A study by Germany’s Chaos Computer Club (CCC), weekly news magazine Der Spiegel, and broadcaster NDR has uncovered major security weaknesses in Germany’s EHR system, the eGK.
The findings, revealed Friday December 27 at the CCC’s annual congress in Leipzig, and simultaneously in the latest issue of Der Spiegel (#1 2020), show that the system suffers not a single point of failure, but multiple data security failings throughout its infrastructure. In response, Gematik, the body responsible for the EHR, has stopped the roll-out of the programme until a full security audit is carried out.
Germany’s EHR system connects doctors’ practices, hospitals, clinics, and health insurers. The national backbone infrastructure of the system is known as the Telematics Infrastructure (TI), which is designed to provide both a national healthcare network for healthcare providers at all levels and the platform for the country’s EHR system. It is due to go live from 2021. The backbone infrastructure is managed by Gematik GmbH, a non-profit established in 2005 to oversee the project.
The eGK EHR includes three different types of smartcards that are used to authenticate individual patients and primary care practices: the patient’s healthcard, the doctor’s card, and a practice card.
Despite not being authorised to hold them, researchers from the CCC were able to procure all three types of EHR smartcard from an intermediary. They were also able to buy EHR connectors on the Internet, giving them access to the German EHR TI backbone network.
Researchers from CCC also discovered that personal data from doctors who had applied for access to the EHR TI network in the last fortnight was openly available on the Internet, due to a data breach at the provider of the smartcards. At the time CCC discovered this breach, the personal details of around 170 doctors were exposed on the Internet.
Research by Der Spiegel and NDR established that the data discovered by CCC allowed access to doctors’ records on the EHR system.
According to the CCC data security researchers, the problems with the German EHR system do not rest with one provider or company, but are structural security flaws that affect the entire EHR system.
When informed of the security flaws, Gematik, the organisation responsible for management of the programme and platform, stopped the issue of any further smartcards. It described the weaknesses found by the researchers as “unacceptable”.
A security audit has been initiated by Gematik, and further cards for individuals, doctors or practices will not be issued until the audit is complete.
Further reading: