E-Patientenakte: A Goldmine of Personal Data?

the Chaos Communication Congress of the Chaos Computer Club. This time, the gathering of top German hackers has targeted the electronic patient record (ePA) and found gaps as big as barn doors.

Next year, it’s supposed to be introduced for all insured patients, and it requires a lawsuit to opt out of this kind of record-keeping, where all health data is stored on central servers that can be accessed with a chip card.

The Federal Ministry of Health makes the ePA appealing, among other things, with the promise that patients themselves can access their records at any time.

“In the context of your treatment, all service providers involved can access the medical history stored in the ePA (e.g., doctor’s reports, examination reports). This saves time and significantly simplifies the treatment process!”

Ultimately, one can “set and control at any time who has which access rights, and change these.” “You can decide for yourself whether to allow others to access your personal ePA.”

If that were all, the result of the computer experts would be.

“The attack required an effort of about an hour, was remotely executable, and enabled full access to an ePA or all ePAs made available to service providers,” reported Bianca Kastl and Martin Tschirsich. The “service providers” are the treating doctors. This means that all records of a practice were open after an hour of work, with the help of a vulnerability known since 2012.

But more effort yields more results: with a month’s effort, the experts achieved “full access to all ePAs.” All of them, from every patient.

What is needed is an “independent and reliable” assessment of the security risks, Kastl and Tschirsich conclude. Many of these security gaps have been “known for years,” but apparently they were not closed.

There are, of course, institutions that are interested in all the data they can get their hands on. What about the CIA? A month’s work, and all data of German insured patients is open and can be exploited, for example, for extortion? Few kinds of data are as unwelcome in circulation as those found in a patient record. What if such data is stolen and sold? Stolen data from all possible servers is sold on the dark net; will patient records be available for purchase there soon?