A Note on the Security in the Card Management System of the German E-Health Card
1. A Note on the Security in the Card Management System of the German E-Health Card
Marcel Winandy
(Ruhr-University Bochum)
3rd International ICST Conference on Electronic Healthcare for the 21st Century (eHealth 2010)
Casablanca, Morocco, 13-15 December 2010
Dienstag, 14. Dezember 2010
2. Introduction
• The German electronic Health Card (eHC)
  - Core component of the Healthcare Telematics
  - Each insured person will have such a card
  - Supposed to enable new applications
  - Smartcard with small storage + cryptographic functions
• German Healthcare Telematics
  - Under development, going to be rolled out "soon" (originally 2006)
  - Specifications by Gematik (company organization of health institutions)
• Health Professional Card (HPC)
  - Similar card for all health professionals
  - For identification, authentication, digital signatures
3. Introduction: Use Cases of eHC
Obligatory:
• Identification, Authentication
  - personalized cards
  - individual cryptographic keys
• European Health Insurance Card (EHIC)
  - printed on the backside
• Electronic Prescription
  - issuing and filling
  - directly stored on eHC
Optional:
• Medical Emergency Data
  - directly stored on eHC
• Medication History
• Electronic Health Records
  - centrally stored on servers (in encrypted format)
  - eHC used to encrypt/decrypt and authorize access (via PIN)
• Other applications
4. Introduction: Security & Privacy
• German law requires strong privacy:
"Data Sovereignty" (§291a.5 SGB V)
„Only the patient can define who may access the data
associated with the eHC.“
• German Ministry of Health*:
eHC basic security requirements
„Authentication, authorization, and audit mechanisms have
to be chosen so that the data sovereignty of the insured
party can be taken for granted.“
* German Federal Ministry of Health: „Entscheidungsvorlage - Festlegung der Authentisierungs-, Autorisierungs- und Auditmechanismen der Telematikinfrastruktur für die Fachanwendungen“, Version 0.9.0, March 2006.
21. Existing Security Analyses
• Network security
• Access control policies
[Paper shown: "Security Analysis of the Health Care Telematics Infrastructure in Germany", Michael Huber, Ali Sunyaev and Helmut Krcmar, Chair for Information Systems, Technische Universität München]
22. Existing Security Analyses
• Network security
• Access control policies
• Peripheral parts (end-user systems)
[Papers shown: the Huber et al. paper from slide 21 and "Security Analysis of the German Electronic Health Card's Peripheral Parts", Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar, Chair for Information Systems, Technische Universität München]
23. Existing Security Analyses
• Network security
• Access control policies
• Peripheral parts (end-user systems)
• Platform security
[Papers shown: the two papers from slides 21 and 22 and "Securing the E-Health Cloud", Hans Löhr, Ahmad-Reza Sadeghi and Marcel Winandy, Horst Görtz Institute for IT Security, Ruhr-University Bochum]
24. Existing Security Analyses
• Network security
• Access control policies
• Peripheral parts (end-user systems)
• Platform security
• Other open security issues
[Papers shown: the three papers from slides 21 to 23 and a further paper whose title is not legible in the extracted slide]
25. Open Problem: Card Management System !!!
42. (1) Conflicting Requirements
• Security Requirement:
„At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized.“
„The card issuer MUST NOT get possession of unencrypted medical
application data.“
• Availability Requirement:
„When a replacement or renewal card is created, it MUST be
assured that application data stored on a server (e.g., EHR) can be
accessed using the new eHC.“
43. (1) Conflicting Requirements
• Security Requirement:
„At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized.“
„The card issuer MUST NOT get possession of unencrypted medical application data.“
• Availability Requirement:
„When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new eHC.“
Specification requires particular technical solution:
„The following secret keys MUST be presently managed in the context of the card management: [a list of keys follows].“
⟹ Copies of the keys are stored !!!
47. (2) Creating Replacement Cards
• Lost/stolen eHC or switching health insurance
implies creating a replacement card
• Copies of the keys from the old card are used:
„All data required for the production of the card are
available.“
„The card issuer may assign the creation of the card to one
or more service providers.“
50. (3) Re-Encrypting Data
• Issuing replacement or renewal card
implies re-encryption of data
• Input needed for Card Issuer: ICCSN (eHC ID)
• Input for the Application Operator:
„[Card Issuer] transmits the ICCSN of the insured party
and other data to the application operator.“
Application Operator „processes the application data“.
56. Card Management System
Violation of Data Sovereignty of the Patient !!!!
57. Conclusion
• German E-Health Card: complex security architecture
• Card Management System has serious flaws:
• Copies of the secret keys of the patients are stored
and could spread to other (unauthorized) parties
• Data Sovereignty of the patient is violated!
• Possible solution: remove technical requirement
(instead: designs could use, e.g., secret key sharing)
58. Conclusion
(same bullets as slide 57, adding:)
• MediTrust (Platform security for end-users)
59. Conclusion
(same bullets as slides 57 and 58, adding:)
• eBPG, eBusiness Plattform Gesundheit (Alternative security solution for accessing electronic health records)
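The re-issuance flow of slide 50 and the "secret key sharing" alternative of the conclusion as an added example, not code from the talk or from gematik's specification. It is a toy Python model that assumes hybrid encryption (a per-record data key wrapped under the card key), replaces the card's real AES/RSA functions with a constructed XOR stream cipher, and uses a 2-of-3 Shamir split among three assumed parties (card issuer, application operator, a trustee for the patient) to show why a stored key copy gives the card management plaintext access while shares alone do not.

```python
import hashlib
import secrets

P = 2**255 - 19  # prime field for Shamir's scheme; every 16-byte key is far below P


def toy_cipher(key: bytes, label: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream: a toy stand-in for the card's real
    AES/RSA operations (constructed for this example; not secure)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_record(card_key: bytes, record: bytes) -> tuple:
    """Hybrid encryption: fresh data key per record, wrapped under the card key."""
    data_key = secrets.token_bytes(16)
    ciphertext = toy_cipher(data_key, b"record", record)
    wrapped_key = toy_cipher(card_key, b"wrap", data_key)
    return ciphertext, wrapped_key


def decrypt_record(card_key: bytes, ciphertext: bytes, wrapped_key: bytes) -> bytes:
    data_key = toy_cipher(card_key, b"wrap", wrapped_key)
    return toy_cipher(data_key, b"record", ciphertext)


def rewrap_with_key_copy(old_card_key: bytes, new_card_key: bytes, wrapped_key: bytes) -> tuple:
    """Re-encryption for a replacement card by a party holding a copy of the
    old card key: it recovers the data key, and with it could read the record."""
    data_key = toy_cipher(old_card_key, b"wrap", wrapped_key)
    return toy_cipher(new_card_key, b"wrap", data_key), data_key


def split_key(key: bytes, k: int, n: int) -> list:
    """Shamir (k, n) sharing: n points on a random degree k-1 polynomial whose
    constant term is the key; fewer than k points give no information."""
    coeffs = [int.from_bytes(key, "big")] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def recover_key(shares: list, key_len: int = 16) -> bytes:
    """Lagrange interpolation at x = 0 over GF(P). With fewer than k shares
    this yields some unrelated field element, not the key."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


def demo() -> dict:
    """Run re-issuance both ways and report what each party can learn."""
    old_key, new_key = secrets.token_bytes(16), secrets.token_bytes(16)
    record = b"constructed sample EHR entry: diagnosis J45.9, 2010-12-14"
    ciphertext, wrapped = encrypt_record(old_key, record)

    # (a) As the specification implies: the card management holds a copy of
    #     the old key, re-wraps the data key for the new card, and thereby
    #     obtains the data key, i.e. access to unencrypted medical data.
    new_wrapped, data_key_seen_by_cms = rewrap_with_key_copy(old_key, new_key, wrapped)
    plaintext_seen_by_cms = toy_cipher(data_key_seen_by_cms, b"record", ciphertext)

    # (b) Alternative: the old key exists only as 2-of-3 shares (assumed
    #     holders: card issuer, application operator, a trustee for the
    #     patient). No single party learns anything; the re-wrap step needs
    #     two of them to cooperate.
    shares = split_key(old_key, 2, 3)
    issuer_alone = recover_key(shares[:1])
    issuer_and_patient = recover_key([shares[0], shares[2]])

    return {
        "new_card_reads_record": decrypt_record(new_key, ciphertext, new_wrapped) == record,
        "cms_saw_plaintext": plaintext_seen_by_cms == record,
        "single_share_reveals_key": issuer_alone == old_key,
        "two_shares_recover_key": issuer_and_patient == old_key,
    }
```

Reconstruction still materialises the old key wherever the shares are combined; a real design would recombine inside the card or a hardware module rather than on a server, which this toy does not model.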