OCA OCSP Profile