The electronic patient file - the expected failure with an announcement
I have objected. For myself, my wife and also for our daughters. I smelled the rat months ago: The “advantages” of the electronic patient file ("ePA" in German), which was driven through the health insurance village like the new proverbial pig, were so obvious!
Germany can do digitalization. Not. What is becoming increasingly apparent in everyday life is now being dramatically underlined by the way in which the electronic patient file (ePA) is to be introduced.
For this reason in particular, my usual pessimism (which I call “conventional realism”) paired with a healthy caution that Germany simply cannot digitize was there from the start and after yesterday's findings at 38C3, I simply feel confirmed.
Of course, Federal Health Minister Karl Lauterbach continues to insist that the ePA is secure: just as his colleague Nancy Faeser is constantly calling for data retention and biometric recording of individuals, Lauterbach's political legacy (no, it's not the hospital reform!) is also tied to the digital construct that is supposed to make everything easier for 74 million citizens in the healthcare system: All health data is to flow into this in the long term and is therefore subject to a high (if not the highest!) protection factor, as it is clearly personal data. However, we wouldn't be in Germany if we weren't once again being as clumsy as possible when it comes to digitalization and turning the ePA into the next project with the “Failure by Design” anti-seal of approval.
What has happened?
First of all, the health insurance companies started sending out information about the ePA months ago. At our health insurance company, BARMER, it was also possible to opt out when replying. This was then, a few weeks later and also typically German, confirmed again in writing by post. It is worth mentioning here: Doing nothing at all means (silent) consent and you are in the potential draw of data that you might not want to have floating around on the net. The process at BARMER was well explained, the answers via a QR code for the lady of the house and our daughters worked without any problems - this also needs to be mentioned, but technically I would have preferred an opt-in: Scan the code IF (!) you want to use the ePA - but then the planned success story would not have been a success, but that's another topic.
At the 38th Chaos Communication Congress in Hamburg, Bianca Kastl and Martin Tschirsich, both security experts, showed quite clearly how third parties could gain access to the health data of any ePA with very little effort and in several ways. Both have a professional background: Kastl is chairwoman of the Innovationsverbund Öffentliche Gesundheit e. V. (Public Health Innovation Association), Tschirsich is active in the Chaos Computer Club and works in the field of information security. The crux of the matter: the electronic patient file is due to be launched nationwide as early as February and news like this does not necessarily provide a tailwind: reason enough for gematik, which has overall responsibility for the telematics infrastructure (TI) and is the central platform for digital applications in the German healthcare system, to publish a quick statement. The tenor: everything is good and secure. Period. But does that create trust?
Failure by Design?
The infrastructure of the digital patient record has been in place since 2021 - you would think that when it goes live in February 2025, the platform would be secure, mature and theoretically and practically aligned with current security standards. However, trust in a new platform can only be created if the solution is not presented to you like a pre-cooked dish, but if you have also been involved in the (cooking) process beforehand. The flavor here: Someone has “mumbled” something with someone in a quiet chamber and the result is now to be pushed through into live operation - come what may. But we're not just talking about some strange platform where (perhaps!) the content doesn't matter: We are talking about the clearly personal health data of every citizen - data and details that people would certainly rather not see in untrustworthy hands or on moderately secure platforms.
The reasons why it would be better to put the brakes on and make the thing secure in the first place were clearly demonstrated: Kastl and Tschirsich, for example, managed to obtain valid health professional and practice ID cards as well as third parties' health cards. It sounds difficult, but apparently only to a limited extent: this was probably made possible by shortcomings in the issuing processes, in the relevant portals that issue the health cards and in card handling in everyday life. Some of the ePA gaps found have existed for years and have a certain tradition and history at the Chaos Communication Congress, as can be read in the summary. In the end, the question arises as to why this only became so brutally apparent a month before the real launch - but the history here goes back a little, as the CCC also makes clear. Security and transparency must not take a back seat in the current discussion, yet an expert report by the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT) had already attested to glaring and serious weaknesses in the project in its 90-page final report: It's a prankster who thinks evil when gematik only published this report quite late, in October 2024.
The colleagues from netzpolitik.org have also dedicated an article to the topic and clearly demonstrated the sometimes outrageous ways in which theoretical workarounds can be created to obtain data - whether this applies to the card procurement itself or remote access to the data. The warnings of the former Federal Data Protection Commissioner Ulrich Kelber, which have already been discussed in the past and in some cases completely neglected, must also be taken into account when assessing the situation - this cannot and must not be allowed to happen!
Of course, you can ponder why Kelber didn't get a second term in office either, as I remember him as someone who took the topic of “data protection” seriously per se, but without positioning it as a classic boring showstopper in all respects. My (subjective) assumption here: His professional opinion was - like some others - not really conducive to the prestige project ePA with regard to the advance of Federal Health Minister Karl Lauterbach. Kelber himself, who holds a degree in computer science and is now a professor of data ethics at the Rhein-Sieg-Kreis University of Applied Sciences (and therefore a specialist in the field), is also calling for the planned ePA test phase to be extended from one month to at least six months.
Verdict
The CCC's call for an “end to ePA experiments on living citizens” is ultimately no coincidence - and should not go unheard, as the facts clearly speak for themselves. According to the Chaos Computer Club, factors such as the planned obsolescence of the connectors, the corresponding identification procedure or the questionable cost-benefit ratio, which was certified from the outset, were not just a random and unfortunate collection of teething troubles, but have always been the turbulence that has accompanied the “ePA” project from the very beginning.
The bland aftertaste: once again, the German attempt to successfully pursue forced digitization “come hell or high water” has neglected the basics and simply ignored problems that have been mentioned for months and years. Thanks to the change from “opt-in” to “opt-out”, the onus is on patients, who often simply wait and participate in the lottery due to a lack of better knowledge and a lack of objective reporting, not to have their health data placed on any platform “just like that”. An experiment will theoretically be extended to 74 million German citizens if the pilot phase for such a “project” - starting on January 15 - is successful: Three weeks for the pilot phase, including findings and “go-live” of the final platform, is not only ambitious here, but grossly negligent per se.
Personally, I am a friend of digitalization and use it sensibly wherever possible. However, despite all the features and conveniences, I don't lose sight of the protection of personal data, provided you can have an influence on it in today's world: This is the case here and therefore I unfortunately feel confirmed in my basic negative attitude that “digitization” in Germany is often not left to the experts, but to free riders with a lobby and a great advertising budget. The potential consequences will only be dealt with in retrospect: Then one or two heads roll, nobody wants to have known about anything and, as always, it usually hits the wrong people. This is a fatal mistake, which is also facilitated by the professional opinion of so-called (non-) “experts” and unfortunately also federal ministers, who want to realize themselves historically at the expense of the citizen and build themselves a questionable legacy of their time in office.
In the end, the only thing that can be said for the electronic patient file at this point is: sit down, six - stop the project, do detention and make it better (or have it made better). The idea behind it is a good one, but the way it is currently being implemented is unfortunately typical of our society, in which the real experts are being left out of the loop - for a variety of reasons! The ePA can only work if the feedback received so far is dealt with openly, if real experts are brought on board and if the security of the platform is independently tested and certified in the future. As things stand, the electronic patient file with all its well-intentioned features will be a pipe-dream that will not bear the “Made in Germany” seal of approval, but rather “Failure by Design” - but then we will be in (unfortunately) good company here in Germany!