After security researchers Bianca Kastl and Martin Tschirsich demonstrated a large number of security shortcomings in the electronic patient file (EPA) at the 28th Chaos Communication Congress, the Federal Ministry of Health (BMG) still wants to stick to the nationwide rollout of the electronic patient file from January 15. When asked, a BMG spokesperson said they were in touch with the CCC about the “problem”.
“The theoretical problem described by the CCC will be resolved before the launch of the EPA for all. The BSI will officially confirm this in due course. The pilot phase will begin as planned on January 15. The launch of the EPA for all will take place,” the statement said. “We meet all the high-level security standards, which are also endorsed by the BSI and the BFDI.”
BFDI “strongly recommends” security measures
The Federal Commissioner for Data Protection and Freedom of Information (BFDI), Louisa Specht-Riemenschneider, expressed herself more subtly in response to Heise Online’s question. She had informed gematik, which is responsible for digitalization in the healthcare system, and the BMG “at an early stage of the high risk potential of the vulnerabilities and recommended immediate measures to reduce the associated risks. The Federal Office for Information Security and the BFDI strongly recommend gematik’s solution to reduce the risk,” a spokesperson for the BFDI explained to Heise online.
Protective measures are in progress
The Federal Office for Information Security (BSI) responded to our query in detail. A BSI spokesperson said it conducted the analysis together with gematik and “immediately developed additional protective measures and made arrangements to implement them” to prevent “access by unauthorized persons to any patient data stored in the EPA”.
Additionally, the BSI states that this attack requires access to a card terminal, a valid SMC-B (Security Module Card Type B, the institution card of a healthcare facility) including its PIN, and a connector for connecting to the telematics infrastructure, also known as the “health data highway”. The security researchers found the necessary infrastructure through, among other things, classified advertisements, but according to the BSI, “related infrastructure and device cards were disposed of” by “healthcare facilities” that are “re-sensitized accordingly and are aware of their obligations.” gematik’s response to the security issues presented is rather thin: it refers to fines and prison sentences if criminals obtain means of access illegally.
According to the BSI spokesperson, the path to a further attack requires “uninterrupted access to the mentioned terminal along with technical know-how” via “an activated card terminal on site at the healthcare facility”. “To prevent such manipulation, the operating environment of card terminals should be chosen by healthcare personnel in such a way as to prevent unauthorized physical access at any time. This is set out in the requirements for the installation of card terminals.” The deliberately chosen design of the related tools also makes it difficult “for attacks to be carried out quickly”, the BSI explains.
Further protective measures are in progress
According to the BSI spokesperson, the pilot phase for the introduction of the electronic patient file is planned to launch in 300 healthcare facilities in three model regions. Further protective measures are in the works. Accordingly, “a whitelist will be introduced for participating healthcare facilities so that only these practices have access to the EPA”.
To bridge the security gap, gematik wants to additionally encrypt health insurance numbers and expand “oversight measures such as monitoring and anomaly detection.” gematik also wants to take a closer look at the “secondary market for practice infrastructure.” Such detection can reveal access and attacks after the fact, but it will not prevent criminals from gaining unauthorized access to the infrastructure in the first place.
BSI wants to re-evaluate further measures
The BSI uses a variety of measures to “limit the risks of a successful attack to the scope of participating healthcare facilities” and evaluates technical and organizational measures (TOMs) as risk-mitigating. Nevertheless, further TOMs are to be implemented in the “short and medium term” to minimize the risk of a successful attack. The Federal Ministry of Health (BMG) and gematik will decide on the start of the nationwide rollout in due course. “The measures implemented were also re-evaluated by the BSI,” the spokesperson said.
Thilo Weichert, former state data protection officer for Mecklenburg-Western Pomerania, considers the EPA’s planned rollout “a huge risk to the data protection of the health data stored there”. He would not want to take responsibility for this. “I understand that politicians see this differently, also taking into account the well-established expectations associated with the EPA. If this is to start, then in an informative and honest way, so that those affected are informed about their opt-out.” Asked by Heise online, he said Kastl and Tschirsich had “demonstrated effectively” that the EPA has only limited protection.
End of EPA experiments
Following publication of the lecture, the CCC called for an “end to EPA experiments on living civilians.” The independent medical profession is also calling for an immediate halt to the rollout plans. The security gaps identified mean that “access to the sensitive medical data of 70 million people with statutory health insurance” is possible with little effort. According to Silke Lüder, general practitioner and deputy federal chairwoman of the Freie Ärzteschaft (Free Medical Association), the “narrative of a safe EPA” has failed shortly before its launch on January 15, 2025. According to Lüder, “This rollout is absolutely irresponsible given the existing systemic security flaws.” What is particularly bad is that “some errors in the security design have been known for years and have apparently yet to be corrected by gematik in the current specification,” Lüder added. She described gematik’s response to the demanded halt as “absurd”.
From the point of view of Patrick Breyer of the Pirate Party, it is “contrary to the law and data protection” that the electronic patient file should be launched in mid-January, “even though, by gematik’s own admission, the mega security gap remains and security standards have not yet been implemented.” “Above all, this approach destroys trust and can have consequences for the health of those affected,” explains Breyer. He demands that the Federal Data Protection Commissioner “put a stop to this irresponsible game with our health”, because “the safety of our mental and physical health (…) is non-negotiable”.
(Mac)