The Federal Office for Information Security (BSI) has started three projects to take a closer look at IT security in medical practices. According to the authority, the security situation in the networks connected to the telematics infrastructure (TI) has “so far hardly been recorded”. It plays an essential role “for the processing of sensitive health data” and patient safety.
In a survey in the CyberPraxMed sub-project, network structure and the equipment of typical medical practices are to be recorded and security risks assessed, announced the BSI on Monday. This is intended to statistically answer the question “how often the connector is in parallel operation with a private, conventional router and is therefore unable to fully develop its protective effect”. The connection devices, the replacement of which is highly controversial, form the interface between a practice management system (PVS), an on-site card terminal and the TI.
BSI wants to examine technical expertise
With CyberPraxMed, the BSI also wants to determine “the technical expertise in the area of IT security of the staff, the doctors and any IT service provider commissioned”. In addition, correlations of IT security “with the size of the practice, the type of practice and the geographical location are to be examined”. In addition, the experts want to examine the IT security of practice management systems with the SiPra project. It is intended to analyze the safe operation of various practice systems.
An online survey is already running as part of the SiRiPrax project. The BSI relies on its task under the Social Security Code to regularly assess and adapt an IT security guideline drawn up in 2020 together with the National Association of Statutory Health Insurance Physicians and the National Association of Statutory Health Insurance Dentists. This is intended to “sustainably” strengthen precautions in the area of IT security for resident doctors, dentists and psychotherapists. Practices should indicate the steps they have taken to implement the guidelines. Difficulties that arise during this process can also be mentioned.
The results of all three initiatives should enable the BSI to “specifically improve IT security in medical practices through appropriate recommendations and specifications and thus make an essential contribution to the digitization of the healthcare system”.
Good grades for Gematik
The authority shows little concern about the security situation in the core network of the TI, especially in the Gematik. In doing so, she relies on a situation report she created that was published at the same time Health 2022. Accordingly, the regulations there are “regularly monitored” and are based on “strict specifications”. As a result, the number of security incidents reported by Gematik’s Computer Emergency Response Team (CERT) to its counterpart at the BSI is “very low”. Two out of six incidents reported were DDoS attacks. The small amount is “a clear indication that the security measures and processes taken are effective”.
In August 2022, the Chaos Computer Club (CCC) published a documentation of attack vectors on the video and auto-identification process, the authors still refer to “special events”. The hackers could have bypassed the procedures of six VideoIdent providers and created and filled in an electronic patient file (EHR). In addition, access to the data of an initiated test person was tapped. As a result, the identification process was suspended. The threat is not specific to healthcare.
Security researchers see the situation critically
Security researchers from the CCC environment see the situation less rosy. They have repeatedly uncovered glaring weaknesses and security gaps, for example in the ePA test balloon Vivy, in corona apps and vaccination certificates, practice software, the doctor’s appointment booking software Doctolib, a digital doctor’s calendar or in VideoIdent systems. According to them, no one dares to tackle the crux of the matter – the proof of the identity of participants and thus the preservation of the integrity of the procedures – due to the effort involved.
(mki)
