Security flaws stop German EHR programme

A study by Germany’s Chaos Computer Club (CCC), weekly news magazine Der Spiegel, and broadcaster NDR has uncovered major security weaknesses in Germany’s EHR system, the eGK.

The findings, revealed on Friday December 27 at the CCC’s annual congress in Leipzig, and simultaneously in the latest issue of Der Spiegel (#1 2020), show that the system does not suffer from a single point of failure but from multiple data security failings throughout its infrastructure. In response, Gematik, the body responsible for the EHR, has stopped the roll-out of the programme until a full security audit is carried out.

Germany’s EHR system connects doctors’ practices, hospitals, clinics, and health insurers. The national backbone infrastructure of the system is known as the Telematics Infrastructure (TI), which is designed to provide both a national healthcare network for healthcare providers at all levels and the platform for the country’s EHR system. It is due to go live from 2021. The backbone infrastructure is managed by Gematik GmbH, a non-profit established in 2005 to oversee the project.

The eGK EHR includes three different types of smartcards that are used to authenticate individual patients and primary care practices: the patient’s healthcard, the doctor’s card, and a practice card.

Despite being unauthorised, researchers from the CCC were able to procure all three types of EHR smartcard from an intermediary. They were also able to buy EHR connectors on the Internet, giving them access to the German EHR TI backbone network.

Researchers from CCC also discovered that personal data from doctors who had applied for access to the EHR TI network in the last fortnight was openly available on the Internet, due to a data breach at the provider of the smartcards. When CCC discovered this data breach, the personal details of around 170 doctors were available on the Internet.

Research by Der Spiegel and NDR established that the data discovered by CCC allowed access to doctors’ records on the EHR system.

According to the CCC data security researchers, the problems with the German EHR system do not rest with one provider or company, but are structural security flaws that affect the entire EHR system.

When informed of the security flaws, Gematik, the organisation responsible for management of the programme and platform, stopped the issue of any further smartcards. It described the weaknesses found by the researchers as “unacceptable”.

A security audit has been initiated by Gematik, and further cards for individuals, doctors or practices will not be issued until the audit is complete.