ePA security: BSI had warned of risk

Now that the CCC has again revealed security gaps in the electronic patient record (ePA), the BSI has also made a statement.


(Image: PopTika / Shutterstock.com)


In response to the security gaps discovered and reported by the Chaos Computer Club just one day after the launch of the electronic patient record (ePA), the German Federal Office for Information Security (BSI) has given the all-clear in reply to a query from heise online. Unlike the attack made public at the Chaos Communication Congress in December, the current case did not directly involve mass access to electronic patient files. Instead, a more targeted attack was needed, in which the digital retrievability of the electronic replacement certificate (eEB) could be used by practices to obtain all the data that would then have been necessary to access individual patient files. The security researchers from the CCC environment had also informed CERT-Bund, which is based at the BSI, about the vulnerability on Tuesday evening. As a result, the operator switched off the eEB module yesterday for the time being.

In its assessment of the scenario that became known yesterday, the BSI therefore assumes "high technical hurdles". In particular, the need for hardware from the healthcare system and valid proof of identity is a hurdle that also entails a risk of detection. However, the following also applies: "Whether the additional patient information required for the attack scenario is structurally adequately protected is beyond the remit of the BSI," a spokesperson for the Bonn-based authority said in response to an inquiry. The IT security authority also points out: "The BSI had pointed out an existing residual risk of targeted attacks on the ePA through such a potential scenario and informed its stakeholders about this before the nationwide ePA rollout."

The BSI thus clearly sees the responsibility as lying with the operators of the electronic patient record infrastructure: "The nationwide rollout of the ePA is being closely monitored by our security teams together with the BSI," the managing director of Gematik, whose main shareholder is the federal government, explained yesterday. The Federal Office for Information Security is involved in the creation of the technical guidelines in accordance with the relevant regulations of the German Social Security Code V. The BSI does not have to approve ePA security.


Contrary to what might be assumed, however, this only provides for "consultation" with the BSI. A formulation of "agreement", by contrast, would legally entail genuine testing or approval obligations. The BSI would then also be able to prohibit the operator from running the system or to tighten requirements on its own authority. However, given the strong political will to finally launch the ePA after 20 years of discussion, despite possible reservations, such powers for the data protection authorities or the BSI were ruled out.

As a result of the structural security gap made public in December, the BSI was requested by the Federal Ministry of Health to carry out a so-called security assessment. This will continue to be updated by the IT security specialists from Bonn, according to the BSI. However, these assessments are not mandatory for Gematik to implement. "The security assessment shows that if all mitigation measures are fully implemented, the electronic patient record can be operated in an appropriately secure manner", the BSI spokesperson explains. However, Gematik remains responsible for implementation as the operator of the infrastructure and creator of the technical specifications.

(nie)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.