Despite security concerns: "sanction-proven use" of the e-patient file is coming

The tests for electronic patient records, which are currently more of a burden, are to be expanded. The security situation is unclear.


By now, everyone with statutory health insurance who has not objected to it has an electronic patient file (ePA). Doctors throughout Germany will soon be able to use it; until now, this was only possible for doctors who had been authorized to do so. The BMG intends to publish a rollout plan for this. "We will roll out the electronic patient file in stages before 2025, from a nationwide test phase to mandatory use subject to sanctions," says the coalition agreement of the next federal government. However, the "traffic light" health minister Karl Lauterbach, who will probably be replaced by Tino Sorge, recently said that doctors will not have to fear any penalties for now if they are unable to fill in the ePA.

According to the National Association of Statutory Health Insurance Physicians (Kassenärztliche Bundesvereinigung), most practices already have the ePA module. However, according to representatives of the Westphalia-Lippe Association of Statutory Health Insurance Physicians (KVWL), there are still many individual errors in the implementation of the ePA. Tanja Galla, IT project manager at KVWL, explained this at a DMEA event entitled "The ePA in everyday healthcare – Successes, opportunities and experiences". Where the ePA works, it is described as intuitive, but also as cumbersome. According to Jakob Scholz, Head of IT at KVWL, the Allowlist, on which doctors in the test regions are listed for access to the ePA, will soon be switched off. In some cases, e-files could not be accessed or loading times were long. "The experience of the first use of the electronic patient file (ePA) in the course of testing in the three model regions has revealed numerous technical improvement needs, so that a nationwide mandatory introduction would currently be unjustifiable," according to a press release from the German Medical Association.

It will be interesting to see what happens when the systems surrounding the ePA are fully utilized. The ePA still poses a challenge for hospitals and medical care centers. According to Scholz, the focus should be on the usability of the ePA. So far, the ePA has been more of an obstacle and has caused delays in practice operations. Doctors see the medication list as a game changer, but under the current circumstances they are not actively working with it any further. According to Scholz, the further expansion of the ePA and the conversion from PDF documents to structured formats, for example for patient summaries or laboratory findings, must nevertheless continue to take place gradually. The panel doctors are therefore relieved that the test phase has been extended.

While the panel doctors welcome the gradual rollout announced by Lauterbach, the medical association Medi Geno has criticized Lauterbach's statements on the IT security of the ePA. "When Mr Lauterbach claims at the digital trade fair that the security problems identified by the CCC have been resolved, this is at least window-dressing – if not downright misleading," criticizes Medi Chairman Dr Norbert Smetak.


Together with the Federal Association of Psychosomatic Medicine and Medical Psychotherapy (BDMP), the Medi-Verband organized an event on the ePA, which was also attended by security researcher Martin Tschirsich. According to Tschirsich, none of the demands of the Chaos Computer Club have been "reflected" and the risks have been accepted by Gematik. "It is commendable that the situation of children and young people is being given special consideration with regard to data protection, but older young people and adults are just as affected by the risks, especially patients with particularly sensitive diagnoses. For them, too, depression or drug addiction can lead to stigmatization and disadvantages due to unprotected access to data," adds Christian Messer, Deputy Chairman of the Medi-Verband and specialist in psychosomatic medicine and psychotherapy.

"The security deficiencies of the electronic patient file demonstrated at 38C3 continue to exist. The updates announced so far are fundamentally unsuitable for compensating for the shortcomings in the security architecture that have been uncovered. The promised updates are merely an attempt to limit the damage caused by one of the many attacks we have demonstrated," Bianca Kastl and Martin Tschirsich told heise online. The two security researchers have been pointing out security gaps in the ePA for years. The security gaps would have enabled full access to the files of around 70 million people with statutory health insurance.

This means that electronic patient files can still be attacked with little effort. Tschirsich and Kastl are calling for "uncompromising clarification and transparency, which has not yet taken place".

In the past, they had already called for an independent and reliable assessment of security risks as well as transparent communication of security risks. They describe the statements on security made about the ePA to date as "hollow phrases that have too often proved to be insubstantial to inspire lasting confidence". A test report on the ePA from the Federal Office for Information Security has not yet been published.

At the beginning of the year, representatives of civil society wrote an open letter to Health Minister Karl Lauterbach. Among other things, they demanded more say, independent security audits and the consideration of criticism in the further development of the ePA. They also called for the publication of all source code, a test environment and transparent communication of updates. The open letter was signed by organizations such as the Björn Steiger Foundation and the CCC.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.