E-patient file: Letter to Ministry of Health reveals implementation shortcomings

Despite major shortcomings, the e-patient file is to be introduced on January 15. But the “banana software is not even light green”, says a letter to the BMG.

Despite the security risks and existing implementation deficiencies that have recently been highlighted once again, the Federal Ministry of Health (Bundesministerium für Gesundheit) is sticking to the launch of the test operation of the “electronic patient file for all” (ePA 3.0) in model regions on January 15. A few days ago, Federal Health Minister Karl Lauterbach announced that “we will only launch the ePA once all hacker attacks, including those by the CCC, have been made technically impossible”.

A letter from the German Health IT Association (Bvitg) to those responsible at the BMG and Gematik now reveals that there are further challenges. The letter summarizes the agreements from a previous discussion with the stakeholders and states that the test operation will apparently only start with one of the two planned file systems because one was not ready in time. In addition, the two file systems from IBM and RISE behave very differently, which makes interoperability more difficult.

In addition, the Federal Office for Information Security (BSI) has yet to review the measures proposed by Gematik to address the security deficiencies of the ePA.

According to the letter, the associations will only recommend that their member companies equip participants in the model regions with ePA modules in good time once the BSI supports Gematik's approach with a limited number of ePA-approved institutions. It has also been made clear that the certificates of conformity are not affected by the security gaps addressed by the CCC.

Nevertheless, “the complete elimination of the technical risks identified by the CCC, as confirmed by the BSI, was defined as a binding criterion for the start of the mass rollout”. This point is largely in line with the Federal Minister of Health's statement, even if the elimination of the gaps identified in no way means that “hacker attacks will be made technically impossible”. However, the original schedule of extending the ePA 3.0 to the whole of Germany four weeks after its launch in the model regions is no longer tenable.

With this in mind, the Bvitg expressed understanding for the urgency of the January 15 launch date, but said it was “important for further development to know what the medium and long-term planning for ePA 3.1.1 ff” looks like. Forward-looking scheduling is essential for companies.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.