Health data highway: many practices could soon be left behind
The phase-out of 2048-bit RSA certificates in SmartCards for 35,000 connectors looms. Health insurance physicians have been warning about this since 2024.
At the end of the year, RSA keys with a length of 2048 bits will no longer be used. This has been stipulated by the Federal Network Agency and the Federal Office for Information Security (BSI) also recommends that they should no longer be used. According to the National Association of Statutory Health Insurance Physicians (KBV), however, this could mean that numerous practices will no longer be connected to the telematics infrastructure (TI) – the "data highway of the healthcare system".
"Secure TI operation top priority"
Gematik intends to stick to the new key lengths. When asked by heise online, Gematik stated: "Secure TI operation is Gematik's top priority. The replacement of the RSA2048 encryption algorithms by ECC256 by the end of 2025 is a key measure to ensure that TI components and services continue to meet the highest security standards in the future".
Gematik's security guidelines are based on the "specifications of the highest security authorities and internationally recognized standards. [...] The currently planned schedule is based on the recommendations of the BSI and specifications of the Federal Network Agency (BNetzA) for the qualified electronic signature (QES) to no longer use RSA<3000 bit after December 31, 2025. The QES falls within the regulatory competence of the BNetzA," says a spokesperson.
Gematik is taking the KBV's concerns about the ambitious timetable "very seriously", but the change is nevertheless important. "Everyone involved is working at full speed to push ahead with the migration from RSA to ECC as quickly as possible and to make the transition as smooth as possible".
35,000 connectors affected
According to information from the National Association of Statutory Health Insurance Physicians (KBV), 35,000 connectors are affected by the replacement, which "are only RSA-capable and have received an extension in 2023", the letter states. However, more than three years ago, hackers from the Chaos Computer Club (CCC) showed that a lifetime extension could also have been implemented on the software side, but only a few providers offered this to their customers. ECC keys are also supported by the SmartCards installed in the connectors.
In addition, around 100,000 electronic health professional cards (eHBA), 30,000 practice ID cards (SMC-B) and 160,000 device-specific cards for the card terminals in doctors' surgeries and associated software components are also affected. The majority of the affected components are located in doctors' surgeries.
However, the KBV warns that without a timely replacement, central TI applications such as e-prescription, eAU and eArztbrief could fail, with significant consequences for patient care. In an emergency, paper would have to be used again.
The KBV also criticizes the fact that, despite repeated warnings, neither all technical specifications nor a comprehensive migration plan from Gematik are yet available. Considering the complexity and quantity of the components involved, the KBV believes that implementation by the end of 2025 is "no longer feasible". The KBV is therefore calling for an extension of the use of 2048-bit RSA keys in the healthcare sector to enable a smooth and secure transition to ECC (Elliptic Curve Cryptography). In other countries such as France, an extension of 2048-bit keys has already been decided.
CCC: "TI security updates cannot be implemented in the short term"
The CCC spokesperson says: "The KBV is the bearer of an inconvenient truth. Although software and hardware-based migration paths exist and although the end for RSA 2048 in the TI was foreseeable for a long time and has been postponed, there is an expected lack of implementation. On the one hand, this shows that security updates to the TI cannot be implemented in the short term and, on the other, it casts doubt on the practical feasibility of other major digitization projects in the healthcare sector."
(mack)