Gematik Acknowledges Security Vulnerabilities in Electronic Patient Records

Wed 29th Jan, 2025

The Gematik organization has recently come under scrutiny for its handling of security vulnerabilities in the electronic patient record system (ePA). As reported, Gematik states that it only recognized the seriousness of these vulnerabilities after security researchers informed it that valid practice identities could be bought on secondary markets.

According to communications obtained by the German Medical Journal, security researchers alerted Gematik to these vulnerabilities in August 2024. At the time, however, Gematik judged the issues to be manageable and the residual risk acceptable. That assessment has now been called into question.

One of the critical vulnerabilities allows unauthorized access to the ePA system using only a Security Module Card Type B (SMC-B), the practice's institution card, together with a connector. The patient's electronic health card does not have to be present, and the attacker does not need to know its Integrated Circuit Card Serial Number (ICCSN) in advance: because the ICCSN can simply be guessed, attackers could iterate through ICCSNs, which is why the potential for mass exploitation has been highlighted. Gematik had previously rated the risk of such attacks as low, citing the high likelihood of detection and the complexity of carrying them out.
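Gematik's "high detection risk" argument only holds if someone actually looks for the enumeration pattern. The following is an added example, not code from Gematik or from the article: a small detector run over constructed access records that flags an SMC-B identity when it presents an implausible number of distinct ICCSNs in a short window, or a run of numerically consecutive ICCSNs. The log line format, the field names (`smcb`, `iccsn`, `result`), the identifiers `PRAXIS-A`/`PRAXIS-B`, the ICCSN values and the thresholds are all assumptions for illustration; the real ePA backend telemetry is not described on this page.

```python
"""Flag ICCSN enumeration by a single SMC-B identity in constructed ePA access records.

Added example. Log format, field names, identifiers and thresholds are
assumptions, not gematik's real telemetry or policy.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    smcb: str    # hypothetical identifier of the practice identity (SMC-B)
    iccsn: str   # ICCSN the caller presented for the patient's health card
    ok: bool     # whether the backend accepted the access


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed line: '<iso-ts> smcb=<id> iccsn=<digits> result=<ok|denied>'."""
    ts_str, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return AccessEvent(datetime.fromisoformat(ts_str), fields["smcb"],
                       fields["iccsn"], fields["result"] == "ok")


def detect_enumeration(events: List[AccessEvent],
                       window: timedelta = timedelta(minutes=10),
                       max_distinct: int = 20,
                       max_sequential: int = 5) -> Dict[str, str]:
    """Return {smcb: reason} for identities whose pattern looks like ICCSN enumeration.

    Two signals, either of which flags the identity:
      * volume: more than `max_distinct` distinct ICCSNs from one SMC-B inside `window`
      * order:  a run of at least `max_sequential` ICCSNs with consecutive numeric values
    A practice that reads the card physically in front of it produces sparse, unordered
    ICCSNs; an attacker stepping through the number space is dense and often sequential.
    """
    by_smcb: Dict[str, List[AccessEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_smcb[ev.smcb].append(ev)

    flagged: Dict[str, str] = {}
    for smcb, evs in by_smcb.items():
        # Signal 1: sliding time window over distinct ICCSNs.
        start = 0
        in_window: Dict[str, int] = {}   # iccsn -> occurrences inside the window
        for ev in evs:
            in_window[ev.iccsn] = in_window.get(ev.iccsn, 0) + 1
            while ev.ts - evs[start].ts > window:   # evict events older than the window
                old = evs[start].iccsn
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                flagged[smcb] = f"{len(in_window)} distinct ICCSNs within {window}"
                break
        if smcb in flagged:
            continue
        # Signal 2: consecutive ICCSN values in time order.
        run, prev = 1, None
        for ev in evs:
            cur = int(ev.iccsn)
            run = run + 1 if prev is not None and cur == prev + 1 else 1
            if run >= max_sequential:
                flagged[smcb] = f"run of {run} consecutive ICCSNs"
                break
            prev = cur
    return flagged


# Constructed sample: PRAXIS-A is a normal practice seeing a few patients over 40 minutes;
# PRAXIS-B presents eight consecutive ICCSNs within eight seconds, mostly rejected.
SAMPLE_LOG = [
    "2025-01-15T09:00:00 smcb=PRAXIS-A iccsn=90000000000000000042 result=ok",
    "2025-01-15T09:30:00 smcb=PRAXIS-B iccsn=90000000000000000100 result=denied",
    "2025-01-15T09:12:00 smcb=PRAXIS-A iccsn=90000000000000000917 result=ok",
    "2025-01-15T09:30:01 smcb=PRAXIS-B iccsn=90000000000000000101 result=denied",
    "2025-01-15T09:30:02 smcb=PRAXIS-B iccsn=90000000000000000102 result=ok",
    "2025-01-15T09:25:00 smcb=PRAXIS-A iccsn=90000000000000000042 result=ok",
    "2025-01-15T09:30:03 smcb=PRAXIS-B iccsn=90000000000000000103 result=denied",
    "2025-01-15T09:30:04 smcb=PRAXIS-B iccsn=90000000000000000104 result=denied",
    "2025-01-15T09:30:05 smcb=PRAXIS-B iccsn=90000000000000000105 result=denied",
    "2025-01-15T09:30:06 smcb=PRAXIS-B iccsn=90000000000000000106 result=denied",
    "2025-01-15T09:30:07 smcb=PRAXIS-B iccsn=90000000000000000107 result=denied",
    "2025-01-15T09:40:00 smcb=PRAXIS-A iccsn=90000000000000000333 result=ok",
]


def load_sample() -> List[AccessEvent]:
    return [parse_line(line) for line in SAMPLE_LOG]


if __name__ == "__main__":
    for smcb, reason in detect_enumeration(load_sample()).items():
        print(f"ALERT {smcb}: {reason}")
```

Denied attempts are deliberately counted alongside accepted ones: an enumerating attacker produces mostly rejections, so a detector that only inspects successful accesses would miss the bulk of the signal. In a real deployment the thresholds would be tuned against the legitimate distribution of cards read per practice per window.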

Furthermore, a Gematik executive has indicated that the issuance of practice cards has been tightened through several changes to the distribution process. In mid-December it emerged that security researchers had bought valid practice identities, including SMC-Bs together with their PIN codes, from a practice that was being liquidated. This prompted Gematik to reassess the situation and to set up a security task force charged with implementing the necessary measures.

Despite these developments, it remains uncertain whether the vulnerabilities will have been fully addressed before the planned nationwide rollout of the ePA. For now, access is restricted: all healthcare providers and pharmacies taking part in the pilot phase are placed on a whitelist, so only this limited set of authorized users can reach the ePA.
