Expert opinion on electronic patient files: security concept put to the test
Gematik commissions a security report for the ePA and later declares critical points to be irrelevant or outside its regulatory jurisdiction.
Gematik has had its security concept for the electronic patient file (ePA, elektronische Patientenakte) reviewed by Fraunhofer SIT. It then announced as the result of the report: "The ePA for everyone is secure". A glance at the researchers' 93-page report raises doubts – about attacker typologies and vulnerabilities that could lead to security gaps and "document-based problem areas".
Testing the concept for formal security vulnerabilities
The researchers did not examine a running ePA system with all its components, but a complex paper tiger – "the documented architecture as well as the requirements for the implementation of the individual components". The aim was "to identify possible security gaps and any need for improvement".
The implementation of the ePA introduces new risks and challenges in terms of data security and protection, the researchers state, and list a total of 21 vulnerabilities in their security analysis, of which 4 are classified as high, 6 as medium and 11 as low. In addition, the researchers also point out "unclear or contradictory requirements or vulnerabilities that can be assumed to be merely deficiencies in the documentation".
From technical experts and financially motivated authorized users
In stage 1 of their "high-level check", the researchers first look at attacker types that "could potentially have an impact on the EPA system". The attackers are categorized according to external and internal perpetrators, their motives (power, destruction, fame, money, knowledge), means and possibilities for carrying out the crime. Finally, their relevance as attackers is assessed.
The report lists a total of 18 stereotypes of attackers. These include government organizations, hackers, cybercriminals, crackers, hacktivists, the manufacturers of the services, Gematik employees, manufacturers of the primary system, insured persons or their representatives, service providers, payers and the ombudsman offices of the health insurance funds.
Gematik employees are considered possible internal perpetrators whose aim would be financial gain or damage to their own employer: as their technical expertise is only in the middle of the field, and they only develop the concept for the TI (telematics infrastructure) and the ePA, their relevance as attackers is rated low.
The relevance of service providers as attackers is rated as medium: "The most likely motive for service providers is financial benefits. Service providers do not have any special skills." Due to their "extensive access authorizations" to files, service providers are "an interesting target for outsiders" who have more technical knowledge than they do.
Even if the service provider cannot be manipulated, bought or tempted by financial gain, the primary system they use could still be insecure and vulnerable. "An inadequately secured primary system is sufficient to cause a loss of data, even if the persons concerned were never actually treated by the service provider in question". The report points out that primary systems are "a central player in the interaction with the ePA" and that there are no mandatory security requirements for them. "The software quality is unknown and at the same time, service provider institutions (such as hospitals) are repeatedly the victims of cyberattacks".
Gematik has designed the security requirements to be employee-friendly, especially at weekends and on public holidays. Providers of telematics infrastructure services (including record systems) then have up to 72 hours to assess vulnerabilities. This time period also benefits criminals, who like to act when the risk of detection is lower. "Since countermeasures can only be implemented after the vulnerabilities have been assessed depending on their criticality, it could happen that a vulnerability with a CVSS rating of 9.0 or higher is only remedied after a delay of 72 hours."
"The data in your ePA is safe and secure", promises Gematik in its list of benefits of the electronic patient file. An internal or external perpetrator with the authorizations of an internal perpetrator or ransomware could delete production and backup data at the same time, the report warns. As there is no obligation for a backup in the form of an offline data backup, everything would then be lost. Apart from that, if there was a compromise, "the requirements for backup and recovery processes (...) are only superficially defined." There is a lack of "a clear process (...) when and by whom a restore is triggered".
The report also points to an overall "unclear relationship between BSI basic protection and gematik requirements". The question of what to do if Gematik requirements deviate from the BSI's basic protection recommendations needs to be clarified.
Not only the common cybercriminal is an external perpetrator. There are also government organizations that are "interested in collecting confidential information about citizens, attacking the infrastructure of other states or gaining intelligence information". In a brochure on the subject of HUMINT (Human Intelligence), the Federal Office for the Protection of the Constitution warns that foreign intelligence services are basically interested in recruiting anyone – "the decisive factor here is possible access to certain information." In order to "persuade" or coerce people to cooperate, previously "captured sensitive personal data" is also used.
The relevance of this type of attacker is rated as "high" by the Fraunhofer researchers in the report. However, "after consultation with Gematik, it was determined that attacks by government organizations are not relevant". What Gematik deems not relevant, despite the report's "high" rating, does not cease to exist in reality: government organizations do engage in espionage.
Vulnerability analysis using attack trees
The report presents 17 possible attack scenarios using attack trees and calculates the risk of an attack with probabilities. The different types of attacker can pursue the following objectives:
- Unauthorized reading of the file
- Unauthorized manipulation of the file
- Unauthorized deletion of the file
- Denial-of-service attack on the file
- Detection of treatments and diseases
The attack tree for unauthorized objection submission is the most extensive, with a large number of attack vectors. If an objection becomes active in the system, the patient file is deleted. Recovery is impossible. There are no minimum security requirements for the procedure for submitting or withdrawing objections, nor are there any security checks. Gematik "explicitly points out that the procedure is not part of the specification" – so it is not their problem.
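As an added illustration that is not part of the article or of the Fraunhofer report, the following Python snippet shows how an attack-tree risk estimate of the kind the report describes is computed: leaves carry success probabilities, AND nodes multiply them, OR nodes combine them as "at least one succeeds", and the root probability is weighted by an impact score. The tree, its leaf probabilities and the impact weight are constructed for the example and are not values from the report; the mitigation comparison at the end shows how adding a check to the objection procedure would change the estimate.

```python
"""Attack-tree risk estimate (constructed example, not from the report).

Conventions assumed here (a common attack-tree reading):
  - a leaf carries the probability that the attacker succeeds at that step;
  - an AND node succeeds only if every child succeeds (product of the
    children, treating them as independent);
  - an OR node succeeds if any child succeeds (1 - product of failures).
Risk = root success probability x impact (impact on a 1..5 scale, constructed).
"""
from copy import deepcopy
from dataclasses import dataclass, field
from math import prod
from typing import List, Optional


@dataclass
class Node:
    name: str
    gate: Optional[str] = None          # "AND", "OR", or None for a leaf
    p: float = 0.0                      # success probability for leaves
    children: List["Node"] = field(default_factory=list)

    def probability(self) -> float:
        if self.gate is None:
            return self.p
        child_ps = [c.probability() for c in self.children]
        if self.gate == "AND":
            return prod(child_ps)
        if self.gate == "OR":
            return 1.0 - prod(1.0 - q for q in child_ps)
        raise ValueError(f"unknown gate {self.gate!r} at {self.name}")


def leaf(name: str, p: float) -> Node:
    return Node(name, p=p)


def AND(name: str, *kids: Node) -> Node:
    return Node(name, "AND", children=list(kids))


def OR(name: str, *kids: Node) -> Node:
    return Node(name, "OR", children=list(kids))


# Constructed toy tree for the goal "file deleted via a forged objection".
# The branches mirror the article's themes (an unsecured primary system, a
# bought or phished service provider, an unchecked objection procedure);
# every probability below is made up for the arithmetic only.
OBJECTION_TREE = OR(
    "unauthorized objection submitted",
    AND("via insecure primary system",
        leaf("primary system compromised", 0.30),
        leaf("session used to file objection", 0.50)),
    AND("via service-provider account",
        OR("obtain provider credentials",
           leaf("provider bribed", 0.05),
           leaf("provider phished", 0.20)),
        leaf("objection accepted without check", 0.90)),
)


def risk(tree: Node, impact: int) -> float:
    """Probability-weighted risk for the root goal."""
    return round(tree.probability() * impact, 4)


def most_likely_path(tree: Node) -> str:
    """Name of the child branch with the highest success probability."""
    return max(tree.children, key=lambda c: c.probability()).name


def mitigated(tree: Node, leaf_name: str, new_p: float) -> Node:
    """Copy of the tree with one leaf's probability replaced, for a
    before/after comparison of a countermeasure."""
    copy = deepcopy(tree)

    def visit(n: Node) -> None:
        if n.gate is None and n.name == leaf_name:
            n.p = new_p
        for c in n.children:
            visit(c)

    visit(copy)
    return copy


if __name__ == "__main__":
    print("root probability:", round(OBJECTION_TREE.probability(), 4))
    print("risk (impact 5):", risk(OBJECTION_TREE, 5))
    print("most likely path:", most_likely_path(OBJECTION_TREE))
    checked = mitigated(OBJECTION_TREE, "objection accepted without check", 0.30)
    print("risk with a check on objections:", risk(checked, 5))
```

The leaf named "objection accepted without check" is where a security check on the objection procedure would bite: lowering that single probability reduces the root estimate more than any other leaf in this toy tree, which is the kind of prioritisation argument an attack tree is meant to support.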
Structural analysis using clusters and AI
For the security analysis of the components of the ePA, the researchers relied on AI in stage 2 of their "high-level check". The first AI grouped all Gematik security requirements into logical clusters "to efficiently group and categorize the large number of requirements". The second AI used was a "specially developed gematik GPT". This was "an advanced Retrieval Augmented Generation (RAG) pipeline" with which "precise and context-related information can be extracted and analyzed from gematik's extensive specification data set".
Without grouping the requirements into clusters, it would be "hardly possible to create an overview by purely manual observation" or to make a "comparison with similar clusters in other components" in order to ensure uniform implementation of standards in the entire ePA system. The Gematik specifications are not only extensive, but also too complicated to penetrate and understand without technical support. This is why AI was needed to help, but it cannot simply be trusted. Even with RAG-based LLMs, side effects can occur in the form of incorrect or incomplete answers.
Dr. Steven Arzt, an expert in secure software engineering at Fraunhofer SIT, explains: "We didn't want to blindly trust the AI here, but instead checked all the AI's results. That's still faster than doing everything manually." That is reassuring for anyone who needs this kind of technical assistance to understand Gematik documents and specifications.
Without trust, there can be no digitalization of healthcare. "The ePA for all is fundamentally secure in the areas tested", explains Gematik. This sentence could come closer to being true if Gematik does its homework, which the experts from Fraunhofer SIT have written down in the form of 30 recommendations for action. Gematik has "already taken the first steps to implement the suggestions for improvement within its area of responsibility". It has "taken note" of what lies outside its regulatory jurisdiction.
(mho)