A Note on the Security in the Card Management System of the German E-Health Card

This is a paper I wrote about the German E-Health Card ("Gesundheitskarte"), in which I analyzed the security implications of the Card Management System (CMS). I presented the paper at eHealth 2010 in Casablanca, Morocco, last week.

While previous work did a lot of security analysis concerning the German Healthcare Telematics infrastructure -- including network security, access control, peripheral parts, and platform security -- the card management system was neglected and received little or no notice from security experts. However, taking a closer look at the specifications from Gematik, one can find serious security flaws and conflicting requirements that ultimately lead to a loss of data sovereignty of the patient, i.e., the patient is no longer in control of his/her data stored in electronic health records (EHR).

The good news is that the deployment of the CMS, and especially the EHR within the telematics, is currently on hold. But the bad news is that the specification of the CMS is still in an insecure state and might be used in the future when EHR systems that use the eHC are deployed.

From the abstract:
The German compulsory health insurance system will introduce an electronic health card (eHC) in the near future. The eHC is supposed to enable new applications like securely storing electronic health records of patients in a central data center infrastructure so that health professionals can access these data via a common network. In this context, the card management system (CMS) is of special interest since it is used to personalize, issue, and maintain the cards. In this paper, we analyze the functional requirements specification of the CMS in Germany and identify several conflicting and ambiguous requirements. As the most important result, the specification defines technical measures that are insufficient to protect the data and data sovereignty of the patient. We discuss the resulting consequences, which might be helpful to improve the system design before its final deployment.

More information: [Paper] [Slides]