Electronic patient file open to hackers
The electronic patient file starts pilot operation today and is to be rolled out nationwide just one month later. This is a bold plan in view of the huge security gaps and the concentrated protests from medical professionals and data protectionists. But the health minister has an ally of distinction: Germany's former chief ethicist Alena Buyx. Even in coronavirus times, she had a soft spot for state power, big pharma and obedient herd animals. And it has stayed that way.
Federal Health Minister Karl Lauterbach (SPD) has to take what and who he can get. Shortly before the launch of the electronic patient file for all (ePA), Alena Buyx has come out as a fan of the project. In an interview with Zeit-Online (behind paywall): "I'm happy about it and won't contradict it." Buyx of all people! In coronavirus times, as Chair of the German Ethics Council, she went along with every politically imposed violation of fundamental rights. She demanded a general vaccination obligation. We had to "fire from all cylinders" because "we know everything about safety", and those who didn't participate didn't deserve solidarity. At least in retrospect, the 47-year-old advocate of values was quite often wrong when it came to the pandemic - to put it mildly. Now she says of the ePA: "There will never be a perfect system, and striving for perfect risk minimization means that something will never be finished." And when asked about the glaring security gaps in the system, she adds: "That doesn't change much for me."
For a very significant group of experts, this changes a great deal. For weeks, players in the healthcare sector have been speaking out again and again - doctors, clinic operators, pharmacists, data protectionists - criticizing the project, casting doubt on it, rejecting it outright or at least arguing for a delay. For example, the Association of Pediatricians and Adolescent Doctors (BVKJ) advises parents to "actively decide against the ePA". The Freie Ärzteschaft warns of an "abolition of confidentiality", "deception of patients and doctors" and the primacy of profit. The Professional Association of German Psychologists (BDP e.V.) speaks of catastrophic side effects, stigmatization and therefore incorrect treatments if sensitive data on mental illnesses falls "into the wrong hands".
Thumbs down from the President of the Medical Association
Not least the President of the German Medical Association (BÄK), Klaus Reinhardt, is giving the plans a thumbs down. At his association's New Year's conference, he advised consumers not to take advantage of the offer as long as there are risks. At the moment, the "potential gateways" are simply too big. In any case, there is hardly anyone who still gives Lauterbach's "revolution" the thumbs up, apart from the lobbyists of the health and data economy and the so-called medical ethicist Buyx. But the minister is not bothered by the massive criticism. At the beginning of the week, web.de asked him whether he could recommend the ePA with a clear conscience. Answer: "Absolutely", citizens' data "is safe from hackers".
Really? Before the turn of the year, IT specialists from the Chaos Computer Club (CCC) demonstrated at its annual congress how it is possible to access already stored ePA data with little effort and in various ways, completely without the health card of the person concerned. As things stand, this will be possible in future for all 70 million files. But while the security researchers were "digging through the ePA, the security concept was read by an AI at the Fraunhofer Institute and found to be 'secure' with minor flaws", according to a press release from the association. The procedure can only "raise eyebrows" and the happy statement that the ePA for everyone is secure must be regarded as a "hallucinated misdiagnosis".
Outrageous potential for blackmail
The Minister of Health also later played down the CCC's findings to a "theoretical problem". The Association of Independent Doctors reads things quite differently, accusing Lauterbach and the responsible National Agency for Digital Medicine (gematik) of "irresponsible obfuscation tactics". What deputy federal chairwoman Silke Lüder said in a press release on Monday is revealing. "The medical data is not stored on the card, but in the cloud at the companies IBM and Rise - in plain text, not even end-to-end encrypted." The access key is "simply the insurance card", without checking whether the card has been issued to the right person. All that is needed is the name, insurance number and date of birth of the insured person, then the card is delivered to practically any address. "As the new version of the ePA 3.0 has also done away with the associated PIN number, it will be very easy to access the entire medical history with any card in future," says Lüder. Two-factor authentication is used for every online banking action, "only the most sensitive data we have does not have this security".
"At least as serious" for association head Wieland Dietrich are "possible illegal accesses" by practically all professional groups in the healthcare sector. In total, around two million people are entitled to access. "That's unacceptable." Any employee of a pharmacy or pedicure practice, for example, can see whether the patient has erectile dysfunction, psychological problems or a sexually transmitted disease after swiping the card. "The potential for blackmail is outrageous," says Dietrich, who insists "that this dangerous project be stopped immediately in its current form", and continues: "As doctors, we are to be forced by the state, under threat of financial penalties, to effectively make our patients' medical records public. That borders on coercion."
Profiteers before the raid
Coercion is the defining motive of the entire undertaking. On November 20, NachDenkSeiten published an article entitled "Hauptsache Daten! A patient is supposed to be transparent - not to get well". The ePA has been around for four years, but was a slow seller. Hardly anyone wanted it. Now those with statutory health insurance are being forced into their "happiness". It will be set up automatically for everyone, unless they actively object according to the so-called opt-out model. However, very few people do this out of ignorance or convenience. According to the major health insurance companies, the number of refusals is negligible.
The main beneficiaries will be the large pharmaceutical companies, who hope to gain lucrative, but often useless innovations from the change. The main reason why the German healthcare system is so expensive is that it is highly privatized and relies on costly medical devices, often pointless operations and a sea of drugs with dubious effects. The ePA promises completely new possibilities in this respect. In future, the data stored in it will be made available to research, both public and private. However, according to the law, the data will only be pseudonymized and not anonymized. Experts object that the information can therefore still be assigned to the relevant individual. This opens the door to possible misuse and practically programs scenarios in which insurers, criminals, security authorities and secret services also gain access.
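To make the pseudonymized-versus-anonymized distinction concrete, here is an added illustration that is not part of the article and has nothing to do with the real ePA or FDZ code: a few constructed patient records are pseudonymized with a keyed hash, which keeps them linkable back to a person (by anyone holding the key, or simply via the remaining birth year and postcode), whereas generalizing those fields and keeping only groups of at least k records removes that link. The key, field names and records are all assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real people): insurance number, birth year, postcode, diagnosis code.
RECORDS = [
    {"kvnr": "A123456780", "birth_year": 1978, "plz": "50667", "dx": "F32.1"},
    {"kvnr": "B234567891", "birth_year": 1979, "plz": "50668", "dx": "I10"},
    {"kvnr": "C345678902", "birth_year": 1981, "plz": "50670", "dx": "N52.9"},
    {"kvnr": "D456789013", "birth_year": 1990, "plz": "20095", "dx": "I10"},
]

# Hypothetical pseudonymization secret held by the data center (assumed, not a real key).
PSEUDO_KEY = b"example-secret-held-by-data-center"


def pseudonym(kvnr: str, key: bytes = PSEUDO_KEY) -> str:
    """Keyed hash of the insurance number: stable, so all records of one person stay linkable."""
    return hmac.new(key, kvnr.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records):
    """Replace the direct identifier with a pseudonym; every other field is left untouched."""
    return [{**{k: v for k, v in r.items() if k != "kvnr"}, "pid": pseudonym(r["kvnr"])} for r in records]


def reidentify(pseudo_records, candidate_kvnrs, key=PSEUDO_KEY):
    """Whoever holds the key (or the linkage table) maps pseudonyms straight back to people."""
    table = {pseudonym(k, key): k for k in candidate_kvnrs}
    return {table[r["pid"]]: r["dx"] for r in pseudo_records if r["pid"] in table}


def link_by_quasi_identifiers(pseudo_records, birth_year, plz):
    """Even without the key, the untouched birth year and postcode single out a known person."""
    return [r["dx"] for r in pseudo_records if r["birth_year"] == birth_year and r["plz"] == plz]


def anonymize(records, k=2):
    """Generalize quasi-identifiers (decade, postcode area) and drop groups smaller than k."""
    coarse = [{"decade": r["birth_year"] // 10 * 10, "plz2": r["plz"][:2], "dx": r["dx"]} for r in records]
    sizes = Counter((c["decade"], c["plz2"]) for c in coarse)
    return [c for c in coarse if sizes[(c["decade"], c["plz2"])] >= k]


def min_group_size(anon_records):
    """Smallest equivalence class left; k or more means no single record stands alone."""
    sizes = Counter((c["decade"], c["plz2"]) for c in anon_records)
    return min(sizes.values()) if sizes else 0
```

The cost of real anonymization is visible too: with k=2 only two of the four constructed records survive, which is exactly why research users prefer pseudonymized data.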
A Like from Facebook
Powerful IT companies should also be able to make free use of the technology. At the Digital Health Conference in Berlin at the end of November, Lauterbach enthused about the huge and valuable treasure trove of data that the project would unearth and store at the Federal Research Data Center (FDZ). All the tech giants are interested in using it to train their AI systems and build "generative AI". "We are in talks with Meta, with OpenAI, with Google", and Israel has been consulted, the minister noted. He has other breakthroughs in mind, such as in the field of telemedicine. In future, patients could be treated via video link and doctors could "view all findings directly and decide whether the patient needs to come to the practice after all". He believes that this could save "up to a third" of the one billion doctor-patient contacts.
That fits. As has been reported several times, Lauterbach's recently approved major hospital reform amounts to a radical hospital cutback. The accelerated digitalization of medicine and the associated ePA are also intended to promote this by "relieving" emergency outpatient clinics, for example. The fact that these are often visited prematurely and wrongly is an obvious grievance. However, the hospital reform will not improve the situation of emergency departments. On the contrary, they are being dismantled on a large scale, as are maternity clinics. In the aforementioned interview with web.de, the SPD politician very impressively exposes his very limited understanding of medicine at one point. Nothing would influence the "costs and quality of our healthcare system more than functioning preventive care", he stated very accurately. But then his example: "Half of people with high blood pressure in Germany are still not being treated with medication." Measures to keep people healthy at a younger age, more exercise, sport and better eating do not even occur to Lauterbach.
Shrivel banana software
Today, Wednesday, the "ePA for all" enters the pilot phase. The system will initially be tested for suitability in practice in three model regions in North Rhine-Westphalia, Franconia (Bavaria) and Hamburg and with around 270 service providers. Critics have coined the term "deep green shrivel banana software" for the project. According to those responsible, this should only gradually mature during operation - despite all the dangers and uncertainties. The nationwide rollout will only start "once mass data misuse has been technically ruled out", assures Lauterbach. "I can assure you of that." At the same time, however, he does not want to question the announced date of February 15, no doubt also out of concern that the imminent change of government could throw a spanner in the works for him and his clients.
The former chief ethicist and recipient of the Order of Merit of the Federal Republic of Germany, Buyx, is of course supporting the project. "It makes sense to get the project on the road now and at the same time build up further security structures if they prove necessary" - in other words, once the damage has already been done ... In the UK, for example, blood test data from patients surfaced on the darknet on a large scale last year. In the USA, the medical data of around 100 million citizens - insurance information, medical documents, payment data and social security numbers - fell into the hands of hackers almost a year ago. The attackers exploited a security vulnerability at Change Healthcare, the largest payment service provider in the healthcare sector.
But in Germany, everything is under control and a health minister with an affinity for Big Pharma wants to plug a huge security hole in just one month. Better not rely on it. You can still object to the ePA, even retrospectively. Netzpolitik.org explains how to do this.