CCC and the electronic patient file

Chaos Computer Club finds security gaps in electronic patient records


As a patient who sees the introduction of the electronic patient record (ePA) as a sensible and necessary step towards the digitization of patient information, I am deeply concerned by the recent revelations of the Chaos Computer Club (CCC). The security of all of our most sensitive data is at stake, and I feel compelled to share my thoughts and concerns on this sensitive topic as a trained data protection officer under the Ulm Model of UDIS gGmbH.

The CCC and the electronic patient record: a wake-up call for us all

The Chaos Computer Club, known for its in-depth analyses of digital systems, has uncovered alarming security vulnerabilities in electronic patient records at its 38th Chaos Communication Congress [source: 1]. As a patient who wants efficient and secure digital healthcare, this news hits me like a slap in the face.

The CCC's revelations on electronic patient records

The CCC has shown that it is possible to gain unauthorized access to the health data stored in the ePA with relatively little effort [source: 1]. This raises serious questions about the integrity of the system that is supposed to protect our most confidential information.

My concerns as a patient

As someone who could potentially be affected by these security breaches, I am very worried. The idea that my medical history, diagnoses and treatments could fall into the wrong hands is frightening. The CCC and electronic health records have become synonymous with the vulnerability of our digital health data.

The scope of the security gaps

The vulnerabilities uncovered by the CCC are alarming. It has been demonstrated that it is possible to:

  1. obtain valid health professional and practice ID cards as well as third-party health cards [source: 1];
  2. create access tokens for the patient records of any insured person [source: 1];
  3. potentially access the data of all insured persons – without presenting or scanning the health card [source: 1].

As a patient and trained data protection officer, these findings make me doubt the security of electronic patient records. The CCC and the electronic patient file have shown us how fragile our trust in digital healthcare systems can be.

The reaction of those responsible

The Federal Ministry of Health (BMG) has reacted to the CCC’s revelations and assured that the problems will be solved before the official introduction of the ePA [source: 2]. However, as a patient and interim CIO responsible for IT and IT security at a pharmaceutical company, I wonder whether these assurances are sufficient.

Promises and reality

Prof. Dr. Karl Lauterbach, still Federal Minister of Health, promises that the electronic patient file will only be launched when “hacker attacks are impossible” [source: 2]. This statement sounds utopian to me, both as an IT manager with over 45 years of professional experience and as a technically interested patient. No system has ever been 100% secure, none will ever be 100% secure in the future, and such promises raise unrealistic expectations among patients in our home country.

The CCC and the electronic patient record: a wake-up call for more transparency

The work of the CCC has provided us patients with a valuable service. It has highlighted the need for more transparency and an open dialog about the security of our health data. The CCC and the electronic patient file have become catalysts for an urgently needed discussion that is unlikely to affect Prof. Dr. Karl Lauterbach in the future.

Demands for improvements

As an affected patient and as the IT manager of a pharmaceutical company, I agree with the calls for increased security measures. The Professional Association of Pediatricians (BVKJ) has already emphasized that the health data of over 70 million insured persons must not be put at risk under any circumstances [source: 3].

The challenges of digitalization in the healthcare sector

The CCC’s revelations about electronic patient records clearly show the complexity of digitalization in the healthcare sector. As a patient, I recognize the potential benefits of digitized healthcare, but the security concerns weigh heavily on me as an interim CIO (Chief Information Officer).

Balancing act between innovation and security

Digitalization in healthcare promises many benefits: better coordination between doctors, faster access to important information and potentially life-saving data analyses. However, the CCC and the electronic patient file have shown that these benefits must not come at the expense of data security for us as patients! I am surprised that there is no outcry from the public about such a sensitive topic and that the media hardly ever report on it. What is behind this?

My perspective as a technically interested patient

As someone who follows, supports and uses developments in technology for professional reasons, I see both the opportunities and the considerable risks of the current electronic patient record. The CCC and the electronic patient record have triggered an important debate that goes far beyond technical aspects and urgently needs to be considered from an ethical perspective.

The need for a holistic approach

It is not enough just to implement technical solutions. We need a holistic approach that also takes organizational and human/ethical factors into account. The CCC has shown that vulnerabilities lie not only in the software, but also in processes and in the real-life handling of magnetic and chip cards [source: 1].

Solutions and improvements

As a patient, I expect those responsible in politics and software developers to take concrete steps to improve security at all levels. The Federal Office for Information Security (BSI) has already announced a number of measures, which I am convinced are not enough:

  1. Introduction of whitelisting (an allowlist) for participating healthcare facilities [source: 2].
  2. Additional coding of health insurance numbers [source: 2].
  3. Expansion of oversight measures such as monitoring and anomaly detection [source: 2].
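To make the first and third of these measures concrete from a defender's point of view, here is an added Python example. It is not code from this page, from gematik or from the BSI: it gates access-token requests on a constructed allowlist of facility identifiers and runs a simple anomaly check over constructed access-log lines, flagging a facility that touches an unusually large number of distinct insured persons or that accesses records without a health card having been read. The facility identifiers, the log format, the field names and the thresholds are all assumptions; the second measure (additional coding of insurance numbers) is not modelled.

```python
"""Added example, not gematik/BSI code: an allowlist gate for participating
facilities plus a minimal anomaly detector over constructed ePA access logs."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed allowlist of participating facilities (placeholder identifiers,
# not real ePA/telematics identifiers).
ALLOWED_FACILITIES = {"PRACTICE-0001", "PRACTICE-0002", "HOSPITAL-0007"}

# Constructed log lines: timestamp, facility id, pseudonymised insured number,
# and whether a health card was actually read at the terminal.
SAMPLE_LOG = """\
2025-01-02T09:00:01 facility=PRACTICE-0001 kvnr=K000001 card_present=true
2025-01-02T09:03:12 facility=PRACTICE-0001 kvnr=K000002 card_present=true
2025-01-02T09:05:40 facility=PRACTICE-0002 kvnr=K000003 card_present=true
2025-01-02T09:06:00 facility=PRACTICE-0002 kvnr=K000004 card_present=false
2025-01-02T09:06:01 facility=PRACTICE-0002 kvnr=K000005 card_present=false
2025-01-02T09:06:02 facility=PRACTICE-0002 kvnr=K000006 card_present=false
2025-01-02T09:06:03 facility=PRACTICE-0002 kvnr=K000007 card_present=false
2025-01-02T09:10:00 facility=PRACTICE-9999 kvnr=K000008 card_present=true
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    facility: str
    kvnr: str
    card_present: bool


def parse_line(line: str) -> AccessEvent:
    """Parse one 'ts key=value ...' log line (assumed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return AccessEvent(ts, kv["facility"], kv["kvnr"], kv["card_present"] == "true")


def parse_log(text: str) -> list:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_allowed_facility(facility: str, allowlist=ALLOWED_FACILITIES) -> bool:
    """Measure 1: only facilities on the allowlist may request access tokens."""
    return facility in allowlist


def find_anomalies(events, max_distinct_patients: int = 3, max_cardless: int = 0):
    """Measure 3: per facility, flag requests from non-allowlisted facilities,
    an unusually high number of distinct insured persons in the observed
    window, and any access where no card was read. Returns (facility, reason)
    tuples; thresholds are illustrative assumptions."""
    distinct = defaultdict(set)
    cardless = defaultdict(int)
    findings = []
    for ev in events:
        if not is_allowed_facility(ev.facility):
            findings.append((ev.facility, "not on allowlist"))
            continue
        distinct[ev.facility].add(ev.kvnr)
        if not ev.card_present:
            cardless[ev.facility] += 1
    for fac, patients in distinct.items():
        if len(patients) > max_distinct_patients:
            findings.append((fac, f"{len(patients)} distinct insured persons in window"))
    for fac, n in cardless.items():
        if n > max_cardless:
            findings.append((fac, f"{n} accesses without card"))
    return findings


if __name__ == "__main__":
    for facility, reason in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"ALERT {facility}: {reason}")
```

On the constructed sample, PRACTICE-9999 is rejected by the allowlist, and PRACTICE-0002 is flagged twice: five distinct insured persons in the window and four accesses without a card read. In a real deployment the window would be time-bounded and the thresholds tuned per facility type; the point here is only that both announced measures are cheap to express and that the "no card presented" condition from the CCC findings is directly observable in access logs if the card-read status is logged at all.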

These steps sound promising, but as a patient and IT manager, I wonder whether they will be enough to restore the trust shaken by the CCC and the electronic patient file. I have my justified doubts!

The role of patients in the digital healthcare landscape

As a patient and IT expert, the CCC’s revelations about electronic patient records have made me very aware that we all need to take an active role in shaping our digital healthcare. We must not be passive recipients of technologies, but must question them critically and demand our rights, even in court if necessary. The path to the Federal Court of Justice, the Federal Constitutional Court and the European Court of Justice is open to us citizens. Perhaps we have to take this path in an over-regulated Germany and Europe.

Education and enlightenment

One important aspect that the CCC and the electronic patient file have brought to light is the need for education and information for healthcare providers (medical practices, medical care centers, hospitals, health insurance companies, etc.), but also for us as patients. Many patients feel overwhelmed by the complexity of digital healthcare systems, which I can well understand. We need more digital health literacy initiatives!

Ethical considerations

The CCC’s work on electronic patient records also raises important ethical questions. As a patient, I ask myself:

  • How much control do I really have over my health data?
  • Who is responsible if my data is compromised?
  • Who bears the costs for material and immaterial damage?
  • How can we ensure that digitalization does not lead to new forms of discrimination?

These questions show that the CCC and the electronic patient file have not only addressed a technical issue, but also a social one!

A look into the future

Despite the current concerns that the CCC has raised about electronic patient records, as a patient and especially as an IT manager, I am not fundamentally opposed to digitalization in the healthcare sector. I continue to see the enormous potential that lies in a well-implemented electronic patient record. After all, I lecture on this topic at various international universities – both in the healthcare sector and in many other industries.

Hope for improvement

I hope that the CCC’s revelations will serve as a catalyst for real improvements. The electronic patient record, if implemented correctly, could become a new, important milestone in the very good patient care in Germany. However, for this to happen, security concerns must be taken seriously and addressed openly.

Conclusion: The CCC and the electronic patient record as a turning point

The CCC’s discovery of the security gaps in the electronic patient file marks a turning point in the digitalization of our healthcare system in Germany. As a patient and IT professional, I am grateful for the important work of the CCC, which must shake us all awake!

The CCC and the electronic patient file have shown us that there is still a long way to go to secure digital healthcare. At the same time, they have initiated a necessary discussion that will hopefully lead to more robust and trustworthy systems.

As a patient I remain cautiously optimistic; as an IT manager, skeptical. I can only hope that those responsible will learn the right lessons from this experience and that we can all work together – patients, doctors, technicians and politicians – on a secure and useful electronic patient record. This is the only way we can restore the trust that has been damaged by the poor work of the politicians and civil servants responsible on the one hand and the software and hardware developers on the other. The CCC’s revelations about electronic patient records are shocking!

Sources

  1. https://www.deutsche-apotheker-zeitung.de/news/artikel/2025/01/02/chaos-computer-club-legt-sicherheitsluecken-beim-elektronische patient-file-access-open
  2. https://www.heise.de/news/Sicherheitsmaengel-bei-E-Patientenakte-Gesundheitsministerium-haelt-am-Start-fest-10224508.html
  3. https://www.bvkj.de/politik-und-presse/pressemitteilung/schwachstellen-in-der-elektronische Patientenakte-bvkj-fordert-datensicherheit-fuer-kinder-und-jugendliche/
  4. https://ihr-interim-cio.com/keynote-speaker-fuer-digitale-transformation/
  5. https://www.verbraucherzentrale.de/wissen/gesundheit-pflege/krankenversicherung/elektronische-patientenakte-elektronische patient-file-digital-patient-file-for-all-comes-57223
  6. https://ihr-interim-cio.com/blog/2/
  7. https://www.rnd.de/wirtschaft/elektronische-patientenakte-offenbart-schwere-sicherheitsluecken-doch-besser-widersprechen-KCCWIEJDOBGFVPCCHMWI5SNPB4.html
  8. https://www.wiwo.de/politik/deutschland/elektronische-patientenakte-lauterbach-schwaermt-von-e-akte-und-betont-deren-sicherheit/30160720.html
  9. https://cmsattler.de/index.php/2024/08/05/claus-michael-sattler-das-schlimmste-was-einem-interim-manager-passieren-kann/
  10. https://www.ccc.de/en/updates/2024/ende-der-elektronische Patient file experiments
  11. https://www.handelsblatt.com/dpa/elektronische-patientenakte-lauterbach-schwaermt-von-e-akte-und-betont-deren-sicherheit/30160718.html
  12. https://www.dr-datenschutz.de/ccc-elektronische patient-file-for-all-and-data-protection-concerns/
  13. https://www.spiegel.de/netzwelt/netzpolitik/elektronische-patientenakte-elektronische patient-records-ccc-sees-eclatant-security-lacks-a-32dd2310-f52d-403c-9ec7-40d9b6426112
  14. Image: ChatGPT


Dr. Claus Michael Sattler

P.O. Box 1142
28833 Weyhe
Germany

Phone: 0049 174 6031377

E-Mail: cms@sattlerinterim.com
