Electronic patient file: Federal government leaves many questions unanswered

The German government had to answer questions on electronic patient records, especially on their security. Much remains unanswered or vague.


The electronic patient file 3.0 (ePA) was originally due to be introduced nationwide in mid-February, but the new launch date in April does not appear to be feasible either. Although everyone with statutory health insurance has already received an ePA, it has hardly been tested to date. It is also unclear what the IT security of the ePA will look like. The Left Party MPs Kathrin Vogler, Anke Domscheit-Berg and Susanne Ferschl, among others, had submitted a parliamentary question (Kleine Anfrage) on this. The answers provided by the federal government are not very helpful; Gematik had already answered a small number of the questions.

Most of the 41 questions were answered vaguely or not at all, for example the question about changes to authorization management. The federal government also left unanswered which security risks remain despite the security measures implemented to date. An answer from Gematik does show that it is rather unlikely that doctors in the test regions will go to the trouble of mounting a mass attack. Nevertheless, it is possible that criminals will attempt to do so, as was demonstrated at the 38th Chaos Communication Congress.

At the same time, the German government claims that the infrastructure for the ePA is even quantum-proof, when asked about "the risk of an attack on the central structure": "The special measures to exclude potential internal perpetrators ("Confidential Computing", trusted execution environment – VAU) or the cryptographic measures already implemented to resist quantum computing attacks should be emphasized here".

When asked why the weaknesses, which have been known since August 2024, were not rectified immediately, Gematik recently replied that it had misjudged the risk. Although the Federal Office for Information Security (BSI) and the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Prof. Louisa Specht-Riemenschneider, had been directly involved, they only had to be consulted and were no longer allowed to veto the decision.

At the beginning of the year, the BfDI emphasized to heise online that it had informed both Gematik and the BMG "at an early stage of the high risk potential of the vulnerabilities and urgently recommended immediate measures to reduce the associated risks. The Federal Office for Information Security and the BfDI recommended a solution to Gematik that could mitigate the vulnerability," explained a BfDI spokesperson.

When asked whether the security gaps were due to implementation or architectural errors, the federal government replied that it was not due to the specifications and that the attack could only occur "if unauthorized access to the telematics infrastructure was obtained. This is punishable by law."

It also remains unclear how attacks by government actors are to be prevented. Although the Federal Office for Information Security and the Fraunhofer SIT consider the risk to be relevant, "it was determined in consultation with Gematik that attacks by government organizations are not relevant".

The German government's answer to the question about the risk posed by attacks from state actors is evasive and ambiguous. It explains that foreign state actors and their attack vectors are certainly taken into account in the security analyses, but that the attack resources of such actors were excluded from the formal assessment. This implies that the ePA infrastructure may not be resilient to sophisticated, resource-intensive attacks by state actors.

The reason for excluding these attack resources from the assessment is that a level of security would be required that would not be practicable with the standard software and hardware currently in use. Nevertheless, the German government emphasizes that great efforts are being made to counter threats from foreign state actors and refers to secure supply chains for issuing electronic identities, connectors and card readers. However, the question of whether the measures provided for by law are sufficient to ward off targeted attacks, particularly by state actors, remains unanswered.

In its answers, the German government regularly emphasizes that all personal data, including medical information, is subject to strict security measures. Gematik also intends to increase the security of the ePA through additional measures. These include the involvement of external experts and security researchers to identify potential weaknesses at an early stage. In this context, the German government also refers to the bug bounty program launched by Gematik in October 2022.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.