Electronic patient file: No health digitization without trust

Health data should be available for research. At the same time, a high level of data protection is essential to ensure patient trust.

By Prof. Dennis-Kenji Kipker

Since the coronavirus crisis at the latest, it has become clear that Germany needs a new legal framework in order to use health data for scientific research. At the time, the lack of sufficient provisions in national infection protection law meant that data from abroad was often used to assess the pandemic situation, which made reliable assessments on the ground difficult. The problems in the healthcare system can, however, also be seen in many other areas: the use of cancer registry data, laboratory and care data, overly complex social legislation and, above all, the handling of secondary data use.

It is therefore not entirely without justification that scientists have repeatedly criticized the fact that medical research projects could not be carried out even though they would have been technically feasible. Nevertheless, we must take into account that health data is highly sensitive and therefore calls for particularly strict data security and data protection requirements. The German healthcare system is currently undergoing a significant transformation as a result of various legal changes. But what is needed to drive the digitalization of healthcare in Germany forward in the long term?

In order to address the previous lack of standardized data structures in the healthcare sector, the German legislator has created a new national legal framework for the use of healthcare data for public-welfare-oriented research and for the "data-based further development of the healthcare system" with the Health Data Usage Act (Gesundheitsdatennutzungsgesetz, GDNG), which came into force at the end of March 2024. The GDNG is supplemented by the Digital Act (DigiG), which aims to accelerate the digitalization of the healthcare system and, among other things, introduces an opt-out model for the electronic patient file (ePA): the insured person is provided with an ePA by their health insurance company unless they object. This is intended to speed up the digitization of the healthcare system and roll it out across the board, also on the assumption that the ePA would otherwise not establish itself in Germany. The health insurance companies are currently sending their policyholders letters that govern the opt-out.

Now that more digitalization and networking is mandated by law, the challenges are also growing significantly, because it is not only a matter of processing a large amount of particularly sensitive data, but also of the possibility of linking it with pseudonymized data from the Health Research Data Center (Forschungsdatenzentrum Gesundheit, FDZ Gesundheit). As is so often the case, centralized data storage poses significantly greater risks to data security, and the FDZ Gesundheit already holds the billing data of everyone with statutory health insurance in Germany.

With the ePA, pseudonymized health data will in future also be transmitted to the FDZ Gesundheit. The legal and technical requirements for pseudonymous and anonymous data processing have long been discussed in health data research. The fact remains, however, that the de-anonymization of personal data cannot be technically ruled out, and processing merely pseudonymized data therefore poses significantly greater data protection risks if that data is bundled even more in the FDZ Gesundheit in the future. In addition, the practical implementation of secondary data use in the future European Health Data Space (EHDS), which is not only about supporting research but also about policy-making and regulation, is still largely undefined.

The vulnerability of the healthcare sector continues to be demonstrated all too clearly by the cyberattacks that now seem to occur non-stop, such as the recent attack on the servers of Johannesstift Diakonie in Berlin. It is therefore understandable that patient representatives criticize the opt-out model for the ePA: on the one hand because it turns the principle of informational self-determination on its head, but also because an objection to the use of health data cannot be stated in fine-grained enough terms, for example limited to individual research projects. Time and again, concerns about the misuse of health data have proven justified. In 2024, for example, the British National Health Service (NHS) suffered a massive data breach involving millions of patient records as a result of a cyberattack.

But even in Germany, the telematics infrastructure (TI) has by no means been as cyber-secure in the past as one would have liked. The Chaos Computer Club (CCC), for example, found security gaps in the TI as early as 2019 and has also criticized the ePA in the past because the storage locations of patient data are not sufficiently secured. Last but not least, cybersecurity in doctors' practices has been a recurring problem in recent years. This was recently demonstrated by a case in which IT systems containing the health data of over 100,000 patients were apparently deliberately stolen from medical practices in Hamburg. Although the German healthcare system has so far been spared an incident like the one in the UK, this is no guarantee for the future: at the very least, the interest of attackers increases the more data is stored centrally and the broader the technical access options become.

In order to meet these challenges, Gematik has now published binding ePA specifications for the operation of the file system, which also cover data protection and data security and are updated regularly. Fraunhofer SIT also recently published a test report on Gematik's security concept, which analyzes the various attack vectors and perpetrator profiles.

These include internal perpetrators and external perpetrators, the latter comprising APT groups and cyber criminals but also hacktivists "hacking for fame". The operators of the services could also be considered internal perpetrators. Although the report concludes that the ePA already offers protection against numerous cyber threats, it also shows that several vulnerabilities remain, 21 in total, four of which are even rated as high severity. These high-severity findings concern the backup of master keys, attacks on availability by internal perpetrators, ensuring secure development processes, and the assessment of vulnerabilities.

A clear recommendation for action is given for the last of these: not only should the time taken to analyze reported vulnerabilities be reduced in future, but an emergency service must also be set up to process vulnerability reports. This makes sense, as the EU Cyber Resilience Act (CRA) adopted in October 2024 also contains clear requirements for a reporting system and for secure development processes. For the ePA, it is therefore not only the risks to data security that need to be considered in this context, but also the risks to availability, as critical healthcare infrastructure must not be paralyzed by DDoS attacks.

If we now want to digitalize the German healthcare sector further, we must also take appropriate account of the new risks this creates, because we cannot afford a British-style loss of patient trust, and there can be no secure and sustainable digitalization in fast forward. The GDNG and DigiG already address several of these challenges, including through new IT security requirements for statutory health insurance physicians, hospitals and the statutory health insurance funds themselves.

Furthermore, researchers with extended data access rights are not only privileged but are also subject to new confidentiality obligations whose breach is a criminal offense. In addition, some of the previously criticized provisions have now been made in favor of patients, such as the regeneration of key pairs, since insured persons regularly lose or misplace their electronic health card (eGK), although alternative technical solutions could certainly be debated here as well.

The GDNG and DigiG expand the possibilities for health data processing, but inevitably the risks as well. The new legal regulations therefore address data security and data protection in various places, sometimes more and sometimes less specifically. The fact remains, however, that any legal regulation is ultimately only as good as its implementation. If we want to catch up on the digitalization of healthcare, which has been criticized as lagging in this country, we must do so to at least the same extent in data security and data protection, because nobody wants a digital healthcare system that is built up all too quickly and later ends in a data security debacle. This will certainly be a challenge in the coming years, but not an impossibility if science, civil society and the state pull together and jointly develop viable solutions for sustainable healthcare digitization in Germany.

Note: Prof. Dr. Dennis-Kenji Kipker is Professor of IT Security Law and Chairman of Gematik's Digital Advisory Board.

(mho)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.