c’t reveals: security breach in the electronic patient record

File systems that have something to do with health data are particularly well secured, you might think. Ironically, the Electronic Patient Record (EPD) is not. Doctors usually save the results in the form of documents and pictures. In order to ensure at least formal protection against viruses and Trojans, only certain types of files can be loaded into the EPR.

More from c't magazine

More from c't magazine

More from c't magazine

According to the specification of the Gematik (PDF) the file types PDF, JPEG, PNG, TIFF, text / plain and text / rtf, XML, HL7-V3, PKCS7-mime and FHIR + XML. Zip containers are prohibited because they might not only contain files containing malicious code, but also so-called decompression bombs. When unpacking, they write to the entire hard drive and cripple the computer.

There are currently three ePA server backends in Germany operated by Bitmarck / Rise, IBM and ITSG. Physicians can upload and download reports there using their practice management software. Patients can access them through their health insurance fund’s apps and can also use them to upload and download files – and, with the launch of the new ePA 2.0, allow or block physician access as well.

One of the most popular ePA applications currently is “Die TK-App” for Android and iOS smartphones from Techniker Krankenkasse. At the end of November, we received an anonymous information that the Android version 3.15.0 (product version of the TK application would allow the TK-Safe function to load really prohibited zip containers into the EPR. On subsequent checking, we actually managed to upload a zip file to the PPE and then upload it again.

In fact, the application should prevent such a download by checking the file type. To do this, however, it apparently only checks its MIME type in the metadata. To work around this problem, we built a zip container “Röntgenbilder.zip”, added the extra end “.txt” and uploaded it to Google Drive. This classified the file as a “text / plain” MIME type based on the extension of the file name. We then removed the .txt extension from the name and were able to download “radiographic images.zip” from Google Drive via TK-Safe as “document without special form” to the EPR.

At the beginning of December we informed Gematik and Techniker Krankenkasse, who confirmed the deviation. As a result, the TK application adopted the “text / plain” MIME type identified by Google Drive on its first download, which Google Drive retained when it changed its name. On December 15, Techniker Krankenkasse informed us that the gap in version 4.1 of the TK application (product version had been filled.

Manufacturers of an ePA application must have it certified by Gematik. However, this does not apply to “updates with minor changes”. Therefore, Gematik only certified version 3.1.0 of the TK application product and did not find the loophole we described there.

Due to a security breach in the Android application “Die TK-App”, we were able to download a prohibited zip file on the EPR.

However, Techniker Krankenkasse stated that the safety of the practices was not threatened by a possible upload of zip files to the EPR. Since all files in the EPR are transmitted end-to-end encrypted, they must be verified in advance. And because the TK app is just one of the many ways to fill out the ePA, doctors should definitely check ePA files for possible malicious code when they are downloaded.

A corresponding regulation can be found in the EPR application guide (gemILF_PS_ePA_V2.0.0.pdf, PDF) of the Gematik. It says there under the newly added point A_17769: “The PS should take measures to protect itself against possible malware in the downloaded documents if the format or the content of the downloaded document does not correspond to the type of document specified in the documents. metadata. »PS stands for primary system and refers to office administration or hospital information systems.

According to Techniker Krankenkasse, he should “carry out a plausibility check and take the appropriate measures”. However, applications such as the TK application, which the insured can use to upload and download files to the EPR, are not part of the primary systems.

According to Gematik, there is no increased safety risk with EPR. She prefers to speak of a “safe limit” and writes: “The control of these files rests with the insured himself, which means that only the insured himself can override and the doctor whom he trusts can. deliberately harming the doctor carrying a file. This rather unrealistic scenario does not only concern the use of the EPR, it already exists, for example when the results (such as x-rays) are transmitted on a data medium, which the insured person brings to the practice. “

Obviously, until Gematik, the rumor had not circulated that Trojans could infect files without informing their owners (doctors or patients).

This begs the question of who is responsible if malicious code gets to the EPR and bypasses the “plausibility check” and “appropriate measures”. Because with ePA, you can always prove who puts a file in the system, the system is more secure than transmission by e-mail, argues Gematik. Therefore, there are also no impact assessments of the damage that could result from importing malicious code into the EPR. According to Gematik, according to article 75b of book V of the social code, doctors are required to comply with “standard security measures against malware”.

Doctors and other healthcare providers should therefore have up-to-date virus scanners and freshly patched PDF readers on their systems. Additionally, it’s a good idea to open ePA data and mail attachments in a virtual machine, which at least makes it much harder for possible malicious code to be spread.

Much investigative research is only possible thanks to the anonymous information of whistleblowers.

If you are aware of an issue that the public should be aware of, you can send us notices and materials. Please use our anonymous and secure mailbox for this.


For fear of possible liability consequences, some doctors do not want to support the RPE in the first place. A doctor wrote to us: “A first step would be to let the patient know by signature that he will not receive his EPR because the legal and technical risks are too high for the doctor and the patient is the doctor of the consequences of liability through ignorance. . its exempt EPR. “

But doctors can’t make it easy for themselves. Because although the use of an ePA is voluntary for the insured (opt-out), the doctor has a duty to cooperate in accordance with § 291a SGB V if someone has filled in an ePA with the doctor’s data or wishes to do so. to fill. The attending physician must also prove that he has fully consulted the data. Otherwise, you could accuse it of a misdiagnosis. Contrary to the claim of misdiagnosis, the burden of proof can be reversed: the doctor must prove that he has indeed included all the results.

At the last congress of the independent medical profession, lawyer Dirk Wachendorf therefore described the ePA as “a deeply poisoned offer in terms of liability”. In addition to the professional civil liability policy, he therefore recommended that the doctors together take out “cyber risk insurance”.

Such a policy would probably also be a good thing for health insurance policyholders to protect themselves against possible damages claims should one of their ePA files cripple a practice with malicious code. Those who do not want to accept the additional costs associated with this still have the option of opting out of the EPR.

However, if you want to use EPR in the future, you should always have a backup in case the EPR servers fail. This happened, for example, on December 13, when the entire Telematics (IT) infrastructure failed due to the log4j gap, or on December 16, when IBM switched its backend to ePA 2.0. and that a third of all ePAs were not available.

Since other IT departments currently do not exactly meet the requirements of high availability systems, the National Association of Statutory Health Insurance Physicians has rebelled against the mandatory introduction of electronic prescribing in mid-December. As it does not yet function properly in its substantive processes despite the start-up scheduled for January 2022 and is not available nationally, the representatives of the doctors wanted to convert the strict digitization provisions into optional ones. The KV Westfalen-Lippe press release stated: “If pharmacies in the immediate vicinity of the practice are unable or unwilling to receive and exchange electronic prescriptions, you can issue the insured with a paper prescription on sample 16. “

Alternative paper prints should also continue to be possible for the electronic certificate of incapacity for work (eAU). The KBV thus embarked on a race of direct confrontation with Gematik and the Federal Ministry of Health (BMG). The BMG then pulled the emergency brake on December 20 and stopped the planned nationwide introduction of the electronic ordinance on January 1. Due to “great concerns”, “the test and pilot operation must be continued and gradually extended”, explained a spokesperson for the BMG – without mentioning a new date of introduction.

In c’t 2/2022 we have concocted the c’t Emergency Windows 2022 for you. With the kit for the system running from the USB stick, you can find viruses, save data or reset passwords . We shed light on how the EU wants to use GDPR loopholes for content scanners, we tested high-end smartphones, mobile USB-C monitors, and server software for private media collection. You will find the number 2/2022 of December 31 in Heise store and at the well-stocked newsstand.

(old witch)

Disclaimer: This article is generated from the feed and not edited by our team.

Comments are closed.