The newly added security measures for the official start of the electronic patient file (ePA) this week have proven to be insufficient, according to reports by Spiegel. Ethical hackers from the Chaos Computer Club (CCC) have reportedly overcome a central new security precaution and informed the authorities. The operators responded to the warning with an immediate emergency measure on Wednesday afternoon, closing the ePA security loophole for the time being.

IT security experts had previously made a series of vulnerabilities in the ePA system public, prompting Gematik, the operator, to admit that the attack scenarios were “technically possible”, although they were unlikely in reality. The start of the ePA was postponed to Tuesday of this week as a result. Federal Health Minister Karl Lauterbach (SPD) had announced at the time that the ePA would only be launched when all hacker attacks, including those by the CCC, were technically impossible.

To make unauthorized access to electronic patient files more difficult, additional checks of a verification value were introduced. This value is calculated based on the date of insurance coverage and the street and house number of the insured person’s address. The hackers demonstrated that, under certain conditions, they can automatically query this data in the system of the so-called electronic substitute certificate. This certificate is typically used to allow patients who have forgotten their health card to still be billed. With the queried data, the verification value can be calculated, and the process is publicly documented.

Gematik responded with an “emergency measure.” The process was reportedly “suspended for the time being”, and the electronic substitute certificate is therefore temporarily unavailable. “There are currently no indications of unauthorized access to electronic patient files,” Gematik stated.