Electronic patient record comes nationwide from April 29
The Federal Ministry of Health considers the security problems that had been demonstrated to be resolved. The objection rate remains at around five percent.
The electronic patient file, which has been under development for years, should save a lot of paperwork.
(Image: Billion Photos/Shutterstock.com)
In two weeks' time, things will get serious with the electronic patient record (elektronische Patientenakte, ePA): After a test phase lasting several months in model regions, the nationwide roll-out is set to begin on April 29. On Tuesday evening, the Federal Ministry of Health (BMG) sent a letter to Gematik, which is responsible for implementation, requesting that the ePA be made available nationwide from the deadline.
Those responsible hope that the ePA will significantly improve healthcare for the almost 75 million people with statutory health insurance. "After more than twenty years, it is now time to enter the decisive phase," says the letter from outgoing Federal Minister of Health Karl Lauterbach (SPD).
Anyone who does not want the ePA for themselves or co-insured individuals such as children must object to this with their health insurance provider. This can be done informally, but should be clearly formulated. Partial objections are also possible, for example to the forwarding of pseudonymized data for research purposes by third parties such as pharmaceutical research. So far, around one in 20 people with statutory health insurance has made use of this "opt-out" option.
Ministry: security problems solved
"The security of the ePA is a top priority," Lauterbach's letter to Gematik continues. In coordination with the Federal Office for Information Security (BSI), further security measures have been implemented, which the letter describes as a prerequisite for nationwide use.
However, how secure the ePA actually is in terms of design and implementation was the subject of lengthy debate. Gematik, BSI and BMG had already emphasized last autumn that the system was secure. Embarrassingly for those involved: at that time, security researchers from the CCC had already identified several security vulnerabilities.
One of these could have enabled a large-scale attack on the ePA data, which led to hectic reworking by the operators and resulted in an extension of the test phase, which was originally only supposed to last until mid-February.
During this extended test phase, Gematik operated the ePA only with an allowlist, a positive list of approved institution cards. According to Gematik, "the encryption of the health insurance number (Krankenversichertennummer, KVNR) is also intended to prevent random ICCSNs from being tried out without knowledge of the corresponding KVNR".
Security issues remain
The number of authorizations for ePA access is also to be limited to a plausible number in future to prevent unauthorized access. From the operators' perspective, the large-scale attack scenario on the ePA has now been ruled out.
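To make the three mitigations described above concrete, here is a toy access gate written for this page as an added illustration; it is not Gematik's code and the real ePA protocol differs. It models an allowlist of institution-card serial numbers (ICCSN), the requirement that a request name a KVNR that actually belongs to a record (so knowing ICCSNs alone yields nothing), and a plausibility cap on how many distinct patients one card may be authorized for within a time window. The ICCSN and KVNR values, the cap of three patients and the one-hour window are constructed assumptions; the rejection counter is the kind of signal an operator would feed into monitoring.

```python
from collections import defaultdict, deque


class EpaAccessGate:
    """Toy access gate modelling the mitigations the article describes.

    - allowlist: approved institution-card serial numbers (ICCSN)
    - known_kvnr: health-insurance numbers that actually have a record;
      a request must name the KVNR, so ICCSNs alone cannot be enumerated
    - max_patients / window: plausibility cap on distinct patients a single
      card may be authorized for inside a sliding time window
    All values are constructed for illustration (assumptions, not ePA specifics).
    """

    def __init__(self, allowlist, known_kvnr, max_patients=3, window=3600):
        self.allowlist = set(allowlist)
        self.known_kvnr = set(known_kvnr)
        self.max_patients = max_patients
        self.window = window
        self._grants = defaultdict(deque)   # iccsn -> deque of (timestamp, kvnr)
        self.rejects = defaultdict(int)     # iccsn -> rejected attempts (detection signal)

    def _distinct_recent(self, iccsn, now):
        """Drop grants older than the window and return the distinct patients left."""
        q = self._grants[iccsn]
        while q and now - q[0][0] > self.window:
            q.popleft()
        return {kvnr for _, kvnr in q}

    def authorize(self, iccsn, kvnr, now):
        """Return 'granted' or a 'denied:<reason>' string."""
        if iccsn not in self.allowlist:
            self.rejects[iccsn] += 1
            return "denied:not_allowlisted"
        if kvnr not in self.known_kvnr:
            self.rejects[iccsn] += 1
            return "denied:unknown_kvnr"
        recent = self._distinct_recent(iccsn, now)
        if kvnr not in recent and len(recent) >= self.max_patients:
            self.rejects[iccsn] += 1
            return "denied:plausibility_limit"
        self._grants[iccsn].append((now, kvnr))
        return "granted"

    def suspicious_cards(self, threshold=5):
        """Cards with at least `threshold` rejections, for the operator's monitoring."""
        return sorted(c for c, n in self.rejects.items() if n >= threshold)


def demo():
    # Constructed sample data: one approved card, four existing records.
    gate = EpaAccessGate(
        allowlist={"ICCSN-PRAXIS-1"},
        known_kvnr={"A123456780", "B987654320", "C111111110", "D222222220"},
        max_patients=3,
        window=3600,
    )
    results = []
    # A card not on the allowlist gets nowhere, even with a valid KVNR.
    results.append(gate.authorize("ICCSN-UNKNOWN", "A123456780", now=0))
    # An approved card presenting KVNRs that match no record is refused and counted.
    for guess in ("X000000000", "X000000001", "X000000002", "X000000003", "X000000004"):
        results.append(gate.authorize("ICCSN-PRAXIS-1", guess, now=10))
    # Legitimate use of the approved card for three patients.
    results.append(gate.authorize("ICCSN-PRAXIS-1", "A123456780", now=20))
    results.append(gate.authorize("ICCSN-PRAXIS-1", "B987654320", now=30))
    results.append(gate.authorize("ICCSN-PRAXIS-1", "C111111110", now=40))
    # A fourth distinct patient inside the window exceeds the plausibility cap.
    results.append(gate.authorize("ICCSN-PRAXIS-1", "D222222220", now=50))
    # The same patient again is fine: no new distinct patient is added.
    results.append(gate.authorize("ICCSN-PRAXIS-1", "A123456780", now=60))
    # Once the window has passed, the cap resets.
    results.append(gate.authorize("ICCSN-PRAXIS-1", "D222222220", now=4000))
    return results, gate.suspicious_cards()


if __name__ == "__main__":
    outcomes, flagged = demo()
    for line in outcomes:
        print(line)
    print("flagged cards:", flagged)
```

Running `demo()` yields one allowlist rejection, five unknown-KVNR rejections, three grants, one plausibility-limit rejection, two further grants, and flags only the card that accumulated the rejections. The point of the counter is that the plausibility cap and the KVNR check not only block but also leave a trace per card, which is what lets an operator notice a card behaving implausibly rather than discovering it after the fact.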
However, it is unclear whether all gaps have actually been closed. Just a few days ago, CCC-affiliated security researchers criticized that there was still no technical check of access authorization: anyone who gains access to an ePA can read individual patient data.
In principle, the data is stored centrally by the health insurance companies for their respective policyholders. It remains to be seen whether the data there is actually sufficiently secure against actors such as foreign intelligence services: such attack scenarios have only recently been considered realistic by political decision-makers.
Mandatory for doctors and hospitals
According to the Ministry of Health, the ePA will now be used on a large scale in the coming months, and problems that have not yet surfaced are expected to come to light. From the end of April, findings from doctors' surgeries and hospitals are to be written into the file increasingly automatically from the practice and hospital administration systems, provided approval has been granted with the health card.
From October 1, filling in the electronic patient file is to be mandatory for service providers such as doctors and hospitals, and from the beginning of next year non-compliance will even be sanctioned: service providers treating SHI-insured patients who do not comply will face financial penalties. Whether this deadline can actually be met remains to be seen, given the experiences in the test regions.
The digital file will be managed by the health insurance funds. However, they will not be able to access its content. In principle, insured people can manage the content themselves in their health insurance company's ePA app. For example, doctor's letters, discharge bills, medication plans or findings can be deleted or hidden. Patients can also block individual parties such as doctors' practices or object to the storage of data in individual cases.
(vza)