Comment on networked healthcare: it cannot go on like this!

Source: added 18th Dec 2020

Serious security problems are emerging again with the telematic infrastructure (TI) of the German health system – the lighthouse project with which the federal government has been trying to break new ground for around 20 years. But wherever committed IT security experts have so far looked at it as critical citizens, abysses and massive problems have been revealed, be it in the rollout, with sloppy identity checks, in software security, in the security dimension of availability, in operational reality or in hardware security.

Thomas Maus is a graduate IT specialist and since 22 has worked freelance for companies and authorities, mainly on IT security issues. This includes the management of large, business-critical installations, the establishment of pen test teams and the training of international police forces in combating cyber crime.

Don’t panic on the TI-tanic

Much was predictable and was specifically predicted – but well-founded criticism, warnings and alternative suggestions from the CCC, the GI (Gesellschaft für Informatik), FIfF and others have gone unheard for 15 years. At the same time, committed citizens can only check data security and data protection in the TI on a random basis. Their laborious work reveals only the tip of the iceberg, and this tip is huge!

In the population, this erodes the indispensable leap of faith that is a prerequisite for a successful digital transformation, not only in the health care system. The nuclear energy and automotive industries have sufficiently demonstrated that this loss of trust is dangerous – the IT industry shouldn’t have the ambition to outdo them.

Let actions speak for themselves

Measures to build trust are therefore urgently required, and so I hereby remind you of the challenge that I already proposed in 2005 in my lecture on health telematics at the 22C3: The Ministry of Health provides a test environment for the entire TI and awards prizes for finding security deficiencies, prizes that correspond both to the later value of the data and to the confidence of the Federal Ministry of Health in the security of the system.

The protagonists who are convinced of the security of the system – i.e. all advocates and those responsible – prove this by feeding their real health data into the test system; any prizes that have to be paid out are paid primarily out of their private assets. With the introduction of the system, patients and doctors are also subject to similar risks.

But if no security holes are found by the deadline – one year after an absolute majority of members of the Bundestag have entered the test system with their data and assets as a sign of their trust and political will – the TI should have acquired the necessary trust. Until this deadline, participation in the TI is voluntary for everyone and all sanctions are suspended.

If this quorum is not reached within a year, the TI evidently does not enjoy enough trust. It is scrapped, and there is finally serious discussion about privacy-friendly, decentralized, robust and resilient alternatives!

Admittedly, this is not an easy decision, because a breach of medical data – like radioactive contamination – easily affects several generations. But the holidays and lockdown offer space to consult with 1st and 2nd degree relatives and to go into the New Year with a solid resolution to participate or not participate in the challenge.

Expensive investment ruin?

If you, as a member of the German Bundestag, shy away from declaring the TI a billion-dollar investment ruin – that work has already been done for you. However, this raises a question that needs to be investigated: since when has this insight existed? The current ePA and e-prescription drafts have long since departed from the original plan to implement high-quality data protection through end-to-end encryption using card terminals and smart cards.

So a suspicion is germinating: at considerable cost to the insured community, an outdated technology was forcibly and knowingly introduced which foreseeably could not provide any adequate benefit for the insured during its lifetime.

The IT industry has long since abandoned such monster projects because they are notorious brakes on innovation. The legally stipulated start of operation of the TI was January 1st 2005 (yes, New Year’s two thousand six!). Since 2003 it has inhibited innovation in the healthcare sector, because many intelligent, small digitization projects were crushed or not even attempted, since the TI was always going to solve all problems much more comprehensively – only soon. The TI is therefore not the solution, but the cause of our digitization deficits.

Decency is to distance yourself

If you, dear members of the German Bundestag, are already thinking about the TI in all its aspects, then please also think about priorities: Does our medical profession really have the time and leisure at the moment to choose between ruinous liability risks due to the unmanageable security implications of a TI connection and ruinous fee reductions due to not connecting to the TI?

Are new TI functions that require installation and breakdown-service technicians to go from practice to practice as potential super-spreaders really appropriate at the moment? Is it fair to legislate on the health care system when the professionals who should wisely be heard are fighting for lives?

My 2 ¢ with warm wishes for a truly peaceful Christmas time in good health.

