Australia’s Digital Health system is growing and evolving rapidly. As part of that evolution, the Agency is working closely with Services Australia, software developers, and healthcare organisations to implement enhancements to the National Authentication Service for Health (NASH). These enhancements will strengthen security protection for healthcare information and reduce the need for healthcare organisations to manage multiple certificates.
NASH SHA-1 PKI Certificates have been deprecated by the Australian Government Digital Transformation Agency due to known vulnerabilities. Connections to the Healthcare Identifiers (HI) Service, the My Health Record system, Electronic Prescribing, and Secure Messaging are migrating from NASH SHA-1 to NASH SHA-2 certificates. The Agency is working with developers to enhance their software with SHA-2 support.
Services Australia will no longer issue NASH SHA-1 PKI Certificates after 13 March 2022, so software developers need to have upgraded their software product(s) to be NASH SHA-2 compliant and ensure that their customers have upgraded to SHA-2 compliant software by 13 March 2022.
The Agency has developed the following information to support developers through this transition:
- NASH SHA-2 Certificates - Developer Guide
  Provides guidance for developers whose products connect to the Healthcare Identifiers (HI) Service, the My Health Record system, and/or Secure Messaging using a National Authentication Service for Health (NASH) PKI Certificate to upgrade their software product(s) to be NASH SHA-2 compliant.
- NASH SHA-2 Testing & Assessment - Developer Guide
  Provides guidance for developers on how to test that their software product(s) are NASH SHA-2 compliant and how to submit evidence of their enhancement testing to the Agency for assessment.
- Frequently Asked Questions (FAQs)
  Questions relating to the transition to NASH SHA-2 compliant Certificates.
- Transition to NASH SHA-2 Certificates - Notifications
  The latest system and deployment notifications for PKI SHA-1 OCA, PKI Certificate Chain of Trust (otherwise referred to as the new SHA-1 OCA), NASH PKI Certificates and SHA-2 OCA.
The TrustChainChecker is sample code that the Agency has developed for software developers to use to support their users. It verifies that the correct OCA and Root CA certificates are installed in the Windows key store. It also shows whether any NASH and Medicare PKI Certificates are installed with that chain of trust.
Code is available here.
- NASH Improvements webinar (Recording & Presentation)
  The Agency hosted a webinar on 7 July 2021 to provide software developers with information on NASH Improvements including the transition from SHA-1 to SHA-2.
  A recording of this webinar can be found here and a copy of the presentation slides here.
For a list of support contacts go here.
Key milestone dates
| Date | Milestone |
|---|---|
| | The HI Service commenced accepting NASH PKI certificates in preparation for the decommissioning of Medicare PKI certificates |
| October 2018 | NASH PKI certificates issued online instead of by CD |
| | The Agency advised the software industry of the requirement to complete transition to SHA-2 production certificates by March 2022 |
| April 2019 | Services Australia NASH SHA-2 Test Certificates became available for the SVT Test environments |
| | The Agency advised the software industry of the need to include the new SHA-1 OCA (2026) and SHA-2 Root CA and OCA in product updates in preparation for transition to SHA-2. |
| 16 May 2021 | Services Australia commenced issuing new SHA-1 (2026) production certificates with a two year expiry from date of issue. Previous SHA-1 NASH certificates (expiring 13 March 2022) are no longer issued. |
| | Software providers are encouraged to roll out the SHA-1 OCA (2026) and SHA-2 Root CA and OCA to their customers by August 2021 to ensure the continuity of Secure Messaging and My Health Record transactions. |
| | Services Australia will commence issuing SHA-2 NASH production certificates subject to software and site readiness. |
| 14 March 2022 | Services Australia will cease issuing any further SHA-1 NASH production certificates. All organisations must update to SHA-2 compatible software and ensure their software uses NASH certificates to connect to the HI Service before this date. Existing SHA-1 NASH certificates will remain valid until expiry. |
| | Simplified renewal for NASH Certificates. |