Security flaws in card terminals and health insurance apps

Source: Heise.de added 18th Dec 2020


For decades the federal government slept through the digitization of medicine; now it cannot go fast enough. From the coming year, everything from electronic patient files and e-prescriptions to tele-consultation will gradually run through apps on the smartphone. With hundreds of medical and health apps in the Apple and Google stores, there has so far been little opportunity for users to check their quality.

A security check of almost two dozen apps from German health insurance companies, which the computer magazine c’t carried out together with the NDR and David Wischnjak, security consultant at Ciphron GmbH, shows why such a quality check is important. Wischnjak found, among other things, login data and passwords in plain text, outdated software libraries and unencrypted data transfers in the code of the Android apps. The security expert sees some catching up to do with the use of trackers, the parameters of transport encryption and the APK signature process. Numerous AOK apps that offered little more functionality than a website made a negative impression. Only the TK app was able to convince the c’t authors.

Hacker experiment at the card terminal

In another hacker experiment with card terminals, c’t reveals what simple handicraft utensils can be used to bypass, within a few minutes, the security precautions of the ORGA 2021 online from Ingenico, which is widely used in medical practices. After a tip from an anonymous hacker group, the c’t editors were able to purchase terminals on eBay – without proof of medical activity.

We sent the test devices to Dr. Jiska Classen from the Secure Mobile Networking Lab (SEEMOO) at TU Darmstadt to examine the attack path outlined by the hackers. Dr. Classen was able to cut through an electronic protective film behind an unsecured bottom flap of the terminal within a few minutes without triggering a security alarm. The unprotected contacts of the card slot for ID cards for health professionals are located under the film. The operation was documented by Dr. Classen in a video.

Video: c’t hacker experiment with card terminal from Ingenico. The video shows how easily the electronic protective film in the ORGA 6141 online card terminal from Ingenico can be cut open. (Source: c’t – magazine for computer technology)

Via these contacts, the anonymous hackers could use a logic analyzer to access unencrypted commands and PIN entries in the device. Security expert Thomas Maus, who analyzed the group’s attack path for c’t, therefore sounded the alarm: through the gap in the device, attackers could hide a small micro-computer with WiFi, access and manipulate health data, and write prescriptions. According to Maus, the card terminal would not meet the security requirements of the Common Criteria.

It is still unclear why the card terminals sealed with BSI seals have an easy-to-open bottom flap. This is neither glued – as described in the manual – nor secured with seals from the BSI. The deviation between the device and the manual contradicts the security requirements of the Common Criteria, according to which the terminals are specified.

It is noteworthy that Gematik GmbH, which is responsible for organizing and securing the telematics connection of the medical practices, apparently already suspected, when it approved the card terminals three years ago, how easily an attacker could overcome the technical protection. But instead of demanding more robust technology, it contented itself with organizational security requirements. Doctors and clinics are allowed to leave these terminals unattended for a maximum of ten minutes.

This requirement was previously unknown to the doctors we interviewed. Since doctors and clinics are still legally responsible for the security of their patients’ data, they must be given particularly detailed information about any risks. However, there is still no data protection impact assessment of the telematics infrastructure that would meet this need for information.

Currently, an estimated 145,000 medical practices and clinics in Germany are connected to the telematics infrastructure. When we asked, the manufacturer did not want to tell us how many of them are using Ingenico card terminals. However, the number should be six digits. A possible recall or replacement of the vulnerable devices would therefore be associated with considerable costs.

Shortly before the introduction of the electronic patient record on January 1st 200, the data backup of the telematics infrastructure appears to be in a desperate state. At the beginning of the week, security researchers at the Chaos Computer Club uncovered around 145 incorrectly configured telematics connectors that allow attackers free access to patient and health data. The security researchers want to present details of their analysis between the holidays at the Remote Chaos Experience.

(hag)

Read the full article at Heise.de
