ePA shortcomings: Federal Data Protection Commissioner reclaims veto right

Following an unauthorized objection to the "ePA for all", the BfDI is investigating the incident and reclaiming the former right of veto for itself and the BSI.

Last week, it became known that an unauthorized person had managed to file an objection to the electronic patient file of a stranger with the Barmer health insurance company. The Federal Commissioner for Data Protection and Freedom of Information (BfDI), Louisa Specht-Riemenschneider, is currently investigating the case. The BfDI blames the change in the law, according to which the Federal Office for Information Security (BSI) and the BfDI were deprived of their right of veto, as one reason for such incidents.

"The BfDI should be involved as early as possible in the examination of data processing procedures in the ePA. It would make sense if the law once again stipulated that the BfDI and BSI had to agree on the specific requirements of the ePA," says the BfDI spokesperson. Although the BSI and the BfDI were involved in the plans for the ePA, they now only have to be consulted and can no longer block a design on the basis of their concerns.

The BfDI had already emphasized at the end of April that it was not an approval authority and that the ePA would have to be examined during ongoing operations. In this context, it also referred to the security gaps in the ePA. With the law to accelerate the digitalization of the healthcare system, the BfDI and BSI lost the right of veto. The veto right was abolished in particular in the context of the introduction and design of the electronic patient file and the e-prescription. The former BfDI, Ulrich Kelber, had made use of his veto right several times until vulnerabilities were remedied.

Barmer Krankenkasse should actually have "ensured the identity and authorization of the person making the declaration". "Ensuring the identity and authorization of the declaring person is a prerequisite so that subsequent data processing (in this example: the deletion of the electronic health record) can be carried out correctly and lawfully. The authentication of the person making the declaration is the responsibility of the respective health insurance company under data protection law," says the BfDI spokesperson.

According to Barmer, it is not possible to object to the ePA of a third party without assistance or consent. "The filing of an unjustified objection or unjustified request for deletion has not been recorded to date," Barmer said when asked. The case mentioned by the Handelsblatt is therefore "an access initiated with the help of the authorized persons themselves". In addition, revocations "since the nationwide rollout on April 29, 2025 [...] have been subject to a 28-day deadline" if insured persons have not previously proven their identity beyond doubt. Insured persons should be able to prove their identity in the branch by showing their ID card, for example, or by using their health ID to object in the Barmer eCare app. It is still unclear why Barmer has linked the introduction of the 28-day period to the regular operation of the ePA.

In the third week of April, a whistleblower working as a service provider for the health insurance companies succeeded in lodging an objection to a third-party electronic patient file. Among other things, he had only entered the name of the insured person in a Barmer objection form and signed it. It was not necessary to enter the insured person's number. This has changed in the meantime, and it is now necessary to enter the policyholder number.

Security experts from Fraunhofer SIT had already warned in advance of a large number of attack vectors for "unauthorized objection submission". One of the criticisms was that there were no "minimum security requirements" or "security checks" for either the procedure for submitting objections or the procedure for withdrawing them. An objection to the patient file should lead to its immediate deletion.

"Attackers could misuse the objections to delete patient files in a targeted manner," the report states. Gematik "explicitly points out that the process is not part of the specification." They therefore recommend defining a process for payers "on how an objection can be lodged. In this way, minimum security requirements are taken into account and a standardized process is established."
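The intake weakness the article describes (a form that accepted a name and signature only) next to the check Barmer now applies (insured number required, 28-day hold unless identity has been proven), as an added illustration that is not Barmer's or gematik's code; the registry, names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

HOLD_DAYS = 28  # cooling-off period Barmer cites for unverified declarants


class IdentityProof(Enum):
    NONE = "none"                  # name and signature only
    ID_CARD_IN_BRANCH = "id_card"  # ID card shown at a branch
    HEALTH_ID_APP = "health_id"    # health ID used in the insurer's app


@dataclass
class ObjectionRequest:
    name: str
    insured_number: Optional[str]
    proof: IdentityProof
    received: date


@dataclass
class Decision:
    accepted: bool
    reason: str
    earliest_deletion: Optional[date] = None


# Constructed sample registry: insured number -> name on file.
REGISTRY = {"A123456789": "Erika Mustermann"}
RECEIVED = date(2025, 4, 15)  # constructed date in the third week of April


def weak_intake(req: ObjectionRequest) -> Decision:
    """Form as originally described: a name is enough and deletion is immediate."""
    return Decision(True, "name accepted", req.received)


def hardened_intake(req: ObjectionRequest, registry=REGISTRY) -> Decision:
    """Require the insured number, match it to the record, and hold deletion
    for HOLD_DAYS unless the declarant proved their identity."""
    if not req.insured_number:
        return Decision(False, "insured number missing")
    on_file = registry.get(req.insured_number.strip().upper())
    if on_file is None or on_file.casefold() != req.name.strip().casefold():
        return Decision(False, "name does not match insured number")
    if req.proof is IdentityProof.NONE:
        return Decision(True, "unverified: deletion held",
                        req.received + timedelta(days=HOLD_DAYS))
    return Decision(True, "identity verified", req.received)
```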

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.