Australian Government Smart Card Project

Introduction

These are some comments on the Australian Government's access card Health and Social Services project. It may be of use to students of "Information Technology in Electronic Commerce" at the Australian National University (COMP3410/COMP6341) and others. It is not intended as a detailed analysis. Comments, corrections and suggested additions would be welcome.

Access Card Proposal

The Australian Government provided details of a health and social services access card (or "smart card") in the 2006/2007 budget. The project is more formally known as the "Health and Social Services smart card initiative" ("HSS initiative", or colloquially the "smart card project").

The introduction of the new access card will cut some of the red tape involved in obtaining health and social services benefits, whilst delivering a more convenient, efficient and secure system for obtaining Government health and social services benefits.

The inclusion of a digital photograph on the access card will significantly enhance the identity security elements of the card, protecting the cardholder's identity and reducing opportunities for fraud. So if your card is lost or stolen it can't be used by anyone else.

From: Access Card to cut red tape for Health and Social Services, Media Release, Human Services Minister Joe Hockey MP, 9 May 2006

An analysis of the proposal by consultants, was released by the Government on 6 June 2006. The report recommended the project be implemented, starting in 2008 and be use for social services and health benefits.

• a health and social services access card system be implemented;
• a uniform registration process should start in 2008 and continue over a 24 month period;
• the access card should be required to access Centrelink benefits, Medicare rebates or PBS benefits and prove entitlement to concessions; and
• a biometric photograph should be placed on the card and in the chip.

... 'The access card project will be conducted in an open and transparent manner'.

From: KPMG business case backs health and social services access card, Media Release, Human Services Minister Joe Hockey MP, 6 June 2006

Formatting of the Access Card Report

The report, "KPMG Access Card Business Case" (February 2006), consists of 105 pages, distributed in electronic format as a PDF document. Unfortunately the report was provided in the form of a bitmap image of each page (much like a fax). The text of the report was not provided in a machine-readable format, as is done with other PDF documents on the Department of Human Services web site.

The format of the report limits access. Because of the lack of machine-readable text, the report cannot be found using a web search, the text cannot be searched internally using PDF's built in search mechanisms and excerpts cannot be easily copied from the report for comment. As a result there may be errors in the sections of the reported quoted here, which were transcribed by hand or using optical character recognition.

Because of the lack of machine-readable text, the report is inaccessible to those with limited vision. Providing the report in this way is contrary to the Australian government policy on the use of accessible formats for the disabled, and may breech the Disability Discrimination Act. The requirements for accessible document formatting are well known to web professionals and are discussed in a presentation to the Beijing Olympic 2008 committee.

Overview of the report

The report's authors point out that it is not an audit or a comprehensive review of operations and depends on estimates provided by the Australian Government. The report was prepared for the Minister for Human Services in February 2006.

The report is divided into two volumes:

1. Business case
2. Detailed costing

The detailed costing and attachments to the report were deleted before public release, for commercial reasons.

The business case is divided into six parts:

• A. Executive Summary
• B. Description of the HSS initiative
• C. Current and future benefits of the HSS initiative
• D. How the HSS initiative will help fraud and leakage exposures
• E. Costs and benefits
• F. Implementation and governance

Outline of the HSS initiative

The project aims to change service access arrangements for health benefits and social services:

• The introduction of a new chip based health and social services access and entitlement card to replace the Medicare card and numerous other DHS agency cards and vouchers
• The introduction of substantially improved proof of identity arrangements to obtain the card and improved proof of identity information on the card and in the chip in line with the Attorney General's Department strengthened proof of identity requirements
• The introduction of a comprehensive uniform registration program, for all consumers wishing to obtain the card which will involve up to 16 million Australians with the maximum number of eligible citizens registering over a 24 month period
• The introduction of a new supporting registration service and common basic customer record which can be accessed by all DHS agencies. This record is called the Secure Customer Registration Service (SCRS) for the purpose of this business case. This will mean consumers only need to register once for a DHS service and only notify DHS agencies once of changes in household circumstances such as change of address.

From: "KPMG Access Card Business Case", KPMG, February 2006

The aim of the initiative is to improve service delivery by better access to services and entitlements, make the system more efficient, easier to use and to lessen fraud. However, it should be noted that the authors were only briefed to carry out an analysis of the one option presented by the Government. They were only asked to make a business case of how well a smart card would work, not to see if there were better alternatives. As an example making payments direct to bank accounts, rather than in cash and the use of the financial system to identify recipients might provide sufficient fraud control, without the need to build a new IT system and saving administrative costs.

The smart card initiative assumes no change to eligibility or entitlement criteria, nor rationalization of the agencies which administer the programs (apart from creating a new agency to administer the smart card). It is assumed that separate agency databases will continue to exist (but with some interconnection for identification information of the smart card) and that the public will continue to need to interact with the different agencies.

As the report points out, the smart card will allow a person to register once, but they will still need to "... continually provide relevant asset, income and family composition information as per the existing policies of DHS agencies". Identification makes up only a small part of the information provided to the agencies. As a result the smart card is unlikely to greatly reduce the burden on the public of having to provide information to the government and will not greatly improve the efficiency of agencies. The report does not investigate other initiatives which could achieve greater savings. As an example improvement to agency web sites and the use of mobile phone technology might reduce the burden on the public while at the same time reducing administrative costs.

Rationale for change

The report lists as key drivers for change:

• The upfront access arrangements for health and social services are unnecessarily inefficient, complex, fragmented and inconvenient for consumers
• The service systems, and in particular, inconsistent POI arrangements, provide significant opportunities for fraud. Given the size of expenditure, this represents a present and ongoing risk and exposure to Government
• There are major changes in technology forecast over the next decade which will ultimately drive some rationalization of the present system.

From: "KPMG Access Card Business Case", KPMG, February 2006

Taking each of these points in turn:

1. Improving Upfront Access Arrangements: Identification makes up only a small part of access. Therefore, introduction of a smart card will make a minimal difference to the efficiency of access arrangements for health and social services.

2. Reducing Opportunities for Fraud: Having one Point of Issue (POI) would reduce opportunities for some fraud. However, this will also introduce a single point of failure. Failure of the smart card security would expose the system to a risk of widespread fraud. Increased security could instead be achieved by using existing identification means in the financial and telecommunications industries and strengthening those means. For example, if payments are made to bank accounts, rather than in cash, the risk of fraud is reduced. If a transaction card is used to purchase subsidized medicine, this can be used as part of the identification.

   It should be noted that the mock up of a Government smart card demonstrated by the Minister is one designed for a GSM mobile phone ("The card we had to have? Human Services Minister Joe Hockey", Picture by Edwina Pickles, The Sydney Morning Herald, June 13, 2006). Many already carry a Subscriber Identity Module (SIM) card, issued by their mobile phone carrier. These could be used to help reduce fraud, without the need to build a new infrastructure for issuing cards or reading them.

3. Coming Changes in Technology: Forecasts of technological change are often wrong. Early adopters pay more and may be left with orphan technology. The Australian Government, along with most of the IT industry, failed to see the development of the Internet in the 1990s, resulting in wasted investment:

   ... In the 1980's and early 1990's significant effort went into developing open systems standards, particularly for interconnecting incompatible systems. Open Systems Interconnection (OSI) development began overseas in 1977. The IESC was given the task of developing the Australian GOSIP (Government Open Systems Interconnection Profile) in 1988 and the policy was promulgated in November 1990. The final version, GOSIP 3, was published in August 1993. By 1995 it was clear that there was a lack of compliance with GOSIP. The Internet standard TCP/IP had become a marketplace reality and GOSIP and open-systems policies were dropped from whole-of-government IT strategies.

   From "Electronic Service Delivery, including Internet Use, by Commonwealth Government Agencies", Australian National Audit Office, 1999

Problems with the current system

The report outlines problems with fragmentation, duplication and inconvenience with the current health and social services delivery.

• Consumers are confronted with an array of different service standards, ... access points and ... POI in each agency
• There are multiple registration points with some consumers having to repeat the same information to different agencies and often provide the same proof of identity (POI) information to the same agency if they want a different service
• There are 520 forms in Centrelink alone, all of which require the consumer to provide information on their identity.' This makes the system onerous for customers and inherently prone to error
• There are multiple cards for different concessions and entitlements, many are paper based. ...

From: "KPMG Access Card Business Case", KPMG, February 2006

However, these problems have little to do with identification technology, but are due to a lack of coordination between agencies and administrative complexity. They could be solved by rationalization of the administrative processes, without the need for a smart card.

The report asserts that a smart card will meet the requirements of the Australian Government Authentication Framework (AGAF). However, the AGFA includes a checklist for government, to be used in planning and setting up systems that employ e-authentication. The smart card project does not appear to have been assessed against the checklist. Also the report does not consider if the proposed smart card will fit within the Australian Government Smartcard Framework.

The AGAF checklist recommends reusing credentials issued by another party, such as another government agency or a bank, rather than issuing new credentials. This option does not appear to have been assessed seriously by the smart card project, as this was outside its brief.

The Department of Industry Tourism and Resources is undertaking the VANguard project, to provide online validation, authentication and notary services for Federal, State and Local government agencies via a single entry point. It is not clear to what extent the services of VANguard will be used for health and social services.

The report envisages that the smart card could, in future, be used to carry digital keys for the cardholder to 'digitally sign' data. No details are provided how this would provide a benefit over the digital signatures already issued by other government agencies and the private sector. It is claimed that as card readers attached to PCs become available this will allow social service claims to be made on-line. However, some government transactions, such as tax returns are already submitted on-line without using card readers.

Opportunities for fraud

The report's authors were tasked with examining opportunities for fraud in the current health and social services systems and how a smart card might prevent it. Unfortunately this section of the report has not been made public for security reasons. It is therefore not feasible to assess it.

However, the report discusses, in general terms, fraud through identity theft, false claiming of entitlements, failure to notify changes which affect entitlements, and leakage arising from mistakes due to incorrect and outdated data. A series of examples is provided.

• Medicare and Centrelink have reported leakage losses of $252 million and $1.1 billion respectively in 2004-05. These amounts are based largely on known, detected leakage, including fraud, and it is likely that the underlying level of fraud is substantially higher
• A person can obtain a Medicare card, a PBS concession or Centrelink entitlement and not be required to produce any photographic identification to obtain the card. This is in stark contrast to other systems such as passports and drivers licences
• A person can present a Medicare card or a health card and claim those benefits at a doctor's surgery or pharmacist without authenticating whom they are or that they are the cardholder
• The current cards carry little or no information, including photographic or other biometric data about the customer, that robustly demonstrates the relationship between the cardholder, the card and the benefits to which the cardholder is entitled
• There is no uniform system to check current concessional status, and PBS concessions in particular are open to significant abuse as a result. Also, paper based cards issued with a three month expiry date do not always reflect a persons current concessions. An estimated 25% of concessional status were cancelled by Centrelink before the expiry date on the card
• A recent ANAO report found that up to 30% of customers POI information recorded in Centrelink's customer database is not sufficiently reliable to uniquely identify or substantiate the identity of customers, and that inaccurate customer information could inhibit fraud detection.
• The same report notes that Centrelink's database contains records for almost 1.5 million customers, where those records contain a date of death. Assuming benefits are still being paid to 0.5% to 1% of these customers, Centrelink could be overpaying between $75 million to $150 million annually.
• The present system is overly weighted to compliance and detection rather than prevention and deterrence
• The respective databases of the various DHS agencies are an aggregate of years of differing standards of POI, different rules which at the very least make the system prone to error. At worst, the present data on simple demographic information lacks the integrity necessary for effective fraud prevention and detection.

From: "KPMG Access Card Business Case", KPMG, February 2006

While these are problems in the existing health and services systems, they do not necessarily point to a smart card as the answer. Addressing some of the points:

1. leakage losses: Medicare and Centrelink leakage can be detected using Analytics (data mining) techniques on the existing data. The Australian National University and CSIRO have developed techniques to data mine, while respecting the privacy of the records. The Australian Taxation Office is using Australian developed open source Analytics software for fraud discovery.
2. photographic identification not required: If there is an unacceptable risk in photographic identity not being required to collect a Medicare card, the obvious solution would be to change procedures to require such identification.
3. claiming at surgery or pharmacist: Procedures could be changed to require the name on the Medicare or a health card to be checked. If the current cards do not provide sufficient authentication, then other forms of identification could be used. This needs only done the first time the person presents to a particular surgery or pharmacy. If more than one person attempts to use the same card at the same place, the fraud is likely to be detected. In addition, if a transaction card is used for payment, then the credit or EFTPOS card provides a means of identification. Doctors and pharmacists have an incentive to check identity for financial transactions, to ensure they are paid. If smart cards are introduced by financial institutions, this would strengthen the identification without the need for a government smart card.
4. relationship between a cardholder and benefits: No off-line system, including as a smart card, can hold up to date information on benefits the card holder is entitled to. The entitlements can change after the smart card is updated. Therefore, any system relying on an off-line system will be out of date. A cost/benefit risk management strategy must be used to assess how out of date the information can be and still be acceptable. One risk mitigation strategy is to make payments to a bank account. Another approach is to use an on-line system, which does not necessarily require a smart card.

Technology drivers

The report avoids the mistake of driving the whole strategy from a technology imperative. However, some technology drivers are listed as reasons for a smart card approach.

• Smart card technology will be common place in the financial services sector. By the end of 2007 it is estimated that 75% of EFTPOS terminals will be chip card compatible
• There is a move away from magnetic stripe cards in the financial services sector because of the high risk of fraud and failure
• There is already wide acceptance of chip card technology in Australia, through the use of mobile phones, pay phone shared value cards, and in the transit area, eTags
• There is widespread recognition of the need for greater security in public information and processing environments
• A number of state agencies are considering smart cards for travel and drivers licences. It is important that there is not a myriad of different platforms, systems and standards. Such a scenario would add considerable cost and risk to any single initiative.

From: "KPMG Access Card Business Case", KPMG, February 2006

Addressing these points:

1. Smart card technology common place: While most EFTPOS terminals may be smart card compatible, there appear to be few cards issued for them to read. If such cards are in common use by 2007/2008, this may obviate the need for a government smart card. The financial industry smart cards can instead be used for authenticating health and social service recipients.
2. Move away from magnetic stripe cards: Magnetic stripe cards have a high risk of fraud and failure. However, the financial services industry is using a range of techniques to supplement, rather than replace magnetic stripe cards. One of these is the use of a smart card chip on the magnetic stripe card. Others are lower technology options, such as including a non embossed number printed on the card and offering incentives to merchants to use on-line payment.
3. wide acceptance of chip card technology in Australia: Mobile phone smart cards do not indicate a wide acceptance by the customer, as many will be unaware of the existence of the card inside the phone. However, the widespread use of these cards offers an alternative form of identification to a government card.
4. widespread recognition of the need for greater security in public information and processing environments: The need for improved computer security does not imply an acceptance of smart cards. As an example the recent case of an ADF officer leaving a sensitive CD-ROM in a public computer would not be overcome by a smart card. Had the employee instead left their smart card in a public computer, the security lapse could have been far more serious.
5. state travel and driver licences: The adoption of smart card drivers licences would provide an alternative for identifying health and social security recipients, without the cost of an additional federal smart card. The proposed investment in the federal card could instead be provided to state governments as an incentive to adopt a nationally standardized card.

Risk in the Smart Card Project

It should be noted that the government's proposal is for a smart card project. Therefore, much of the analysis here is of that smart card proposal. Alternative approaches to achieving the projects stated aims are discussed. But the intention is not to propose an overall alternative strategy.

Any strategy needs to address the problems common to any large IT project, as well as those with smart cards. IT projects have a high risk of failure. Standards Australia estimated 50 to 90% of projects go over time, over budget, or fail to meet expectations of productivity or efficiency benefits.

Estimates of project underperformance vary, but it is generally recognized that somewhere between 50 and 90% of projects go over time, over budget, or fail to meet expectations of productivity or efficiency benefits. Part of this standardization process will be to discover the missing elements in existing methodologies as a contribution to global management knowledge.

The magnitude of expenditure, and the rate of 'failure', of information systems projects are staggering. One report found that 75% (US$26.8 billion) of the software budget spent by the US Department of Defense was either never used or cancelled prior to delivery, and a further 23% (US$8.2 billion) could only be used after modification.

From: "Fact Sheet - IT Management and Governance", Standards Australia, Committee IT-030.

Others put the failure rates for IT projects as high as 97%. But then point out such figures miss the point that it is the benefit derived from the effort which is important, rather than a "success/fail" flag.

As ICT has a significant effect on organisational performance and introduces significant financial and operational risks - it is core to good corporate governance. Various studies show that ICT promises are rarely fulfilled - with failure rates as high as 97% being quoted for particular types of projects. This figure is of course sensational. The issue is not how many projects or ideas succeed or fail - but the cost and benefits derived from the effort.

Information and Communication Technology is intrinsic to current business practices and continues to be a driver for change. With effective systems organisations can receive and process customer requests in a timely manner and be paid efficiently. The analysis of Information about the transactions can provide useful information to help organisations improve their business processes.

From: "Governance of ICT", Marghanita da Cruz, Ramin Communications, 2006.

Definitions of failure may range from not delivering on time and budget, to total abandonment of a project.

Failure is defined in terms of the Ewusi-Mensah and Przasnyski (1991) definition of total abandonment, where a project is terminated before full implementation. This definition is consistent with Sauer's (1993) definition of failure where development of an information system ceases, leaving supporters' interests unsatisfied. For the purposes of this study, success is limited to "non-failure" as defined above. Although this definition clearly excludes several known categories of failure and success, it means that failure and success can be objectively declared and is considered to be an acceptable limitation for this study.

From: "Conflict as a Factor in Information Systems Failure", Warne, L., 8th Australasian Conference on Information Systems (ACIS 97), 1997.

However, even allowing a generous definition of success, such as implementation of the system within double the budgeted cost in double the time frame envisaged, the smart card project would appear to have little chance of success. A reasonable estimate of success would be 25%. This is not to suggest the project should not be undertaken, but that the project's sponsor (the Minister) and developers need to acknowledge this is a high risk project and take steps to minimize the risk.

Projects risks can be lessened through formal project management processes. As an example the Australian Department of Defence Project Wedgetail.

... One of the country's largest and most software-intensive projects, known as Project Wedgetail, recently received a Practical Software and Systems Measurements (PSM) award in Colorado, United States.

The Department of Defence received the award at the international Seventh Annual PSM Users Conference for outstanding efforts in implementing PSM into a complex and diverse environment - Project Wedgetail's Airborne Early Warning and Control System (AEW&C). ...

From: "DEFENCE'S AIRBORNE EARLY WARNING AND CONTROL SOFTWARE RECEIVES INTERNATIONAL RECOGNITION", Defence, PACC 317/03 Tuesday, 4 November 2003

Apart from formal project development techniques, risk can be reduced by limiting the scope of a project. As an example, the smart card project envisages a number of uses of the card beyond the core of identification for health and social services. While these extra uses might be useful in gaining support for the concept, they complicate the project and increase the risk of failure.

One use proposed for the smart card is the storage of patient records. This is a "safety critical" application, where failure of the system could result in death or serious injury. It requires more stringent development techniques, which will result in higher costs for the system. It also exposes the developers, consultants, testers and their sponsors, including the Minister, to criminal prosecution if the system fails. It may be best to drop this use from the requirements.