Security Analysis of the German Electronic Health Card's Peripheral Parts

This paper describes a technical security analysis which is based on experiments done in a laboratory and verified in a physician’s practice. The health care telematics infrastructure in Germany stipulates every physician and every patient to automatically be given an electronic health smart card (for patients) and a corresponding health professional card (for health care providers). We analyzed these cards and the peripheral parts of the telematics infrastructure according to the ISO 27001 security standard. The introduced attack scenarios show that there are several security issues in the peripheral parts of the German health care telematics. Based on discovered vulnerabilities we provide corresponding security measures to overcome these open issues and derive conceivable consequences for the nation-wide introduction of electronic health card in Germany.

[1]  Jan Marco Leimeister,et al.  A Proposed Solution for Managing Doctor's Smart Cards in Hospitals Using a Single Sign-On Central Architecture , 2008, Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008).

[2]  Wolfgang Deiters,et al.  Mehrwertdienste im Umfeld der elektronischen Gesundheitskarte , 2006, Informatik-Spektrum.

[3]  Herbert Weber,et al.  Die eGK-Lösungsarchitektur Architektur zur Unterstützung der Anwendungen der elektronischen Gesundheitskarte , 2006, Informatik-Spektrum.

[4]  Kenneth D. Mandl,et al.  Indivo: a personally controlled health record for health information exchange and communication , 2007, BMC Medical Informatics Decis. Mak..

[5]  Jan Marco Leimeister,et al.  Bewertung und Klassifikation von Bedrohungen im Umfeld der elektronischen Gesundheitskarte , 2008, GI Jahrestagung.

[6]  Bernd Blobel,et al.  Authorisation and access control for electronic health record systems , 2004, Int. J. Medical Informatics.

[7]  Helmut Krcmar,et al.  Security Analysis of the Health Care Telematics Infrastructure in Germany , 2008, ICEIS.

[8]  Dirk Drees The Introduction of Health Telematics in Germany , 2007, ISSE.

[9]  Jan Marco Leimeister,et al.  Analysis of the Applications of the Electronic Health Card in Germany , 2009, Wirtschaftsinformatik.

[10]  Wilfried Berg Telemedizin und Datenschutz , 2004 .

[11]  H. Krcmar,et al.  IT-Sicherheitsrichtlinien für eine sichere Arztpraxis , 2008 .

[12]  Daniel Poeschkens Verbandskommunikation zu komplexen Themen: gematik – Gesellschaft für Telematikanwendungen der Gesundheitskarte mbH , 2010 .

[13]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[14]  Kent L. Beck,et al.  Extreme programming explained - embrace change , 1990 .

[15]  Paul Jones,et al.  Secrets and Lies: Digital Security in a Networked World , 2002 .