Security flaws in e-patient files: Ministry of Health sticks to launch

At 38C3, security researchers demonstrated a number of security flaws in the electronic patient file. The BMG is sticking to the ePA rollout.

After security researchers Bianca Kastl and Martin Tschirsich demonstrated a number of security flaws in the electronic patient file at the 38th Chaos Communication Congress, the Federal Ministry of Health (BMG) still wants to stick to the nationwide rollout of the electronic patient file from January 15. When asked about "the problem", a BMG spokesperson said that they were in contact with the CCC.

"The theoretical problem described by the CCC will be solved for everyone before the ePA is introduced. The BSI will officially confirm this in due course. The pilot phase will start as planned on January 15. The ePA for all will meet all high security standards at the start, which are also supported by the BSI and BfDI," the statement reads.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Louisa Specht-Riemenschneider, made a more nuanced statement in her response to the request from heise online: she had "pointed out the high risk potential of the vulnerabilities to Gematik, which is responsible for digitization in the healthcare sector, and the BMG at an early stage and urgently recommended immediate measures to reduce the associated risks. The Federal Office for Information Security and the BfDI recommended a solution to Gematik to mitigate the vulnerability," a spokesperson for the BfDI told heise online.

The Federal Office for Information Security (BSI) responded to our query in great detail. Together with Gematik, it has carried out analyses and "immediately developed additional protective measures and arranged for their implementation" to prevent possible "access by unauthorized persons to the data of any patients stored in the ePA", a BSI spokesperson said.

At the same time, the BSI explains that this attack requires access to a card terminal, a valid SMC-B (Secure Module Card of the type "Betriebsstätte") including its PIN, and a connector for connection to the telematics infrastructure, also known as the "health data highway". According to the BSI, "the disposal of the corresponding infrastructure and device cards" is the responsibility of the "healthcare institutions", which were "once again sensitized accordingly and made aware of their obligations". In its reaction to the security deficiencies presented, Gematik had referred to fines and imprisonment if criminals illegally obtain means of access.

According to the BSI spokesperson, a further attack route "via the active card terminal on site in a healthcare facility" requires a great deal of "technical expertise and unhindered access to the said terminal". "In order to prevent such manipulation, the environment in which the card terminals are used must be selected in such a way that unauthorized physical access can be prevented by healthcare staff at any time. This is stipulated in the requirements for the installation of the card terminals. The deliberately chosen design of the devices also makes it more difficult to carry out the attack quickly," explains the BSI.

According to the BSI spokesperson, the pilot phase for the launch of the electronic patient file is initially planned in 300 healthcare facilities in the three model regions. Further protective measures are currently being developed. Accordingly, "a white listing will be introduced for the participating healthcare facilities so that only these practices will have access to the ePA".

To close a security gap, Gematik also wants to encrypt the health insurance numbers and expand "monitoring measures such as monitoring and anomaly detection". Gematik also wants to keep a close eye on the "secondary market for practice infrastructure". Access and attacks can be traced back to the respective practice identity, which will not prevent criminals from gaining unauthorized access to the infrastructure.

With various measures, the BSI considers the risks of a "successful attack on the group of participating healthcare facilities to be limited" and assesses the technical and organizational measures (TOMs) as mitigating. Nevertheless, further TOMs must be implemented "in the short and medium term" to "further reduce the risk of a successful attack". "The Federal Ministry of Health (BMG) and Gematik will decide on the start of the nationwide rollout in due course. Before then, the measures implemented up to that point will also be reassessed by the BSI," said the spokesperson.

The former federal data protection commissioner for Mecklenburg-Western Pomerania, Thilo Weichert, considers the planned rollout of the ePA to be a "huge risk for the data protection of the health data stored there". He would not want to take responsibility for this. "I understand that politicians see this differently, also considering the justified expectations associated with the ePA. If there is to be a start, then it should be informative and honest, so that those affected can make a conscious decision about their opt-out option," explained Weichert when asked by heise online. Kastl and Tschirsich had "impressively demonstrated" that the ePA only had limited security. This needs to change.

Following the publication of the presentation, the CCC called for an "end to ePA experiments on living citizens". The independent medical profession is calling for an immediate halt to the rollout plans. The security gaps identified mean that it is possible to access "the sensitive medical data of 70 million people with statutory health insurance" with little effort. According to Silke Lüder, general practitioner and deputy federal chairwoman of the Independent Medical Association, "the narrative of the secure ePA" failed shortly before the rollout on January 15, 2025. According to Lüder, the rollout is "absolutely irresponsible given the existing systematic security gaps". It is particularly bad that "some errors in the security design have been known for years and yet have apparently not been closed by Gematik in the current specification", Lüder continued. She described Gematik's reaction to the loopholes as "absurd".

In the view of Patrick Breyer from the Pirate Party, it is "contrary to the law and data protection" that the electronic patient file is to be launched in mid-January, "even though, by gematik's own admission, the mega security gap remains and security standards have not yet been implemented. Above all, however, this approach destroys trust and can have health consequences for those affected," explains Breyer. He demands that the Federal Data Protection Commissioner should stop the "irresponsible gamble with our health", as "the security of our mental and physical health [...] is not negotiable".

(mack)
This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.