In the telematic infrastructure of the health system (TI) security researchers have found a security gap again. Around 200 medical practices are said to have been accessible via the Internet, according to a report by the Tagesschau. In 30 cases, the researchers are said to have succeeded in simulating a doctor’s practice for the TI and gaining access to patient files that were stored in the practice administration system without password protection.

In Germany there are currently about 145. 000 Practices linked to the TI. The researchers want to inform about the security gaps found at the annual congress of the Chaos Computer Club, which this year as “remote chaos experience” (rc3) takes place only virtually.

Incorrectly configured Already at the congress 36 C3 in December 2019 Christoph Saatjohann from the Laboratory for IT Security at Münster University of Applied Sciences described the telematic infrastructure of the health care system as full of holes in a lecture. Now he claimed to the Tagesschau that in about 200 cases the connectors (VPN routers) of medical practices were configured in such a way that they were visible and accessible via the Internet. A security vulnerability is said to be even more serious, in which the TI could be led to believe that a doctor is in the office. The security researchers are said to have succeeded in viewing doctor’s letters, diagnostic findings and X-rays. Details of these pentests will then be presented at the Chaos Computer Congress.

(mho)