The electronic patient file arrives in 2025, but there are considerable security problems


You can optionally object to the electronic patient file. (Zerbor - Adobe Stock)

The electronic patient file (EPA) “for everyone” is coming. The EPA is a kind of digital folder in which all important information about a person's health and medical history is stored.

For people with statutory health insurance, the rollout begins on January 15, 2025, and the health insurance companies automatically provide each insured person with an EPA unless an objection is filed.

However, security researchers point to serious security gaps that caused a stir when the EPA was introduced in 2020.

Many security problems still exist

The two security researchers Bianca Kastl and Martin Tschirsich demonstrate how third parties can gain access to the EPA with (sometimes) little effort. A central point is the issuance of health cards. You can find the full lecture here:

Relive: “Could never be hacked before”: The electronic patient file comes – now for everyone!

Some background: to access the EPA, you need either the electronic ID card and a PIN or the health card with the associated PIN. Insured persons receive the PIN for the electronic health card (EGK) from their health insurance company.

The criticism again focuses on the issuance processes, the application portals and the handling of these cards in medical practices.

  • The two security researchers explain how quickly and comparatively easily health cards can be applied for in other people's names (about 20 minutes, according to the researchers).
  • As Heise.de writes, the chip cards also store cryptographic identities that are intended to ensure secure access to the EPA. However, these are not used to verify the authenticity of the card.
  • The researchers also found that they were able to exploit vulnerabilities to generate so-called accesses for medical practices. This gave them the authorization to view the health records of any insured person without having to physically interact with a health card beforehand.

Exploiting security gaps in the identity verification procedure of the EPA infrastructure to obtain comprehensive access to the system, and thus to all EPAs, is much more complex but nevertheless possible. The researchers put the time required at about a month.

According to the two researchers, access to more than 70 million patient files would be possible on the basis of all these serious security gaps.

“The necessary trust cannot be prescribed”

As the innovation network of public health writes, the security of the EPA must be guaranteed for everyone in order to gain the trust of the insured. People who could benefit from the EPA may not use it due to risk considerations, according to the researchers.

The experts therefore formulate three central demands:

  • Independent and resilient evaluation of security risks
  • Transparent communication of risks towards those affected
  • Open development process over the entire life cycle

In the meantime, Gematik, the operator of the EPA infrastructure, has commented. Although it admits the security deficiencies, it describes “the practical implementation in reality” as “not very likely”. It does at least confirm the exchange with the responsible security authorities.

You can object to the EPA

As mentioned at the beginning, all persons with statutory health insurance will automatically receive a personal electronic patient file in 2025, unless they object.

Use of the EPA is voluntary in principle. More information about objecting is available from the respective health insurance company.

The health insurance companies offer an objection form online that you have to fill out with your insurance details.
