More and more experts warn against electronic patient records

The electronic patient file (ePA) is due to be launched in a few days, but more and more experts are advising against using it in its current state.


According to many experts, the electronic patient file pushed through by Health Minister Karl Lauterbach should remain empty for the time being.



Shortly before the launch of the electronic patient file, criticism is getting louder. Tabea Rößner, Chair of the Bundestag's Digital Committee, is now also issuing a warning. Although the electronic patient file "could have many advantages, such as improving the treatment of people or even saving lives if, for example, all the data is available in an emergency situation", health data is particularly sensitive information, according to Rößner. It is essential to prevent this information from being misused as a result of data leaks.

At the 38th Chaos Communication Congress, security researchers pointed out serious shortcomings. "The technical architecture of the ePA reflects the complicated healthcare system in Germany. However, it must be prevented that the different access paths are exploited for attacks. In addition to technical improvements, this also requires further training for medical staff, who must be trained in IT security issues in order to prevent attack vectors," Rößner demands. She described it as "negligent" to launch the ePA before closing the security gaps.

"Further improvements are possible; as digital politicians, we had already called for this in the parliamentary process." Rößner could only recommend the ePA once "patients' sovereignty over their data is secured". She therefore advises citizens to object for the time being. The head of the German Medical Association, Klaus Reinhardt, had previously expressed a similar opinion. He could not recommend the ePA with its current weaknesses.


The Professional Association of German Psychologists (BDP) is also calling for security loopholes to be rectified and for a "transparent information policy for those with statutory health insurance". In the past, the association has repeatedly pointed out data protection problems, "particularly in the area of highly sensitive data such as psychotherapeutic findings or discharge letters from psychiatric and psychosomatic clinics, as well as problems with information policy, education and user-friendliness".

Proponents keep stressing that such attacks are punishable. "Unfortunately, fines or prison sentences are of no use to patients with statutory health insurance if their highly sensitive health data, for example from psychiatric-psychotherapeutic treatments, has been made available through illegal data access," explains BDP Vice President Susanne Berwanger.

"Fraunhofer SIT writes in a security report that 'after consultation with Gematik, it was determined that attacks by government organizations are not relevant'. Gematik's statement on the 38C3 presentation stated that accessing ePA data is illegal and therefore punishable and not permitted. Anyone who does not consider access to data by secret services and other organized criminals or unauthorized institutions has a structural deficit and endangers us all in times of hybrid threats," explains Manuel Atug, spokesperson for the KRITIS working group. At the same time, Lauterbach says that Meta, Google and OpenAI are very interested in the files. "He repeatedly emphasizes that patient data should primarily be made available for research, but tech companies like Meta and Google don't make their money from medical research."

The BDP has been calling for transparency with regard to data protection risks for years and agrees with the demands of security researchers Bianca Kastl and Martin Tschirsich for an "independent and reliable assessment of security risks". The association is also calling for fine-grained authorization management, which was abolished with the new ePA. "The concerns of patient organizations must also be taken seriously during further development," says Manuel Hofmann from Deutsche Aidshilfe. He is therefore also calling for easier "control of the visibility of medical information in the ePA. In the meantime, we support patients in making well-informed decisions for themselves." The BDP is currently examining "which recommendations in connection with electronic health record objection rights are ethically sensible and legally justifiable for association members", according to the association.

"Politicians should understand that we are talking about digital infrastructure with the ePA. Digital infrastructure must be considered more carefully and in the long term than flagship projects, individual projects or time periods limited to legislative periods," digital politician Sabine Grützmacher told heise online at 38C3. "Binding and future-proof standards" are therefore important for the development of such an architecture. "In my opinion, the BMG has ensured that the valuable technical contributions of the BSI and the BfDI to this architecture do not have to be taken into account. In particular, the technically independent contributions of civil society, which warned us of the problems in the ePA in good time, should also be taken into account in future," says Grützmacher.

Grützmacher considers "decentralized storage and patient-specific encryption of health data, which has been abolished for access to health data by researchers" to be necessary and without alternative. "We cannot afford to prosecute people who tell us that the door lock or other important security measures have been forgotten in architectures such as the ePA. A reform of the hacking paragraph is therefore just as necessary," explained Grützmacher.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.