Electronic patient record: "E-Rezept-Enthusiasten" present position paper

Contents

The association of "E-Rezept-Enthusiasten" – which was founded in 2022 with members from IT, pharmacies, the medical profession and private individuals –, sees the electronic patient record (elektronische Patientenakte, ePA) as having the potential to significantly improve the coordination of care. Although over 70 million electronic files have already been created, only around 3.4 million insured individuals actively use the ePA.

The association sees major problems with the identification procedure, which prevents many patients from using it. Identification takes place via the ID card, PostIdent, "Video-Ident in a third-party application (recently possible), or identification via eGK + PIN", according to the position paper. These procedures are "technically demanding, inflexible, not adapted to the digital everyday life of the population, and dependent on further activities (such as applying for an eGK PIN)".

Identification via pharmacies, GPs and co. required

The enthusiasts therefore want simpler access options, initially via the GP, at the health authority, or in the pharmacy. A corresponding option to identify oneself in pharmacies has not been implemented "for various reasons". These options will later be replaced by a state-supported digital identity platform.

Anyone with an ID card PIN will be able to identify themselves quickly. In the future, it should be possible to reset the PIN online; according to the Federal Ministry of the Interior, a corresponding draft regulation is currently being prepared. The association is also calling for greater information and involvement of insured individuals. With improved authorization management, insured people should be able to control which doctor sees a document and for how long.

According to e-prescription enthusiasts, a consistent focus on patient centricity is key. Mandatory, automatic filling with relevant data, for example via prescriptions and medication lists, is crucial for this. The enthusiasts see particular potential in the new architecture of the ePA 3.x, which will enable data storage and secure data processing in the future. For example, AI-supported analyses, medication checks or intelligent summaries of findings could be created in the protected area of the telematics infrastructure – always with the consent of the insured person. Gematik is therefore calling for specification extensions for secure “processing services within the TEE (Trusted Execution Environment)”.

ePA must be more than a "digital filing cabinet"

"The ePA can, should and must be more than a digital filing cabinet. It must enable complex and computationally intensive AI-supported data evaluation and processing in a secure protected space in the trusted application environment," demands Christian Klose, board member of the e-prescription enthusiasts. The association is therefore also pushing for "the use of AI-based algorithms for pattern recognition, decision support and semantic summaries". According to Gematik, the ePA is already "AI-ready", but there still seem to be difficulties with implementation. A lot is planned for the future, as can be seen from a current roadmap.

"Chaos Computer Club points out deficits"

The enthusiasts see no acute need for improvement compared to other construction sites. "In any case, this is where we see the least need for improvement. [...] There is never perfect security, it has to be constantly reworked. [...] When in doubt, the Chaos Computer Club points out deficits [...]. Ultimately, it's always about bringing the technology up to the state of the threat situation. And from our perspective, this is an established process that no longer requires any effort," says Klose. However, this does not mean that it is secure. It is a continuous improvement process.

When asked about the current security of the ePA, Bianca Kastl, who was involved in both IT security reports at the ePA, replied: "The ePA still uses methods for authentication that do not comply with the recognized rules of technology. So to speak, security here is more a matter of luck".

It appears that data protection is being taken less and less seriously by some representatives of the healthcare industry. Christoph Straub, CEO of Barmer, recently described data protection as a major obstacle. For the BSI and the then Federal Commissioner for Data Protection and Freedom of Information, "the highest military security level is just sufficient". He hopes that the handling of health data will become less complicated.

(mack)