Skip to main content

ANAO audit highlights security and data risks at Medicare

by Andrew Starc •
Subscriber preview

The Australian National Audit Office (ANAO) has highlighted security risks, data inaccuracies and the sub-par performance of an Online Claiming system as part of an audit of Medicare’s Pharmaceutical Benefits Scheme (PBS).

Released 24 May, the audit details a series of ICT issues facing the PBS, which has experienced continued growth in volume and cost since the introduction of the Online Claiming system in 2005, a networked system through which pharmacies can assess and log patient details and prescriptions.

The audit raised a number of concerns regarding the security of the system, namely the standards with which data integrity was being held against as well as issues regarding the onus of responsibility for security.

“IT security continues to be an area with growing threats, it would be prudent for agencies to explicitly address this issue,” states the report.

The audit called for the Quality Care Pharmacy Program, which provides a financial incentive for pharmacies, to adhere to an IT quality standard with regard to information security.  It was“not sufficient to provide meaningful assurance that patient information is adequately protected.”

According to the findings, Medicare has not sought assurance from pharmacies that these information standards are being met, claiming that it is the responsibility of the pharmacists themselves to implement basic computer and network security controls, including firewalls and anti-virus protection.

The audit also deemed Medicare, which has been prone to recommend the use of internet protection tools such as virus and firewall protection in its documentation about the Online Claiming system; is “not in a position to mandate the use of these type of controls to pharmacists”.

When asked their respective positions on the security of patient records on pharmacy computer systems, Medicare advised that they were “not responsible for the privacy and security of data entered by the pharmacist onto their computer system.”

The audit also called attention to system-generated error warnings, designed to stop processing of prescriptions if certain criteria remains unsatisfied, that can be easily overridden by pharmacists.

“A prescription can be entered into Online Claiming for PBS and have an invalid prescriber name and number, and trigger system warnings only.  The pharmacist can then subsequently supply the PBS medicine to the customer and register the prescription in Online Claiming for PBS,” states the report.

In light of these practices by pharmacists, Medicare advised that there are; “some situations where it is appropriate for pharmacies to have the capacity to ignore a warning message.”  The ANAO was informed by Medicare that a review of warning messages has now been completed and that “relevant changes implemented”. The detail of those changes, however, was not provided as part of that advice.

It was also found that Medicare did not have in place any processes for the systematic monitoring of the occurrence of warning and error codes at a state or national level, nor is there any trend analysis undertaken.

The audit detailed that there is currently no system to quarantine or reject claims that fail to meet the stated criteria. Further, there are no warnings in the Online Claiming system to alert staff to claims that do not conform with requirements.  

“Consideration of the validity of claims against these requirements is not routinely a part of Medicare Australia’s claims processing,” states the report.

The audit also found data quality issues with the Safety Net Threshold system, which requires patients to keep a record of their expenditure on PBS medicines and seek to register for the PBS Safety Net, through a pharmacist, when they believe they have qualified.  

“Medicare Australia does not capture every medicine purchase that might count toward the Safety Net Threshold, such as those which do not attract a PBS payment.   Therefore, without capturing further data, it cannot necessarily identify in all cases the time when a patients’ expenditure makes then eligible for the Safety Net,”

In their recommendations, the ANAO suggests Medicare examine how data capture arrangements could be enhanced to enable patients to be advised when they have reached the PBS Safety Net Threshold.  In response to the recommendation, the Department of Health and Ageing stated their disagreement with the measure, citing that “the matter of an automated safety net is a policy issue with significant program design and cost implications and is a matter for Government to consider.”

The full report can be accessed here.

Already a subscriber? Sign in here to keep reading

Want more content like this? Contact our team today for subscription options!

  • Stay up-to-date on hot topics in government
  • Navigate your business with executive level horizon outlooks
  • Get deep public sector ICT insights on our Market Watch series
  • Federal
  • auditor general
  • Medicare
  • Pharmaceutical Benefits Scheme