Electronic patient file: Insured persons too little informed about risks

The electronic patient record (ePA) for around 70 million people with statutory health insurance is drawing criticism: it is said to be insecure, and patients know little about it.

According to Health Minister Karl Lauterbach, the electronic patient file should enable telemedicine.

(Image: greenbutterfly/Shutterstock.com)


With the nationwide launch of the new electronic patient record (ePA), criticism of it is growing as well. Besides IT security, the communication surrounding the ePA is under scrutiny: so far, only a small share of the population is adequately informed. Yet the ePA is actually meant to "empower" patients.

That, however, is not possible without information and transparency. The nationwide rollout and the communication surrounding the ePA have been sharply criticized from several directions. "The nationwide launch of the ePA is premature because the technical security gaps have not been credibly and verifiably eliminated," Manuel Hofmann from Deutsche Aidshilfe told heise online. In addition, the launch is not transparent, as patients cannot know "whether the respective practice can already access the ePA". This makes good information all the more important.

The German Federation of Consumer Organizations (vzbv) has also criticized the inadequate information on offer. "Patients must be able to make an informed decision for or against the ePA. In our view, there has been too little information provided so far, particularly about the potential risks of the ePA. A low objection rate for the ePA is not a clear sign of broad approval; it can also be an expression of a lack of information and education. We expect the Ministry of Health and the health insurance companies to do more here," says Lucas Auer, health expert at vzbv.


Originally, the ePA was to be rolled out in February and become mandatory for doctors after a four-week test phase. Because of various shortcomings, this caused a great deal of resentment among doctors, so there is now a "soft launch", as those involved now call it. Doctors are to be obliged to use the ePA from October, with sanctions from 2026.

“In terms of company organization, however, the 'de-obligation' will not make the challenge any less. Rather, the new ambiguities in the practice-specific decision as to when, and whether at all, to deal with the ePA will pose new communication and organizational challenges for the management of medical care centers and practices,” can be read on the website of the Federal Association of Medical Care Centres. In addition, those responsible in practices and MVZs would have to sort through the excess of detailed information.

Dr. Silke Lüder of the Freie Ärzteschaft physicians' association also voices harsh criticism: "We call on those responsible to stop this nonsensical billion-euro project – to at least protect citizens through proper risk information and to guarantee genuine voluntariness (opt-in model) for patients and doctors". Because of the complex technical processes involved, patients can exercise real control over their data only with difficulty.

Before the launch of the ePA, the German Health IT Association also stated that many practices had not yet created the conditions for the ePA. "We need clear responsibilities, uniform standards and greater involvement of expertise from the digital industry. The ePA must be easy to use, barrier-free and compatible with all systems – isolated solutions must not remain an obstacle," says Bitkom CEO Dr. Bernhard Rohleder on the occasion of the ePA launch.

To increase the security of the ePA, the number of file accesses an institution can perform is to be limited to a plausible level in the future. At least from the operators' standpoint, this rules out the large-scale attack scenario on the ePA. "The only thing that has been made more difficult is mass access to health data, and that too with measures that are not really suitable," said Linus Neumann from the Chaos Computer Club recently on ZDF television. Moreover, targeted access to an individual's data remains possible without the electronic health card being inserted into the card terminal at the practice. According to Gematik, however, knowledge of the card number alone is no longer sufficient; the health insurance number and other details are also required, for example. "The combination of these measures prevents possible attack scenarios. The package of measures offers effective protection against a possible attack on numerous patient files," promises Gematik.

During the test phase, Gematik had placed the participating practices in the pilot regions on an allowlist, a positive list for the so-called institution cards. That list has since been removed. In addition, many practices are not sufficiently aware of IT security. The National Association of Statutory Health Insurance Dentists (KZBV) provides tips on what practices can do to improve their IT security (PDF). According to Gematik and its shareholders, they are also working to raise awareness. "There are also additional measures in place to prevent the further use of stolen or sold practice ID cards," says Gematik.
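The three mechanisms discussed in the two paragraphs above (requiring more than the card number to open a file, capping each institution at a plausible number of file accesses, and the pilot-phase allowlist of institution cards) can be modelled in a few lines. The following is an added illustration written for this article, not Gematik's code and not the real telematics-infrastructure interfaces: the identifier tuple (card number, health insurance number, birth date), the limit of 50 distinct files per institution and day, the patient population and the log are all constructed assumptions. It also shows the point Linus Neumann makes: the limit stops bulk enumeration from one stolen practice card, but a single targeted request with the right identifiers still goes through, with no card inserted anywhere.

```python
"""Toy model of the ePA access controls described in the article.

Added example, not Gematik's implementation. It models, in simplified form:
  * opening a file requires matching identifiers beyond the card number
    (an assumed tuple: card number, health insurance number, birth date);
  * each institution card may open only a plausible number of distinct
    files per day (assumed limit MAX_OPENS_PER_DAY);
  * an optional allowlist of institution cards, as used in the pilot phase.
All identifiers, limits and the access log are constructed for the example.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Patient:
    card_number: str       # number printed on the electronic health card
    insurance_number: str  # health insurance number (KVNR), assumed format
    birth_date: str        # assumed additional identifier


# Constructed sample population: 120 insured persons with sequential numbers
# (sequential card numbers are what makes enumeration attractive to an attacker).
PATIENTS = {
    f"8027{i:06d}": Patient(f"8027{i:06d}", f"A{100000000 + i}", f"19{50 + i % 50:02d}-01-01")
    for i in range(120)
}
MAX_OPENS_PER_DAY = 50  # assumed plausibility limit per institution and day


@dataclass
class Gateway:
    allowlist: Optional[set] = None  # None = no allowlist (post-pilot behaviour)
    opened: dict = field(default_factory=lambda: defaultdict(set))
    log: list = field(default_factory=list)

    def open_file(self, institution: str, day: str, card_number: str,
                  insurance_number: Optional[str] = None,
                  birth_date: Optional[str] = None) -> str:
        """Return 'granted' or a 'denied: ...' reason, and record the attempt."""
        outcome = self._decide(institution, day, card_number, insurance_number, birth_date)
        self.log.append((day, institution, card_number, outcome))
        return outcome

    def _decide(self, institution, day, card_number, insurance_number, birth_date):
        if self.allowlist is not None and institution not in self.allowlist:
            return "denied: institution not on allowlist"
        p = PATIENTS.get(card_number)
        # The card number alone no longer selects a file; every identifier must match.
        if p is None or insurance_number != p.insurance_number or birth_date != p.birth_date:
            return "denied: identifiers do not match"
        seen = self.opened[(institution, day)]
        if card_number not in seen and len(seen) >= MAX_OPENS_PER_DAY:
            return "denied: plausibility limit reached"
        seen.add(card_number)
        return "granted"


def suspicious_institutions(gw: Gateway, min_denials: int = 10) -> list:
    """Detection view over the log: institutions with many denials (bulk-access signal)."""
    denials = defaultdict(int)
    for _day, institution, _card, outcome in gw.log:
        if outcome.startswith("denied"):
            denials[institution] += 1
    return sorted(inst for inst, n in denials.items() if n >= min_denials)


def simulate() -> dict:
    gw = Gateway()
    victim = PATIENTS["8027000007"]
    # 1) Card number alone, as in the original attack scenario: now refused.
    card_only = gw.open_file("practice-A", "2025-04-29", victim.card_number)
    # 2) Targeted access with all identifiers and no card inserted: still granted.
    targeted = gw.open_file("practice-A", "2025-04-29", victim.card_number,
                            victim.insurance_number, victim.birth_date)
    # 3) Bulk access across the whole population from one stolen institution card.
    results = [gw.open_file("stolen-practice-card", "2025-04-29", p.card_number,
                            p.insurance_number, p.birth_date) for p in PATIENTS.values()]
    return {
        "card_only": card_only,
        "targeted": targeted,
        "bulk_granted": results.count("granted"),
        "bulk_denied": len(results) - results.count("granted"),
        "flagged": suspicious_institutions(gw),
    }


if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` grants the first 50 bulk requests and denies the remaining 70, flags the stolen card in the log, and grants the single targeted request unchanged. Whether 50 files a day is "plausible" for a practice is exactly the kind of threshold the article's critics doubt; note also that the check only counts distinct files, so the attacker still walks away with up to the limit per stolen card.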

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.