File systems that have something to do with health data are particularly well secured, one would think. Ironically, the electronic patient file (EPR) is not. Doctors usually save findings in it as documents and images. In order to guarantee at least formal protection against viruses and Trojans, only certain file types may be loaded into the EPR.
According to the specification of the Gematik (PDF) the file types PDF, JPEG, PNG, TIFF, text / plain and text / rtf, XML, HL7-V3, PKCS7-mime and FHIR + XML. Zip containers are prohibited because they could not only contain any files with malicious code, but also so-called decompression bombs. When unpacking, they write to the entire hard drive and paralyze the computer.
There are currently three ePA server backends in Germany operated by Bitmarck / Rise, IBM and ITSG. Doctors can upload and download reports there using their practice management software. Patients have access via apps of their health insurance companies and can also use them to upload and download files – and, with the start of the new ePA 2.0, also allow or block access by doctors.
TK-App does not reliably recognize zip files
One of the most popular ePA apps is currently “Die TK-App” for Android and iOS smartphones from Techniker Krankenkasse. At the end of November we received an anonymous tip that the Android version 3.15.0 (product version 3.1.0.13) of the TK app would allow the TK-Safe function to load actually forbidden zip containers into the EPR. During the subsequent check, we actually succeeded in uploading a zip file to the EPI and then downloading it again.
Actually, the app should prevent such an upload by checking the type of the file. To do this, however, it apparently only checks its MIME type in the metadata. To get around this, we constructed a zip container “Röntgenbilder.zip”, added the additional ending “.txt” and uploaded it to Google Drive. This classified the file as MIME type “text / plain” based on the filename extension. We then removed the .txt extension from the name and were able to upload “X-ray images.zip” from Google Drive via TK-Safe as a “document without a special form” to the EPR.
Fixed a hole in version 4.1
At the beginning of December, we informed Gematik and Techniker Krankenkasse, which confirmed the gap. Accordingly, the TK app adopted the MIME type “text / plain” identified by Google Drive when it was first uploaded, which Google Drive retained when it changed its name. On December 15, the Techniker Krankenkasse informed us that the gap in the TK app version 4.1 (product version 4.0.0.1) had been closed.
Check only when downloading
Manufacturers of an ePA app must have it certified by Gematik. However, this does not apply to “updates with minor changes”. Accordingly, Gematik had only certified product version 3.1.0 of the TK app and did not find the gap we described in it.
Due to a security gap in the Android app “Die TK-App”, we were able to upload a forbidden zip file to the EPR.
The Techniker Krankenkasse stated, however, that the security of the practices was not endangered by a possible upload of zip files to the EPR. Because all files in the EPR are transmitted end-to-end encrypted, they have to be checked in the front end. And since the TK app is just one of many ways to fill the ePA, doctors must absolutely check the ePA files for possible malicious code when they are downloaded.
A corresponding regulation can be found in the implementation guide of the EPR (gemILF_PS_ePA_V2.0.0.pdf, PDF) from the Gematik. There it says under the newly added point A_17769: “The PS should take measures to protect against possible malware in downloaded documents if the format or the content of the downloaded document does not match the specified document type in the metadata.” PS stands for primary system and means practice administration or hospital information systems.
According to the Techniker Krankenkasse, it should “carry out a plausibility check and take appropriate measures”. However, applications such as the TK app, which the insured can use to upload and download files to the EPR, are not part of the primary systems.
“Security Limit”
According to Gematik, there is no increased security risk with the EPR. She prefers to speak of a “security limit” and writes: “The control of these files lies with the insured himself, which means that only the insured himself can override this and the doctor he trusts can deliberately damage the doctor with a file . This rather unrealistic scenario does not only concern the use of the EPR, it already exists, for example when the findings (such as X-rays) are transmitted on a data carrier, which the insured person brings to the practice. “
Obviously, until the Gematik, word had not got around that Trojans could infect files without informing their owners (doctors or patients).
This raises the question of who is responsible if malicious code does make it into the EPR and bypasses the “plausibility check” and the “appropriate measures”. Because with the ePA it can always be proven who puts a file in the system, the system is more secure than a transmission by e-mail, argues the Gematik. Therefore, there are also no impact assessments of the damage that could result from importing malicious code into the EPR. According to Gematik, according to Section 75b of the Social Code Book V, doctors are obliged to adhere to “standard security measures against malware”.
Doctors and other health care providers should therefore have updated virus scanners and freshly patched PDF readers on their systems. In addition, it is a good idea to open ePA data and mail attachments in a virtual machine, which at least makes it much more difficult for possible malicious code to spread.
Many c’t investigative searches are only possible thanks to anonymous information from whistleblowers.
If you have knowledge of an issue that the public should be aware of, you can send us notices and material. Please use our anonymous and secure mailbox for this.
Liability issues
For fear of possible liability consequences, some doctors do not want to support the EPR in the first place. One doctor wrote to us: “A first step would be to let the patient know by signature that they will not receive their EPR because the legal and technical risks are too high for the doctor and the patient is the doctor of liability consequences due to ignorance his EPR exempted. “
But doctors can’t make it that easy for themselves. Because while the use of an ePA is voluntary for insured persons (opt-out), the doctor has a duty to cooperate according to § 291a SGB V if someone has filled an ePA with doctor data or wants to fill it out. The attending physician must also prove that he has completely viewed the data. Otherwise you could accuse him of a diagnostic error. In contrast to the allegation of a diagnostic error, the burden of proof can be reversed: The doctor must prove that he has actually included all the findings.
At the most recent congress of the independent medical profession, attorney Dirk Wachendorf therefore described the ePA as “an offer that is thoroughly poisoned in terms of liability”. In addition to the professional liability policy, he therefore recommended the assembled doctors to take out “cyber risk insurance”.
Such a policy would probably also be a good thing for those insured with the health insurance, in order to protect themselves against possible claims for damages, should one of their ePA files paralyze a practice with malicious code. Those who do not want to accept the additional costs associated with this still have the option of opting out of the EPR.
No backup, no pity
However, if you want to use the EPR in the future, you should always have a backup ready in case the EPR servers fail. This happened, for example, on December 13th, when the entire telematic infrastructure (TI) failed due to the log4j gap, or on December 16, when IBM switched its backend to ePA 2.0 and a third of all ePAs were unavailable.
Because other TI services currently do not exactly meet the requirements of high-availability systems, the National Association of Statutory Health Insurance Physicians rebelled against the mandatory introduction of the e-prescription in mid-December. Since it is not yet working properly in its background processes despite the start planned for January 2022 and is not available nationwide, the doctors’ representatives wanted to convert the strict provisions of digitization into optional provisions. The KV Westfalen-Lippe communiqué stated: “If the pharmacies in close proximity to the practice are unable or unwilling to receive and redeem e-prescriptions, you can issue the insured person with a paper prescription on sample 16 . “
Alternative paper printouts should also continue to be possible for the electronic certificate of incapacity for work (eAU). The KBV thus went on a direct confrontation course with Gematik and the Federal Ministry of Health (BMG). The BMG then pulled the emergency brake on December 20th and stopped the planned nationwide introduction of the e-prescription on January 1st. Because of “considerable concerns”, “the test and pilot operation should be continued and expanded step by step”, explained a spokesman for the BMG – without mentioning a new introduction date.
In c’t 2/2022 we have put together the c’t Emergency Windows 2022 for you. With the kit for the system running from the USB stick, you can find viruses, save data or reset passwords. We shed light on how the EU wants to use loopholes of the GDPR for content scanners, we tested high-end smartphones, mobile USB-C monitors and server software for private media collection. You will find issue 2/2022 from December 31st in Heise shop and at the well-stocked newspaper kiosk.
(hag)