Preview text of slides 50 to 60 (the full transcript below ends at slide 47; these lines are truncated in the source):

  50. (3) Re-Encrypting Data • Issuing replacement or renewal card impli...
  56. Card Management System: Violation of Data Sovereignty of t...
  57. Conclusion • German E-Health Card: complex security architecture • C...
  60. Questions? Contact: Marcel Winandy ...
A Note on the Security in the Card Management System of the German E-Health Card

  1. A Note on the Security in the Card Management System of the German E-Health Card. Marcel Winandy (Ruhr-University Bochum). 3rd International ICST Conference on Electronic Healthcare for the 21st Century (eHealth 2010), Casablanca, Morocco, 13-15 December 2010. Slide footer: Tuesday, 14 December 2010.
  2. Introduction
     • The German electronic Health Card (eHC)
       • Core component of the Healthcare Telematics
       • Each insured person will have such a card
       • Supposed to enable new applications
       • Smartcard with small storage + cryptographic functions
     • German Healthcare Telematics
       • Under development, going to be rolled out "soon" (originally 2006)
       • Specifications by Gematik (company organization of health institutions)
     • Health Professional Card (HPC)
       • Similar card for all health professionals
       • For identification, authentication, digital signatures
  3. Introduction: Use Cases of eHC
     Obligatory:
     • Identification, Authentication
       - personalized cards
       - individual cryptographic keys
     • European Health Insurance Card (EHIC)
       - printed on the backside
     • Electronic Prescription
       - issuing and filling
       - directly stored on eHC
     Optional:
     • Medical Emergency Data
       - directly stored on eHC
     • Medication History
     • Electronic Health Records
       - centrally stored on servers (in encrypted format)
       - eHC used to encrypt/decrypt and authorize access (via PIN)
     • Other applications
  4. Introduction: Security & Privacy
     • German law requires strong privacy: "Data Sovereignty" (§291a.5 SGB V)
       „Only the patient can define who may access the data associated with the eHC.“
     • German Ministry of Health*: eHC basic security requirements
       „Authentication, authorization, and audit mechanisms have to be chosen so that the data sovereignty of the insured party can be taken for granted.“
     * German Federal Ministry of Health: „Entscheidungsvorlage - Festlegung der Authentisierungs-, Autorisierungs- und Auditmechanismen der Telematikinfrastruktur für die Fachanwendungen“ (decision paper: definition of the authentication, authorization and audit mechanisms of the telematics infrastructure for the specialist applications), Version 0.9.0, March 2006.
  5-12. German Healthcare Telematics (image-only slides built up step by step; no further text)
  13-15. German Healthcare Telematics (diagram labelled "Healthcare Telematics Boundary")
  16. German Healthcare Telematics (diagram adds "eHC")
  17-19. German Healthcare Telematics (diagram adds "HPC" and "eHC")
  20-24. Existing Security Analyses (the slides show the first pages of the papers listed below; the OCR overlay of those pages is garbled in the transcript and only the recoverable bibliographic information is kept here)
     • Network security, access control policies: Michael Huber, Ali Sunyaev and Helmut Krcmar, "Security Analysis of the Health Care Telematics Infrastructure in Germany", Chair for Information Systems, Technische Universität München
     • Peripheral parts (end-user systems): Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar, "Security Analysis of the German Electronic Health Card's Peripheral Parts", Chair for Information Systems, Technische Universität München
     • Platform security: Hans Löhr, Ahmad-Reza Sadeghi and Marcel Winandy, "Securing the E-Health Cloud", Horst Görtz Institute for IT Security, Ruhr-University Bochum
     • Other open security issues (slide 24 shows a further document whose title is not legible in the transcript)
  25-27. Open Problem: Card Management System !!! (slides 26 and 27 show the cover pages of two gematik specification documents)
     • Einführung der Gesundheitskarte: Facharchitektur Kartenmanagement eGK (Introduction of the Health Card: Functional Architecture, Card Management eGK), Version 1.6.0, Revision main/rel_main/8, dated 07.07.2008, status: released; file gematik_CMS_Facharchitektur_Kartenmanagement_eGK.doc, 81 pages, © gematik
     • Einführung der Gesundheitskarte: Fachkonzept Kartenmanagement eGK (Introduction of the Health Card: Functional Concept, Card Management eGK), Version 1.3.0, Revision main/rel_main/5, dated 20.06.2008, status: released; file gematik_CMS_Fachkonzept_Kartenmanagement_eGK_V1.3.0.doc, 62 pages, © gematik
  28-41. Card Management System (image-only slides built up step by step; no further text)
  42. (1) Conflicting Requirements
  • Security Requirement:
    „At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized.“
    „The card issuer MUST NOT get possession of unencrypted medical application data.“
  • Availability Requirement:
    „When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new eHC.“
  • Specification requires a particular technical solution:
    „The following secret keys MUST be presently managed in the context of the card management: [a list of keys follows].“
    ⟹ Copies of the keys are stored !!!
  47. (2) Creating Replacement Cards
  • Lost/stolen eHC or switching health insurance implies creating a replacement card
  • Copies of the keys from the old card are used:
    „All data required for the production of the card are available.“
    „The card issuer may assign the creation of the card to one or more service providers.“
  50. (3) Re-Encrypting Data
  • Issuing a replacement or renewal card implies re-encryption of data
  • Input needed for the Card Issuer: ICCSN (eHC ID)
  • Input for the Application Operator: „[Card Issuer] transmits the ICCSN of the insured party and other data to the application operator.“ The Application Operator „processes the application data“.
  56. Card Management System: Violation of Data Sovereignty of the Patient !!!!
  57. Conclusion
  • German E-Health Card: complex security architecture
  • Card Management System has serious flaws:
    • Copies of the secret keys of the patients are stored and could spread to other (unauthorized) parties
    • Data Sovereignty of the patient is violated!
  • Possible solution: remove the technical requirement (instead: designs could use, e.g., secret key sharing)
  • MediTrust (platform security for end-users)
  • eBPG, eBusiness Plattform Gesundheit (alternative security solution for accessing electronic health records)
  60. Questions? Contact: Marcel Winandy, Ruhr-University Bochum, marcel.winandy@trust.rub.de, http://www.trust.rub.de, Twitter: @marwinK