A Note on the Security in the Card Management System of the German E-Health Card

Marcel Winandy (Ruhr-University Bochum)

3rd International ICST Conference on Electronic Healthcare for the 21st Century (eHealth 2010), Casablanca, Morocco, 13-15 December 2010

Tuesday, 14 December 2010

Uploaded by marcel-winandy, 05-Dec-2014

Introduction

• The German electronic Health Card (eHC)
  • Core component of the Healthcare Telematics
  • Each insured person will have such a card
  • Supposed to enable new applications
  • Smartcard with small storage + cryptographic functions

• German Healthcare Telematics
  • Under development, going to be rolled out "soon" (originally 2006)
  • Specifications by Gematik (company organization of the health institutions)

• Health Professional Card (HPC)
  • Similar card for all health professionals
  • For identification, authentication, digital signatures


Introduction: Use Cases of eHC

Obligatory:

• Identification, Authentication
  - personalized cards
  - individual cryptographic keys
• European Health Insurance Card (EHIC)
  - printed on the backside
• Electronic Prescription
  - issuing and filling
  - directly stored on eHC

Optional:

• Medical Emergency Data
  - directly stored on eHC
• Medication History
• Electronic Health Records
  - centrally stored on servers (in encrypted format)
  - eHC used to encrypt/decrypt and authorize access (via PIN)
• Other applications


Introduction: Security & Privacy

• German law requires strong privacy: "Data Sovereignty" (§291a.5 SGB V)

  "Only the patient can define who may access the data associated with the eHC."

• German Ministry of Health*: eHC basic security requirements

  "Authentication, authorization, and audit mechanisms have to be chosen so that the data sovereignty of the insured party can be taken for granted."

* German Federal Ministry of Health: "Entscheidungsvorlage - Festlegung der Authentisierungs-, Autorisierungs- und Auditmechanismen der Telematikinfrastruktur für die Fachanwendungen" (decision paper: definition of the authentication, authorization and audit mechanisms of the telematics infrastructure for the specialist applications), Version 0.9.0, March 2006.
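The use-case slide and the data-sovereignty slide above together describe one access model: health records stored centrally in encrypted form, the eHC holding the key material, the PIN gating the card's private operations, and the patient alone deciding who may read the data. The Python model below is an added example written for this page; it is not code from the talk, from the embedded papers, or from gematik's specifications. The `HealthCard` and `EHRServer` classes, the HMAC-SHA256 keystream cipher standing in for the card's real cryptographic functions, the three-try PIN counter and the grant flow (the patient's unlocked card releases the record key, the professional's unlocked card wraps it for itself) are all assumptions made for illustration.

```python
# Toy model of card-mediated, PIN-authorized access to an encrypted EHR (added example,
# not from the slides or gematik): the server keeps only ciphertext and per-card wrapped
# record keys; a card's key never leaves it and is unusable without a verified PIN.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_PIN_TRIES = 3  # assumed retry limit; the real card's value is not on the slides

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, a toy stand-in for the card's AES."""
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag (domain-separated labels)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Check the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))

@dataclass
class HealthCard:
    """Simulated eHC / HPC: wrap and unwrap refuse to run until the PIN is verified."""
    pin: str
    card_id: str = field(default_factory=lambda: secrets.token_hex(8))
    tries_left: int = MAX_PIN_TRIES
    unlocked: bool = False
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

    def verify_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False  # blocked card: even the correct PIN no longer unlocks it
        if hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.tries_left, self.unlocked = MAX_PIN_TRIES, True
            return True
        self.tries_left, self.unlocked = self.tries_left - 1, False
        return False
    def wrap_key(self, record_key: bytes) -> bytes:
        if not self.unlocked:
            raise PermissionError("PIN verification required")
        return seal(self._key, record_key)
    def unwrap_key(self, wrapped: bytes) -> bytes:
        if not self.unlocked:
            raise PermissionError("PIN verification required")
        return open_sealed(self._key, wrapped)

@dataclass
class EHRServer:
    """Central store: ciphertext per record, one wrapped record key per authorized card."""
    records: dict = field(default_factory=dict)
    grants: dict = field(default_factory=dict)

    def store(self, record_id: str, owner: HealthCard, plaintext: bytes) -> None:
        record_key = secrets.token_bytes(32)
        wrapped = owner.wrap_key(record_key)  # refused unless the patient entered the PIN
        self.records[record_id] = seal(record_key, plaintext)
        self.grants[(record_id, owner.card_id)] = wrapped
    def grant(self, record_id: str, owner: HealthCard, professional: HealthCard) -> None:
        """Data sovereignty: only the patient's unlocked card releases the record key."""
        record_key = owner.unwrap_key(self.grants[(record_id, owner.card_id)])
        self.grants[(record_id, professional.card_id)] = professional.wrap_key(record_key)
    def read(self, record_id: str, card: HealthCard) -> bytes:
        wrapped = self.grants.get((record_id, card.card_id))
        if wrapped is None:
            raise PermissionError("no access granted to this card")
        return open_sealed(card.unwrap_key(wrapped), self.records[record_id])

def run_scenario() -> dict:
    """Constructed walk-through: store, grant to a physician, PIN guessing on a lost card."""
    patient, doctor, server, out = HealthCard("1234"), HealthCard("0000"), EHRServer(), {}
    try:
        server.store("rec1", patient, b"blood group: A+")
        out["store_without_pin"] = "allowed"
    except PermissionError:
        out["store_without_pin"] = "denied"
    patient.verify_pin("1234")
    server.store("rec1", patient, b"blood group: A+")
    out["server_sees_plaintext"] = b"blood group" in server.records["rec1"]
    doctor.verify_pin("0000")
    try:
        server.read("rec1", doctor)
        out["doctor_before_grant"] = "allowed"
    except PermissionError:
        out["doctor_before_grant"] = "denied"
    server.grant("rec1", patient, doctor)
    out["doctor_after_grant"] = server.read("rec1", doctor)
    lost = HealthCard("4711")
    for guess in ("0000", "1111", "2222"):  # three wrong guesses block the card
        lost.verify_pin(guess)
    out["blocked_after_wrong_pins"] = not lost.verify_pin("4711")
    return out
```

Calling `run_scenario()` shows the four properties the slides ask for: the server never holds plaintext, a card whose PIN has not been verified can neither write nor grant, a professional's card reads nothing until the patient's card has granted it, and three wrong PINs block the card for good. In this model the record key passes through the host at the practice on its way from the patient's card to the professional's card; the real eHC's key-transport and card-management protocols are not on the slides and are not modelled here.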

German Healthcare Telematics

[Figure: architecture diagram built up over several slides, showing the Healthcare Telematics boundary, the eHC and the HPC]

Existing Security Analyses

Dienstag, 14. Dezember 2010

Existing Security Analyses

SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICSINFRASTRUCTURE IN GERMANY

Michael Huber, Ali Sunyaev and Helmut KrcmarChair for Information Systems, Technische Universitat Munchen, Germany

{hubermic, sunyaev, krcmar}@in.tum.de

Keywords: Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Sys-tems.

Abstract: Based on ISO 27001 for Information Security Management Systems, this paper introduces a newly developedsecurity analysis approach, suitable for technical security analyses in general. This approach is used for asecurity analysis of several components and processes of the Health Care Telematics in Germany. Besides theresults of the analysis, basics for further analysis and verification activities is given.

1 INTRODUCTION

In Germany, the Electronic Health Card (eHC) willreplace the present health card as requested by law.By establishing the eHC, several improvements, suchas cost savings, better ways of communication in thehealth care sector or the self-determination of the in-sured person concerning medical data, are supposedto be achieved (Schabetsberger et al., 2006).

The use of IT to administrate medical data of theinsured, implicates the question, whether these sys-tems are safe enough to satisfy requirements like pri-vacy, safety, security and availability (Heeks, 2006).The data administrated by the eHC and its infras-tructure is mosltly strictly confidential as it containspersonal information about peoples state of health,course of disease and hereditary diseases (Lorenceand Churchill, 2005). As for example insurance com-panies or employers would be highly interested insuch information, the security measures of TI systemsdealing with them have to be analysed in detail (An-derson, 2001).

Due to their ethical, judicial and social implica-tions, medical information requires extremely sensi-tive handling. These aspects emphasise the need for asecurity method that evaluates the technical aspects ofinformation security in a health environment. In thispaper, we first introduce the health telematics infras-tructure. After the introduction, an analysis approachbased on ISO 27001 is introduced in chapter 3. Theresult of its application to several components of thehealth telematics infrastructure is presented in chap-ter 4. Chapter 5 concludes the paper and provides an

outlook. The current security status of health care inGermany was evaluated and valuable hints for futuredevelopments in the health care sector could be de-rived.

The paper is based on a literature review (e.g.Computers & Security, Information Management &Computer Security, Information Systems Security, In-ternational Journal of Medical Informatics, Informa-tion Systems Journal, European Journal of Informa-tion Systems, International Journal of Information Se-curity, security & privacy, Journal of computer secu-rity, ACM Transaction on Information and SystemsSecurity und ACM Computing Surveys). The secu-rity analysis approach presented in this paper differsfrom other approaches due to the following aspects:Focus (health care sector; technical evaluation of se-curity measures), being up-to-date (appliance of up-to-date techniques and standards) and regional dis-tinctions (located in germany, regional and politicalconditions).

2 THE HEALTH TELEMATICSINFRASTRUCTURE

The present health card in Germany is a storage-onlysmart card, whereas the eHC will provide a micro-processor enabling services such as the ciphering orsigning of information (Schweiger et al., 2007). Thisinsurance card is actually used exclusively for admin-istrative purposes such as identifying the insured per-son or accessing administrative data stored on the card

144

• Network security• Access control policies

Dienstag, 14. Dezember 2010

Existing Security Analyses

SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICSINFRASTRUCTURE IN GERMANY

Michael Huber, Ali Sunyaev and Helmut KrcmarChair for Information Systems, Technische Universitat Munchen, Germany

{hubermic, sunyaev, krcmar}@in.tum.de

Keywords: Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Sys-tems.

Abstract: Based on ISO 27001 for Information Security Management Systems, this paper introduces a newly developedsecurity analysis approach, suitable for technical security analyses in general. This approach is used for asecurity analysis of several components and processes of the Health Care Telematics in Germany. Besides theresults of the analysis, basics for further analysis and verification activities is given.

1 INTRODUCTION

In Germany, the Electronic Health Card (eHC) willreplace the present health card as requested by law.By establishing the eHC, several improvements, suchas cost savings, better ways of communication in thehealth care sector or the self-determination of the in-sured person concerning medical data, are supposedto be achieved (Schabetsberger et al., 2006).

The use of IT to administrate medical data of theinsured, implicates the question, whether these sys-tems are safe enough to satisfy requirements like pri-vacy, safety, security and availability (Heeks, 2006).The data administrated by the eHC and its infras-tructure is mosltly strictly confidential as it containspersonal information about peoples state of health,course of disease and hereditary diseases (Lorenceand Churchill, 2005). As for example insurance com-panies or employers would be highly interested insuch information, the security measures of TI systemsdealing with them have to be analysed in detail (An-derson, 2001).

Due to their ethical, judicial and social implica-tions, medical information requires extremely sensi-tive handling. These aspects emphasise the need for asecurity method that evaluates the technical aspects ofinformation security in a health environment. In thispaper, we first introduce the health telematics infras-tructure. After the introduction, an analysis approachbased on ISO 27001 is introduced in chapter 3. Theresult of its application to several components of thehealth telematics infrastructure is presented in chap-ter 4. Chapter 5 concludes the paper and provides an

outlook. The current security status of health care inGermany was evaluated and valuable hints for futuredevelopments in the health care sector could be de-rived.

The paper is based on a literature review (e.g.Computers & Security, Information Management &Computer Security, Information Systems Security, In-ternational Journal of Medical Informatics, Informa-tion Systems Journal, European Journal of Informa-tion Systems, International Journal of Information Se-curity, security & privacy, Journal of computer secu-rity, ACM Transaction on Information and SystemsSecurity und ACM Computing Surveys). The secu-rity analysis approach presented in this paper differsfrom other approaches due to the following aspects:Focus (health care sector; technical evaluation of se-curity measures), being up-to-date (appliance of up-to-date techniques and standards) and regional dis-tinctions (located in germany, regional and politicalconditions).

2 THE HEALTH TELEMATICSINFRASTRUCTURE

The present health card in Germany is a storage-onlysmart card, whereas the eHC will provide a micro-processor enabling services such as the ciphering orsigning of information (Schweiger et al., 2007). Thisinsurance card is actually used exclusively for admin-istrative purposes such as identifying the insured per-son or accessing administrative data stored on the card

144

• Network security• Access control policies

SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD’S PERIPHERAL PARTS

Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, 85748 Garching, Germany

{sunyaev, kaletsch, mauro, krcmar}@in.tum.de

Keywords: Security Analysis, Electronic Health Card, Health Care Telematics.

Abstract: This paper describes a technical security analysis which is based on experiments done in a laboratory and verified in a physician’s practice. The health care telematics infrastructure in Germany stipulates every physician and every patient to automatically be given an electronic health smart card (for patients) and a corresponding health professional card (for health care providers). We analyzed these cards and the peripheral parts of the telematics infrastructure according to the ISO 27001 security standard. The introduced attack scenarios show that there are several security issues in the peripheral parts of the German health care telematics. Based on discovered vulnerabilities we provide corresponding security measures to overcome these open issues and derive conceivable consequences for the nation-wide introduction of electronic health card in Germany.

1 INTRODUCTION

During the next years in Germany the present health insurance card will be replaced by the new electronic health card (eHC) (Sunyaev et al., 2009). The introduction tends to improve the efficiency of the health system and the patients’ rights (Bales, 2003, p.5). In order to reduce costs in the public sector and to create a homogeneous communication basis a nationwide system is created – the health care telematics infrastructure (TI). The eHC will not only contain administrative data but also detailed information about the patient and his treatments. These pieces of information, covered by the obligation of secrecy in the physician-patient relationship and highly protected by law (Berg, 2004, pp.412-413), will now be stored in central databases in order to improve services for the patients.

Digitizing this information bears risks (Mandl et al., 2007). Insurance companies, banks, employers or marketing firms are only a few of several organizations highly interested in health data (Huber et al., 2008, p.1). Getting to know people’s state of health, etiopathology or congenital diseases could give them a remarkable competitive advantage. Each individual whose data are stolen could get into serious trouble (Blobel, 2004). As a consequence patients could possibly get significant issues when

taking out a loan or trying to find insurance (Anderson, 2001). Furthermore, one’s reputation could get tarnished when the wrong pieces of own sensitive medical information becomes publicly accessible (Schneider, 2004).

This paper is based on extensive laboratory experiments and on a detailed review of gematik’s specifications (detailed information about health care telematics specifications can be found at the organization`s website - http://www.gematik.de). Based on ISO 27001 for Information Security Management Systems Standard and BSI Security Guidelines (BSI, 2004), we focus on security issues in the peripheral parts of the telematics system and verify them in practice. These concerns are categorized and possible solutions are presented in this paper.

After the introduction of the German health care telematics and its peripheral parts, the configurations of the laboratory and the physician`s practice are described in section 4. The results of the performed security analysis and possible consequences are presented in sections 5 and 6. Section 7 summarizes our key findings and provides recommendations for future work in this area.

19

• Peripheral parts (end-user systems)

Dienstag, 14. Dezember 2010

Existing Security Analyses

SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICSINFRASTRUCTURE IN GERMANY

Michael Huber, Ali Sunyaev and Helmut KrcmarChair for Information Systems, Technische Universitat Munchen, Germany

{hubermic, sunyaev, krcmar}@in.tum.de

Keywords: Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Sys-tems.

Abstract: Based on ISO 27001 for Information Security Management Systems, this paper introduces a newly developedsecurity analysis approach, suitable for technical security analyses in general. This approach is used for asecurity analysis of several components and processes of the Health Care Telematics in Germany. Besides theresults of the analysis, basics for further analysis and verification activities is given.

1 INTRODUCTION

In Germany, the Electronic Health Card (eHC) willreplace the present health card as requested by law.By establishing the eHC, several improvements, suchas cost savings, better ways of communication in thehealth care sector or the self-determination of the in-sured person concerning medical data, are supposedto be achieved (Schabetsberger et al., 2006).

The use of IT to administrate medical data of theinsured, implicates the question, whether these sys-tems are safe enough to satisfy requirements like pri-vacy, safety, security and availability (Heeks, 2006).The data administrated by the eHC and its infras-tructure is mosltly strictly confidential as it containspersonal information about peoples state of health,course of disease and hereditary diseases (Lorenceand Churchill, 2005). As for example insurance com-panies or employers would be highly interested insuch information, the security measures of TI systemsdealing with them have to be analysed in detail (An-derson, 2001).

Due to their ethical, judicial and social implica-tions, medical information requires extremely sensi-tive handling. These aspects emphasise the need for asecurity method that evaluates the technical aspects ofinformation security in a health environment. In thispaper, we first introduce the health telematics infras-tructure. After the introduction, an analysis approachbased on ISO 27001 is introduced in chapter 3. Theresult of its application to several components of thehealth telematics infrastructure is presented in chap-ter 4. Chapter 5 concludes the paper and provides an

outlook. The current security status of health care inGermany was evaluated and valuable hints for futuredevelopments in the health care sector could be de-rived.

The paper is based on a literature review (e.g.Computers & Security, Information Management &Computer Security, Information Systems Security, In-ternational Journal of Medical Informatics, Informa-tion Systems Journal, European Journal of Informa-tion Systems, International Journal of Information Se-curity, security & privacy, Journal of computer secu-rity, ACM Transaction on Information and SystemsSecurity und ACM Computing Surveys). The secu-rity analysis approach presented in this paper differsfrom other approaches due to the following aspects:Focus (health care sector; technical evaluation of se-curity measures), being up-to-date (appliance of up-to-date techniques and standards) and regional dis-tinctions (located in germany, regional and politicalconditions).

2 THE HEALTH TELEMATICSINFRASTRUCTURE

The present health card in Germany is a storage-onlysmart card, whereas the eHC will provide a micro-processor enabling services such as the ciphering orsigning of information (Schweiger et al., 2007). Thisinsurance card is actually used exclusively for admin-istrative purposes such as identifying the insured per-son or accessing administrative data stored on the card

144

• Network security• Access control policies

SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD’S PERIPHERAL PARTS

Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, 85748 Garching, Germany

{sunyaev, kaletsch, mauro, krcmar}@in.tum.de

Keywords: Security Analysis, Electronic Health Card, Health Care Telematics.

Abstract: This paper describes a technical security analysis which is based on experiments done in a laboratory and verified in a physician’s practice. The health care telematics infrastructure in Germany stipulates every physician and every patient to automatically be given an electronic health smart card (for patients) and a corresponding health professional card (for health care providers). We analyzed these cards and the peripheral parts of the telematics infrastructure according to the ISO 27001 security standard. The introduced attack scenarios show that there are several security issues in the peripheral parts of the German health care telematics. Based on discovered vulnerabilities we provide corresponding security measures to overcome these open issues and derive conceivable consequences for the nation-wide introduction of electronic health card in Germany.

1 INTRODUCTION

During the next years in Germany the present health insurance card will be replaced by the new electronic health card (eHC) (Sunyaev et al., 2009). The introduction tends to improve the efficiency of the health system and the patients’ rights (Bales, 2003, p.5). In order to reduce costs in the public sector and to create a homogeneous communication basis a nationwide system is created – the health care telematics infrastructure (TI). The eHC will not only contain administrative data but also detailed information about the patient and his treatments. These pieces of information, covered by the obligation of secrecy in the physician-patient relationship and highly protected by law (Berg, 2004, pp.412-413), will now be stored in central databases in order to improve services for the patients.

Digitizing this information bears risks (Mandl et al., 2007). Insurance companies, banks, employers or marketing firms are only a few of several organizations highly interested in health data (Huber et al., 2008, p.1). Getting to know people’s state of health, etiopathology or congenital diseases could give them a remarkable competitive advantage. Each individual whose data are stolen could get into serious trouble (Blobel, 2004). As a consequence patients could possibly get significant issues when

taking out a loan or trying to find insurance (Anderson, 2001). Furthermore, one’s reputation could get tarnished when the wrong pieces of own sensitive medical information becomes publicly accessible (Schneider, 2004).

This paper is based on extensive laboratory experiments and on a detailed review of gematik’s specifications (detailed information about health care telematics specifications can be found at the organization`s website - http://www.gematik.de). Based on ISO 27001 for Information Security Management Systems Standard and BSI Security Guidelines (BSI, 2004), we focus on security issues in the peripheral parts of the telematics system and verify them in practice. These concerns are categorized and possible solutions are presented in this paper.

After the introduction of the German health care telematics and its peripheral parts, the configurations of the laboratory and the physician`s practice are described in section 4. The results of the performed security analysis and possible consequences are presented in sections 5 and 6. Section 7 summarizes our key findings and provides recommendations for future work in this area.

19

• Peripheral parts (end-user systems)

• Platform securitySecuring the E-Health Cloud

Hans LöhrHorst Görtz Institute

for IT Security

Ruhr-University Bochum

Germany

[email protected]

Ahmad-Reza SadeghiHorst Görtz Institute

for IT Security

Ruhr-University Bochum

Germany

[email protected]

Marcel WinandyHorst Görtz Institute

for IT Security

Ruhr-University Bochum

Germany

[email protected]

ABSTRACT

Modern information technology is increasingly used in health-care with the goal to improve and enhance medical servicesand to reduce costs. In this context, the outsourcing ofcomputation and storage resources to general IT providers(cloud computing) has become very appealing. E-healthclouds offer new possibilities, such as easy and ubiquitousaccess to medical data, and opportunities for new businessmodels. However, they also bear new risks and raise chal-lenges with respect to security and privacy aspects.

In this paper, we point out several shortcomings of cur-rent e-health solutions and standards, particularly they donot address the client platform security, which is a crucialaspect for the overall security of e-health systems. To fillthis gap, we present a security architecture for establishingprivacy domains in e-health infrastructures. Our solutionprovides client platform security and appropriately combinesthis with network security concepts. Moreover, we discussfurther open problems and research challenges on security,privacy and usability of e-health cloud systems.

Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and Protection—information flow controls, security kernels; J.3 [Life and

Medical Sciences]: Medical Information Systems

General Terms

Security

Keywords

E-Health, security architecture, information flow, isolation,client platform security

1. INTRODUCTION

The application of information technology to healthcare(healthcare IT) has become increasingly important in many

Permission to make digital or hard copies of all or part of this work forpersonal or classroom use is granted without fee provided that copies arenot made or distributed for profit or commercial advantage and that copiesbear this notice and the full citation on the first page. To copy otherwise, torepublish, to post on servers or to redistribute to lists, requires prior specificpermission and/or a fee.IHI’10, November 11–12, 2010, Arlington, Virginia, USA.Copyright 2010 ACM 978-1-4503-0030-8/10/11 ...$10.00.

countries in the recent years. There are continuing efforts onnational and international standardization for interoperabil-ity and data exchange. Many different application scenariosare envisaged in electronic healthcare (e-health), e.g., elec-tronic health records [12, 23, 22], accounting and billing [17,24], medical research, and trading intellectual property [15].In particular e-health systems like electronic health records(EHRs) are believed to decrease costs in healthcare (e.g.,avoiding expensive double diagnoses, or repetitive drug ad-ministration) and to improve personal health managementin general.Examples of national activities are the e-health approach

in Austria [23], the German electronic Health Card (eHC)system [12] under development, or the Taiwan ElectronicMedical Record Template (TMT) [22]. In Germany each in-sured person will get a smartcard that not only contains ad-ministrative information (name, health insurance company),but also can be used to access and store medical data likeelectronic prescriptions, emergency information like bloodgroup, medication history, and electronic health records.The smartcard contains cryptographic keys and functionsto identify the patient and to encrypt sensitive data. TheTMT in Taiwan concentrates on a standardized documentdata structure to ease information sharing, but also con-tains a similar infrastructure based on smartcards allowingto share and transfer EHRs. A common approach in allthese systems is to store medical data in central data cen-ters, which build the core concept of a centrally managedhealthcare telematics infrastructure.On the international basis the ISO (Technical Committee

215) [16] and the Health Level 7 consortium (HL7) [14] de-fine standards for e-health infrastructures. While they alsoinclude specifications for security and privacy aspects, theirmain focus is currently the interoperability and definition ofcommon document exchange formats and nomenclature ofmedical data objects.Obviously e-health systems store and process very sen-

sitive data and should have a proper security and privacyframework and mechanisms since the disclosure of healthdata may have severe (social) consequences especially forpatients. For example, banks or employers could refuse aloan or a job if the data about the health of a person isavailable. If health data is leaked outside the system delib-erately or accidentally, the responsible health professionalsor IT providers would have to face severe legal penalties forviolating privacy laws.When addressing privacy regulations with technical solu-

tions, we are faced with a number of difficulties: E-Health

Dienstag, 14. Dezember 2010

Existing Security Analyses

SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICSINFRASTRUCTURE IN GERMANY

Michael Huber, Ali Sunyaev and Helmut KrcmarChair for Information Systems, Technische Universitat Munchen, Germany

{hubermic, sunyaev, krcmar}@in.tum.de

Keywords: Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Sys-tems.

Abstract: Based on ISO 27001 for Information Security Management Systems, this paper introduces a newly developedsecurity analysis approach, suitable for technical security analyses in general. This approach is used for asecurity analysis of several components and processes of the Health Care Telematics in Germany. Besides theresults of the analysis, basics for further analysis and verification activities is given.

1 INTRODUCTION

In Germany, the Electronic Health Card (eHC) willreplace the present health card as requested by law.By establishing the eHC, several improvements, suchas cost savings, better ways of communication in thehealth care sector or the self-determination of the in-sured person concerning medical data, are supposedto be achieved (Schabetsberger et al., 2006).

The use of IT to administrate medical data of theinsured, implicates the question, whether these sys-tems are safe enough to satisfy requirements like pri-vacy, safety, security and availability (Heeks, 2006).The data administrated by the eHC and its infras-tructure is mosltly strictly confidential as it containspersonal information about peoples state of health,course of disease and hereditary diseases (Lorenceand Churchill, 2005). As for example insurance com-panies or employers would be highly interested insuch information, the security measures of TI systemsdealing with them have to be analysed in detail (An-derson, 2001).

Due to their ethical, judicial and social implica-tions, medical information requires extremely sensi-tive handling. These aspects emphasise the need for asecurity method that evaluates the technical aspects ofinformation security in a health environment. In thispaper, we first introduce the health telematics infras-tructure. After the introduction, an analysis approachbased on ISO 27001 is introduced in chapter 3. Theresult of its application to several components of thehealth telematics infrastructure is presented in chap-ter 4. Chapter 5 concludes the paper and provides an

outlook. The current security status of health care inGermany was evaluated and valuable hints for futuredevelopments in the health care sector could be de-rived.

The paper is based on a literature review (e.g.Computers & Security, Information Management &Computer Security, Information Systems Security, In-ternational Journal of Medical Informatics, Informa-tion Systems Journal, European Journal of Informa-tion Systems, International Journal of Information Se-curity, security & privacy, Journal of computer secu-rity, ACM Transaction on Information and SystemsSecurity und ACM Computing Surveys). The secu-rity analysis approach presented in this paper differsfrom other approaches due to the following aspects:Focus (health care sector; technical evaluation of se-curity measures), being up-to-date (appliance of up-to-date techniques and standards) and regional dis-tinctions (located in germany, regional and politicalconditions).

2 THE HEALTH TELEMATICSINFRASTRUCTURE

The present health card in Germany is a storage-onlysmart card, whereas the eHC will provide a micro-processor enabling services such as the ciphering orsigning of information (Schweiger et al., 2007). Thisinsurance card is actually used exclusively for admin-istrative purposes such as identifying the insured per-son or accessing administrative data stored on the card

144

• Network security• Access control policies

SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD’S PERIPHERAL PARTS

Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, 85748 Garching, Germany

{sunyaev, kaletsch, mauro, krcmar}@in.tum.de

Keywords: Security Analysis, Electronic Health Card, Health Care Telematics.

Abstract: This paper describes a technical security analysis which is based on experiments done in a laboratory and verified in a physician’s practice. The health care telematics infrastructure in Germany stipulates every physician and every patient to automatically be given an electronic health smart card (for patients) and a corresponding health professional card (for health care providers). We analyzed these cards and the peripheral parts of the telematics infrastructure according to the ISO 27001 security standard. The introduced attack scenarios show that there are several security issues in the peripheral parts of the German health care telematics. Based on discovered vulnerabilities we provide corresponding security measures to overcome these open issues and derive conceivable consequences for the nation-wide introduction of electronic health card in Germany.

1 INTRODUCTION

During the next years in Germany the present health insurance card will be replaced by the new electronic health card (eHC) (Sunyaev et al., 2009). The introduction is intended to improve the efficiency of the health system and the patients' rights (Bales, 2003, p.5). In order to reduce costs in the public sector and to create a homogeneous communication basis a nationwide system is created – the health care telematics infrastructure (TI). The eHC will not only contain administrative data but also detailed information about the patient and their treatments. These pieces of information, covered by the obligation of secrecy in the physician-patient relationship and highly protected by law (Berg, 2004, pp.412-413), will now be stored in central databases in order to improve services for the patients.

Digitizing this information bears risks (Mandl et al., 2007). Insurance companies, banks, employers or marketing firms are only a few of several organizations highly interested in health data (Huber et al., 2008, p.1). Getting to know people's state of health, etiopathology or congenital diseases could give them a remarkable competitive advantage. Each individual whose data are stolen could get into serious trouble (Blobel, 2004). As a consequence patients could possibly face significant problems when taking out a loan or trying to find insurance (Anderson, 2001). Furthermore, one's reputation could get tarnished when the wrong pieces of one's own sensitive medical information become publicly accessible (Schneider, 2004).

This paper is based on extensive laboratory experiments and on a detailed review of gematik's specifications (detailed information about health care telematics specifications can be found at the organization's website - http://www.gematik.de). Based on the ISO 27001 standard for Information Security Management Systems and the BSI Security Guidelines (BSI, 2004), we focus on security issues in the peripheral parts of the telematics system and verify them in practice. These concerns are categorized and possible solutions are presented in this paper.

After the introduction of the German health care telematics and its peripheral parts, the configurations of the laboratory and the physician's practice are described in section 4. The results of the performed security analysis and possible consequences are presented in sections 5 and 6. Section 7 summarizes our key findings and provides recommendations for future work in this area.


• Peripheral parts (end-user systems)

• Platform security

Securing the E-Health Cloud

Hans Löhr ([email protected]), Ahmad-Reza Sadeghi ([email protected]), Marcel Winandy ([email protected])

Horst Görtz Institute for IT Security, Ruhr-University Bochum, Germany

ABSTRACT

Modern information technology is increasingly used in healthcare with the goal to improve and enhance medical services and to reduce costs. In this context, the outsourcing of computation and storage resources to general IT providers (cloud computing) has become very appealing. E-health clouds offer new possibilities, such as easy and ubiquitous access to medical data, and opportunities for new business models. However, they also bear new risks and raise challenges with respect to security and privacy aspects.

In this paper, we point out several shortcomings of current e-health solutions and standards, particularly that they do not address client platform security, which is a crucial aspect for the overall security of e-health systems. To fill this gap, we present a security architecture for establishing privacy domains in e-health infrastructures. Our solution provides client platform security and appropriately combines this with network security concepts. Moreover, we discuss further open problems and research challenges on security, privacy and usability of e-health cloud systems.

Categories and Subject Descriptors

D.4.6 [Operating Systems]: Security and Protection—information flow controls, security kernels; J.3 [Life and Medical Sciences]: Medical Information Systems

General Terms

Security

Keywords

E-Health, security architecture, information flow, isolation,client platform security

1. INTRODUCTION

The application of information technology to healthcare (healthcare IT) has become increasingly important in many countries in recent years. There are continuing efforts on national and international standardization for interoperability and data exchange. Many different application scenarios are envisaged in electronic healthcare (e-health), e.g., electronic health records [12, 23, 22], accounting and billing [17, 24], medical research, and trading intellectual property [15]. In particular e-health systems like electronic health records (EHRs) are believed to decrease costs in healthcare (e.g., avoiding expensive double diagnoses, or repetitive drug administration) and to improve personal health management in general.

Examples of national activities are the e-health approach in Austria [23], the German electronic Health Card (eHC) system [12] under development, or the Taiwan Electronic Medical Record Template (TMT) [22]. In Germany each insured person will get a smartcard that not only contains administrative information (name, health insurance company), but also can be used to access and store medical data like electronic prescriptions, emergency information like blood group, medication history, and electronic health records. The smartcard contains cryptographic keys and functions to identify the patient and to encrypt sensitive data. The TMT in Taiwan concentrates on a standardized document data structure to ease information sharing, but also contains a similar infrastructure based on smartcards allowing them to share and transfer EHRs. A common approach in all these systems is to store medical data in central data centers, which build the core concept of a centrally managed healthcare telematics infrastructure.

At the international level the ISO (Technical Committee 215) [16] and the Health Level 7 consortium (HL7) [14] define standards for e-health infrastructures. While they also include specifications for security and privacy aspects, their main focus is currently the interoperability and definition of common document exchange formats and nomenclature of medical data objects.

Obviously e-health systems store and process very sensitive data and should have a proper security and privacy framework and mechanisms, since the disclosure of health data may have severe (social) consequences especially for patients. For example, banks or employers could refuse a loan or a job if the data about the health of a person is available. If health data is leaked outside the system deliberately or accidentally, the responsible health professionals or IT providers would have to face severe legal penalties for violating privacy laws.

When addressing privacy regulations with technical solutions, we are faced with a number of difficulties: E-Health

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. IHI'10, November 11–12, 2010, Arlington, Virginia, USA. Copyright 2010 ACM 978-1-4503-0030-8/10/11 ...$10.00.

OPEN SECURITY ISSUES IN GERMAN HEALTHCARE TELEMATICS

Ali Sunyaev, Department of Informatics, Technische Universität München, Munich, Germany, sunyaev@in.tum.de

Jan Marco Leimeister, Department of Economics, Universität Kassel, Germany, leimeister@uni-kassel.de

Helmut Krcmar, Department of Informatics, Technische Universität München, Munich, Germany, krcmar@in.tum.de

Keywords: Security analysis, Healthcare telematics, Electronic health card, Information systems security, Healthcare IS security.


1 INTRODUCTION


telematics infrastructure manage highly confidential medical information, including data on patients' health conditions, course of disease and hereditary diseases (Lorence and Churchill, 2005), requirements regarding privacy, safety, security and availability of such data throughout the system are extremely sensitive. Disclosure of patient medical data could have severe social consequences, e.g. denial of employment or insurance because of certain illnesses (Mandl and Kohane, 2008). As possible vulnerabilities and leakage of confidential data is a recurring problem in the modern information system landscape, an in-depth security analysis of this healthcare telematics system is indispensable.

In this paper, we first introduce the German healthcare telematics infrastructure. Chapter 3 explains details of the analysis, including the examined specification documentations and components, the identification of threats and required security requirements. The security analysis we conducted was implemented according to the ISO 27001 security standard. In chapter 4, the results we achieved are presented and explained in


• Other open security issues


Open Problem: Card Management System

gematik_CMS_Facharchitektur_Kartenmanagement_eGK.doc, page 1 of 81, Version 1.6.0, © gematik, as of 07.07.2008

Introduction of the Health Card (Einführung der Gesundheitskarte): Card Management eHC (Kartenmanagement eGK), Functional Architecture (Facharchitektur), Version 1.6.0, Revision main/rel_main/8, as of 07.07.2008, Status: released

gematik_CMS_Fachkonzept_Kartenmanagement_eGK_V1.3.0.doc, page 1 of 62, Version 1.3.0, © gematik, as of 20.06.2008

Introduction of the Health Card: Card Management eHC, Functional Concept (Fachkonzept), Version 1.3.0, Revision main/rel_main/5, as of 20.06.2008, Status: released


Card Management System



(1) Conflicting Requirements

• Security Requirement: „At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized.“

„The card issuer MUST NOT get possession of unencrypted medical application data.“

• Availability Requirement: „When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new eHC.“

The specification requires a particular technical solution:

„The following secret keys MUST be presently managed in the context of the card management: [a list of keys follows].“

⟹ Copies of the keys are stored!


(2) Creating Replacement Cards

• A lost or stolen eHC, or switching health insurance, implies creating a replacement card

• Copies of the keys from the old card are used:

„All data required for the production of the card are available.“

„The card issuer may assign the creation of the card to one or more service providers.“


(3) Re-Encrypting Data

• Issuing a replacement or renewal card implies re-encryption of data

• Input needed for the Card Issuer: ICCSN (eHC ID)

• Input for the Application Operator: „[Card Issuer] transmits the ICCSN of the insured party and other data to the application operator.“

The Application Operator „processes the application data“.



Card Management System

Violation of Data Sovereignty of the Patient !!!!



Conclusion

• German E-Health Card: complex security architecture

• Card Management System has serious flaws:

• Copies of the secret keys of the patients are stored and could spread to other (unauthorized) parties

• Data Sovereignty of the patient is violated!

• Possible solution: remove the technical requirement (instead, designs could use, e.g., secret key sharing)

• MediTrust (platform security for end-users)

• eBPG, eBusiness Plattform Gesundheit (alternative security solution for accessing electronic health records)
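The re-encryption step from (3) combined with the secret-key-sharing alternative the conclusion points to, as an added example (this is not code from the talk and not gematik's design): the patient's symmetric key is split with Shamir's (k, n) threshold scheme among hypothetical custodians (card issuer, application operator and a third escrow party; 2-of-3 is an assumption), so no single party stores a usable copy. When a replacement card is issued, k custodians contribute their shares, the key is reconstructed only for the moment of re-encrypting the server-side record under the new card's key, and it is then discarded. The cipher is a stand-in SHA-256 keystream, not the eHC's real algorithms.

```python
"""Threshold custody of an eHC key for replacement-card re-encryption.

Added illustration (not gematik's design): instead of the card management
keeping full copies of the patient's secret keys, the key is split with
Shamir's (k, n) secret sharing among custodians, so no single party holds
a usable copy; re-encrypting server-side data for a replacement card needs
k custodians to cooperate, and the reconstructed key is used once and
discarded rather than stored.
"""
import hashlib
import secrets

# Mersenne prime 2^127 - 1: a field large enough for keys below 2^127.
PRIME = (1 << 127) - 1


def split_secret(secret, k, n, rng=secrets.randbelow):
    """Split `secret` into n points of a random degree-(k-1) polynomial
    whose constant term is the secret; any k points reconstruct it,
    fewer reveal nothing about it."""
    assert 0 <= secret < PRIME and 1 <= k <= n < PRIME
    coeffs = [secret] + [rng(PRIME) for _ in range(k - 1)]

    def f(x):
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    Involutive (encrypt == decrypt). Demonstration only, not for production."""
    key_bytes = key.to_bytes(16, "big")
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key_bytes + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def reencrypt_for_replacement(ciphertext, old_key_shares, new_key):
    """Re-encrypt one server-side record from the lost card's key to the
    replacement card's key. `old_key_shares` must hold at least k shares;
    the old key exists only inside this function and is never stored."""
    old_key = reconstruct_secret(old_key_shares)
    plaintext = keystream_xor(old_key, ciphertext)
    return keystream_xor(new_key, plaintext)


def demo():
    """Constructed walk-through: 2-of-3 custody, one EHR record, card loss.
    Returns True if the migrated record decrypts under the new card's key."""
    record = b"constructed EHR record: blood group 0-, allergy penicillin"
    old_key = secrets.randbelow(PRIME)            # key of the original eHC
    stored = keystream_xor(old_key, record)       # what the EHR server holds
    # Custodians (hypothetical): card issuer, application operator, escrow.
    issuer, operator, escrow = split_secret(old_key, k=2, n=3)
    new_key = secrets.randbelow(PRIME)            # key of the replacement eHC
    # Issuer and operator cooperate; escrow is not needed for this request.
    migrated = reencrypt_for_replacement(stored, [issuer, operator], new_key)
    return keystream_xor(new_key, migrated) == record


if __name__ == "__main__":
    print("replacement card can read migrated record:", demo())
```

The custody point is in `reconstruct_secret`: with fewer than k shares the interpolation returns a value unrelated to the key (a single share is just one point on a random line), which is what the specification's "copies of the keys are stored" design lacks. The caveat a practitioner should keep in mind is that whichever component runs `reencrypt_for_replacement` sees the key and the plaintext for that moment, so in a real design that step belongs in a trusted component (an HSM or the new card itself) rather than at the card issuer or one of its service providers.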


Questions?

Contact:

Marcel Winandy

Ruhr-University Bochum

[email protected]

http://www.trust.rub.de

Twitter: @marwinK
