Insecure Medical Mail – Vulnerabilities in Email System Exposed
Quick summary: A digital system intended to protect sensitive data in medical practices has been found to have significant security gaps, as revealed by researchers at the CCC hacker congress.
A digital system is supposed to protect sensitive data in medical practices. However, researchers showed at the 39th Chaos Communication Congress in Hamburg that important standards have not been adhered to.

Many patients may not know that when practices and hospitals send diagnoses, lab results, or medication instructions by email, they do not do so casually. There is a system considered particularly secure, called KIM ("Kommunikation im Medizinwesen"), designed for the secure transmission of highly sensitive health information. The messages are encrypted so that attackers cannot intercept or read them. The system is specified by a governmental body, Gematik. Investigations by NDR and Süddeutsche Zeitung reveal that this security promise has apparently not been fully met for years. IT security researcher Christoph Saatjohann, who made these findings months ago, presented them today at the congress. Gematik has since responded and released a comprehensive security update, but some uncertainties remain.

Sender addresses could be falsified. "When emails come via KIM, they look legitimate to the practice and get clicked on," explains the security researcher. This poses a risk. Gematik had mandated this solution for practices, clinics, and pharmacies years ago but did not implement security standards. While doctors' emails carry a digital signature confirming they were sent via the protected system, that signature does not reliably indicate who the sender is. The gap can be compared to a letter that is sealed but has a freely selectable sender on the envelope: the letter may be genuine, but the name could be wrong. Attackers could exploit this vulnerability for spam or phishing, according to the researcher from FH Münster, who teaches cybersecurity in the medical field. Deceptively authentic messages could have appeared as legitimate medical correspondence while carrying malware to cripple practices or steal patient data.

Clinics are a popular target for attacks, and stolen patient data frequently appears for sale on the dark web. In addition, before Gematik's security update, messages could be decrypted and read. In some cases, access was even possible from the internet because a small number of KIM modules were incorrectly configured, the researcher explains.

Gematik has now released a so-called hotfix, a set of security updates intended to close the most serious gaps. According to Gematik's written statements, the gaps had no concrete impact on medical facilities; measures to address them were initiated immediately after the vulnerabilities were reported, a large part has already been completed, and all parties are working hard on the remaining issues. "Now it is up to the practices and other institutions. They need to install the update, which may take time," Saatjohann says of the updates. He welcomes the quick response and transparent handling. The Federal Office for Information Security (BSI) stated in response to inquiries that the identified security gaps could only be exploited with technical expertise. From the BSI's perspective, there is unlikely to be an immediate risk for patients.

However, Saatjohann also points out an ongoing problem: without much effort, he was able to create an email address in the KIM system under the name of Gematik. His suspicion is that newly registered email addresses are not checked for plausibility; only an ID for medical facilities is required. Several hundred thousand people in the healthcare sector have access to such IDs, and they are occasionally sold on eBay. "As a practice receiving a KIM email, I have no practical way to find out who really sent it to me," he says. Gematik announced that it would introduce additional security measures to better recognize critical or misleading names in the future.

This is not the first time Gematik has faced criticism: in 2024, IT experts presented vulnerabilities in the electronic patient file at the Chaos Communication Congress. Although these have been addressed, they have not been fully resolved. In May of this year, the group, with Saatjohann's assistance, again gained access to sensitive files.

Doctors express uncertainty. "My trust in Gematik is very limited, and I unfortunately have to doubt their IT competence," says general practitioner Michael Eckstein, deputy chairman of the MEDI association in Baden-Württemberg, a cross-disciplinary interest group for practicing physicians, regarding the new findings. "Doctors are generally IT laypeople and cannot oversee the complex technology. We must reluctantly assume that the encryption is secure." A senior physician from North Rhine-Westphalia and a clinic doctor from Bavaria told NDR and SZ that there is often a lack of trust in IT applications. Instead, there is a growing tendency to revert to fax machines and messengers. The researcher views this even more critically, since many fax machines are significantly less secure than KIM, as they typically use no encryption at all.
Source: www.tagesschau.de
