E-patient file: Civil society writes open letter to health minister

Following the discovery of significant security gaps in the electronic patient file, civil society players write a letter to Karl Lauterbach.

(Image: woman holding a smartphone from which symbols such as a white cross emerge; FOTO Eak/Shutterstock.com)


After Bianca Kastl and Martin Tschirsich demonstrated at the 38th Chaos Communication Congress significant security gaps in the electronic patient file (ePA) that allowed full access to the files of all 70 million people with statutory health insurance, concerns about the launch of ePA 3.0 are growing. Civil society stakeholders have therefore written an open letter to Health Minister Karl Lauterbach in which they demand, among other things, to be allowed to participate in the development process of the ePA. They also express “considerable concerns currently [...]” regarding the ePA launch.

“Rolling out the ePA in its current state is the wrong decision given its worrying security issues. Because the claim that the ePA is secure is not true. The fact that Federal Health Minister Karl Lauterbach is untruthfully and brazenly claiming this denies the proven and demonstrable weaknesses,” says Calvin Baus, spokesperson for the Chaos Computer Club (CCC).

According to the authors, major weaknesses “in the environment of the ePA” remain “unresolved, such as processes for issuing health cards. All justified concerns must be credibly and verifiably resolved before the nationwide launch of the ePA. Closing the security gaps that have now been identified is a fundamental prerequisite for this, but is not sufficient on its own,” the letter continues. The provision of a test instance and the test phase are welcomed. It is important, the authors write, to identify gaps before the launch and not, “as with similar projects in the past”, only during live operation.

For the “long-term success” of the ePA, civil society stakeholders are calling for the implementation of five measures. These include ensuring that the launch in the model regions only takes place subject to additional security measures, which must be communicated transparently. Another demand is the honest communication of the risks posed by the ePA – as security gaps can never be 100 percent ruled out.

“The architecture of the ePA must consider the reality that medical practices have neither sufficient budgets nor the necessary expertise to guarantee IT security at a high level. Patient-specific end-to-end encryption, on the other hand, would make it possible to give less weight to the security level of medical practices and service providers in the risk assessment,” says the KRITIS working group, which is also one of the co-signatories.


Another requested measure is to take criticism from various organizations seriously, such as criticism of the change in authorization management. Under the changed model, insured individuals can no longer restrict individual documents to certain doctors or institutions. According to Thomas Moormann, Head of the Health and Care Team at the Federation of German Consumer Organizations, who also signed the open letter, it is “imperative” that the ePA allows patients to decide for themselves which doctors can view which diagnoses and treatment measures.

In addition to an “open process of further development” and the “greatest possible benefit for insured persons”, the authors call for a “genuine right to have a say” and not just for “individual organizations in the Gematik committees”. In addition, the ePA should only be introduced nationwide once all parties involved have given the tests a positive assessment. Experts from science and digital civil society should also be able to carry out a “reliable assessment of security risks”, for example by “publishing all source code, providing a test environment and communicating updates transparently”, as stated in the letter. It is also important that the work of security researchers is legally safeguarded, and independent security audits must be carried out.

“Only a secure ePA that focuses on the concrete added value for patients will really benefit everyone. At the same time, some questions about the ePA are difficult to solve: For example, while a complete medication overview could improve treatment, this very list reveals sensitive information that patients do not want to share with all doctors. Think of HIV medication or psychotropic drugs. This example shows that to establish good solutions in the long term, different perspectives and interests must be reconciled. To do this, however, offers of discussion must also be accepted,” explains Manuel Hofmann, Digitalization Officer at Deutsche Aidshilfe.

Other co-signatories of the open letter include the medical association MEDI Baden-Württemberg, the Björn Steiger Foundation, the Alliance for Data Protection and Confidentiality, the CCC, D64 – Center for Digital Progress, Deutsche Aidshilfe, the Innovationsverbund Öffentliche Gesundheit (InÖG) and the SUPERRR Lab.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.