38C3: Major security flaws uncovered in electronic patient file 3.0
Serious security gaps still need to be closed before the launch of ePA 3.0. Martin Tschirsich and Bianca Kastl will be demonstrating this at 38C3.
There have been security flaws in the electronic patient file (elektronische Patientenakte, ePA) for years, and security experts keep finding new loopholes. The same now applies to the ePA that is created automatically for everyone who does not object. Those responsible always emphasize that the ePA is absolutely secure, but the "ePA for all" cannot keep this promise. Martin Tschirsich and Bianca Kastl demonstrated this at the 38th Chaos Communication Congress in Hamburg using a series of simple security loopholes that can be exploited by outsiders. They easily managed to gain access to the "ePA for all". This was possible due to flaws in the specifications, among other things. They were able to create access tokens for the files of any insured person, without inserting the electronic health card.
Security gaps known for years
The uncontrolled issuing of health cards is a "perennial issue" and a central point. Researchers were able to order electronic health cards in other people's names by making simple phone calls to health insurance companies. The time required for these attacks is astonishingly short: it took 10 to 20 minutes to order a third-party health card. Access to medical practices could also be obtained within a few hours to days. This is due to deficiencies in the issuing processes, the application portals and the handling of the cards "in the practice".
The cryptographic identities stored on the chip cards are intended to guarantee the security of access to electronic patient records. "However, these are not used to prove the authenticity of the card. This means that the presence of any card can be faked", Tschirsich explains to heise online.
Access to ePA 3.0 without a PIN
As the new version of the electronic patient record no longer requires a PIN for access in the practice, it is no longer even necessary to physically possess such a card to access the corresponding patient record from version 3.0. According to Tschirsich and Kastl, the combination of these various vulnerabilities enables access to all 70 million patient files. It is particularly critical that many of these vulnerabilities have been known for years. At 36C3, André Zilch also demonstrated how easy it is to obtain electronic health professional ID cards, including for the practice identity (SMC-B), according to Tschirsich.
Tschirsich and Kastl were able to attack the card issuers' portals using SQL injection. They also bought used card terminals via classified ads, sometimes even with an SMC-B included on request. In this way, the membership numbers could be manipulated at will. They were also able to gain access to the systems through fake IT support. A single compromised practice access point allowed access to around 1,000 to 1,500 patient files. The fact that these fundamental security problems still exist in the latest version of the electronic patient record points to fundamental problems in the development and security process of the system.
Transparent communication of risks required
The experts are therefore calling for independent and reliable assessment of security risks and transparent communication of risks to those affected. To date, insured persons have not been sufficiently informed about the risks associated with electronic patient records. According to Tschirsich and Kastl, an open development process over the entire life cycle of the "lifelong EPR" is also necessary. Kastl believes that sensible, digital and state solutions are needed "that also function sensibly as a public infrastructure". To achieve this, everyone would have to pull together because nobody wants an ePA from Doctolib.
Gematik has since commented on the security flaws and describes the "practical implementation in reality" for one of the attacks mentioned as "not very likely". The former Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, has also responded to Gematik's reaction on Mastodon.
Security researchers have previously shown that the ePA has security flaws. In addition, access to the ePAs "including those outside the context of a doctor's treatment [...] should not even be possible due to the system architecture and is therefore a design flaw", says Kelber. Kastl also points out that the security flaws are not unrealistic, but have been proven. Furthermore, Tschirsich thinks it is a shame that Gematik has only commented on one of the flaws.
Gematik is in contact with security authorities
At the same time, Gematik states that it is "in close contact with the relevant security authorities such as the Federal Office for Information Security (BSI)". Technical solutions to prevent the attack scenarios have already been designed and their implementation has begun. The electronic patient files of all insured individuals are "well protected" nationwide, according to Gematik, as the ePA will initially only be launched at service providers in the model regions.
Gematik statement and quote from the former BfDI and information on Doctolib added.
(mack)