Expensive intensive care for a dead horse: The TI connector replacement

Inhaltsverzeichnis

(Hier finden Sie die deutsche Version des Beitrags)

"Trustworthiness" is a much-used word in health telematics. So far, however, only cost explosions, delays and embarrassing mishaps of all kinds seem certain. All medical practices, clinics and pharmacies in Germany must be connected to the telematics infrastructure (TI) via "specially secured hardware routers" – so-called connectors. Refusal to do so will result in ever-increasing fines.

Technically, the connectors are comparable to a DSL router, but are supposed to offer a significantly higher level of security. There are only three connector providers: the two market leaders Secunet and CGM as well as RISE. The connectors are the heart of the TI – but only of the TI 1.0. The commissioning of this lighthouse project of the health system digitalisation was legally planned for the first of January 2006 (sic!) at the latest. It then took a little longer: until 2018.

At the beginning of 2021, Gematik realized: Lighthouses and TI 1.0 may have been innovative two millennia ago, but now we need a TI 2.0 without connectors. The changeover was to take place gradually until 2025. Against this background, the Federal Ministry of Health (Bundesministerium für Gesundheit, BMG) logically wanted to avoid a physical connector exchange:

The connectors contain device-specific "Security Module Cards" - gSMC-K for short. In principle, this is a crypto-co-processor in SIM format that simultaneously contains several cryptographic identities. Their lifespan is usually limited by the validity of the identity-creating crypto certificates they contain. In the case of the gSMC-K, the lifetime is five years, of which at least four years must still be left when a connector is delivered.

Lots of electronic waste

This means that from 2022, certificates in the gSMC-K will expire, and the affected connectors will become expensive paperweights. For this reason, Gematik had proposed a lifetime extension of the certificates via a software solution. Instead of the expired certificates of the gSMC-K, the connectors would have passed on longer valid certificates to the communication partners. This solution had the approval of the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) and was authorised by a Gematik resolution on 30 June 2021 – including the immediate commissioning of Arvato with the necessary preparations. To the best of our knowledge, Arvato also completed this work on time by January 2022.

Then on March 17, 2022, the turnaround: A hardware connector exchange is decided. "To ensure continuity of operation during the transition to TI 2.0 and to avoid costly interim solutions, a hardware replacement has emerged as the safest solution overall in the coordination of all parties involved," says Gematik.

Wait a minute! The BSI had agreed, hadn't it?

So "safest solution" here cannot mean the dimension of IT or information security. What other uncertainties could there be? Is it uncertain whether the technical complexity can be mastered and whether the system will not be shipwrecked again, as it was when the keys were exchanged in May 2020? Is it uncertain whether the connector manufacturers want to provide the software solution and forego an extensive, lucrative hardware business as a result of the replacement?

Both could and should have been clarified before the decision on June 30, 2021 and the commissioning of Arvato. Or are there uncertainties as to whether TI 2.0 will be ready in time for 2025? Because at the start of 2025, the Federal Network Agency will require longer keys for public-key cryptography for security reasons. The old gSMC-K cannot do this, which is why the BSI had limited its approval of the software solution to the end of 2024. Based on our experience, we would not deny the BSI pragmatism, but we also understand very well against the background of TI 1.0 that the BSI does not want to engage in a slippery slope of endless "short" extensions.

Questions upon questions

Fortunately, the manufacturer CGM has already taken precautions in 2021 and procured tens of thousands of connectors for millions of euros and can deliver the KoCoBoxes to be replaced this year. What, considering the decision situation in 2021, must have seemed like gross entrepreneurial irrationality, today turns out to be incredible clairvoyant abilities. And also the new KoCoBox could have been a risky investment ...

How much is the fun?

For the connector replacement of a KoCoBox, CGM offers a package at a price of around 2,300 euros. We take this as a starting point because so far, the prices of the three suppliers have differed little from each other and especially from the official financing amounts – a pricing that perhaps deserves the attention of the Cartel Office. Around 130,000 connectors to be exchanged at 2,300 euros each – about 300 million euros! And we haven't yet discussed the follow-up costs for the practices, which are to be expected based on experience to date.

But let's take a more complete look at the cash flow: The initial equipment for small practices for the TI connection cost around 3,000 euros – more for larger group practices. Added to this are 9,000 euros in additional costs per practice. If we assume at least 130,000, we arrive at costs in the billions. Since 2005, the Social Health Insurance funds have been paying for the operation of Gematik – according to our calculations, about one billion euros so far. The other shareholders also pay – considering the majority distribution, probably a good billion euros as well.

Time is money

In January 2006, the BMG put the misuse of insurance cards at two billion euros a year. Since 2003, the Verax list has been available to reduce the misuse of patient insurance cards. It provides the same level of protection as the TI's Insured Master Data Management (Versichertenstammdatenmanagement, VSDM) and became the first victim of the TI's innovation-inhibiting effect. The Verax list was not used because the legal introduction of the TI, including the VSDM, was scheduled for January 1, 2006. In this context, the VSDM does not perform any better than the Verax. Project delays have such resulted in losses of around 30 billion euros.

This does not yet consider the replacement of defective devices (around two percent per year is in line with specifications), or the equipment costs of pharmacies and hospitals. The software companies of the practices, pharmacies and hospitals also want to be paid for the implementation of the TI functionalities, which is likely to increase the license costs. In addition, there were several flanking research projects that were paid for out of various funds.

Procurement costs beyond five billion euros and delay damages around 30 billion euros are therefore plausible. On top of this, there are ongoing flat rates of over a thousand euros per practice - another 150 million euros a year in doctors' practices alone. Even if considering an error rate of over 25 percent, we are prepared to estimate 1.5 billion euros per year as avoided insurance card misuse, the payback horizon is well beyond 20 years - and then there should be no further costs from TI 2.0! Other benefits? Not a chance! Regardless of who pays what, this money is missing from the healthcare system, whether in health insurance benefits or in the ability of practices to invest in digital diagnostics.

No alternative?

There is no alternative to the connector replacement, they say. We immediately think of two alternatives: We recently analyzed a boot-unable KoCoBox - the details will follow in one of the next c't issues. But this much can already be revealed:

1. The pure hardware value is a few hundred Euros and since the connector software is already developed and its maintenance is financed by quarterly contributions, we cannot understand the 2300 Euros for the exchange of a KoCoBox.
2. The gSMC-K are plugged into card sockets in the KoCoBox and can be replaced without much technical knowledge because the casing has no tamper monitoring. In any case, we do not see any obstacle - on the contrary: After our intervention, the connector booted flawlessly again. Backing up the connector settings, replacing them with new gSMC-K with modern cryptography methods and corresponding key lengths, and restoring the backup should give a KoCoBox another five years of life.

"If you are riding a dead horse...

... then get off." Of course, one can ignore the sage advice of Dakota Indians and experienced project managers and prescribe expensive resuscitation measures. But to take care of public health, it would be wiser to dispose of the carcass before it causes further damage. After Corona, our health care system has more burdens to bear, is under constant stress and overloaded. Wouldn't it be time to provide relief and end the force-feeding of sickening TI? To invest the resources – money and time – thus freed up in improving about health care personnel and to bring about a social consensus on what our health care system of the future should look like? A few large hospitals and medical care centers (Medizinische Versorgungszentren, MVZ) and long distances for patients, or rather decentralized with short distances? In the hands of profit-oriented large investors, in public hands or independent physicians?

Open competition needed

Once it is clear where the journey is headed, an open competition of ideas can start in various regions: in terms of organizational forms, financing and, of course, digitization. Only in this way, without gigantic investment and approval hurdles, can innovative ideas be tested and improved and ultimately prevail. The diversity of ideas prevents oligopolies, as in the connector market. It is enough to set guidelines, such as open standards, open protocols, interoperability requirements and the security requirements to be met in the future - because in a phase of pure voluntariness and informed consent, it is perfectly possible to take risks that would not be acceptable in a mandatory system.

Such an approach – we are convinced – would quickly produce a set of high-quality solution candidates whose mutual competition would generate real quality and real progress. A productive plurality in contrast to the monopoly of the TI, which represents not only a tragic brake on innovation, but a backward IT. It is also interesting to ask whether the TI shutdown would even be noticed by the reader.

(mack)