According to the Federal Ministry of Health’s digitalization strategy, all people with statutory health insurance who do not actively object will receive an electronic patient file in future. Who will then be able to access personal patient data and how well is the data protected against unauthorized access?
At the beginning of March 2023, Federal Minister of Health Prof. Karl Lauterbach presented the new digitalization strategy of the Federal Ministry of Health (BMG) at a press conference. A central topic of the digitalization strategy is the electronic patient file (ePA). Since January 2021, this has been provided to the 73 million people with statutory health insurance by the health insurance companies on request (opt-in). According to Karl Lauterbach, however, less than one percent of those with statutory health insurance have applied for an ePA to date. This has apparently been on the cards for some time, as it was already agreed in the coalition agreement of November 2021 to accelerate the introduction of the ePA and to provide all insured persons who do not actively object with an ePA (opt-out). This is now being implemented as part of the digitalization strategy. The BMG has already announced two new laws: the Digital Act and the Health Data Utilization Act (GDNG). The aim is for 80 percent of people with statutory health insurance to have an ePA by 2025 and for patient data to be pseudonymized and used for research purposes.
For insured persons, this means having to make a decision. Not applying for an ePA was easy and convenient, but should they now object to being given one? How is personal patient data protected in an ePA? Who can access patient data? This article provides background information on how the ePA works and how patient data stored in the ePA is protected.
The electronic patient file
The electronic patient file is essentially a secure cloud-based document repository with a complex authorization system. Insured persons can view their patient data at any time and control the authorization for access by doctors or other persons themselves. This is achieved through the interaction of various components:
- The ePA file system (ePA-AS) is the central backend component in which the patient data is stored. This is also where user authentication and the enforcement of access rights take place.
- The insured person’s ePA front end (ePA-FdV) is the decentralized access point for insured persons. The ePA-FdV is available as a mobile app as well as a desktop application. Insured persons can use the ePA-FdV to manage their own file and upload, view, download or delete content.
- Doctors and other service providers access patients’ ePAs via the ePA specialist module running on the connector.
- Two independent key generation services (SGD) provide the user-specific authorization keys under which the keys protecting the file contents are themselves encrypted.
Encryption of file contents
The patient data stored in the ePA is personal health data within the meaning of Article 9 of the General Data Protection Regulation (GDPR) and is therefore particularly worthy of protection. Protection is implemented through numerous measures, of which the encryption of the file contents is the most relevant: anyone who gains access to file contents without authorization obtains only ciphertext. The overall scheme is made up of several layers of encryption with different keys:
- The document key is used to encrypt a specific file content. In the following, it is assumed for simplicity’s sake that the file contents are documents (e.g. PDF documents). Each document stored in the ePA is encrypted with an individual key.
- The context key is used to encrypt the metadata and log data. The metadata is descriptive information about each stored document which, although the medical documents themselves remain encrypted, provides an overview of the file contents and enables a server-side search within the file.
- The file key is used to encrypt the file contents, i.e. each document key together with the document already encrypted under that document key.
- Authorization keys 1 and 2 are user-specific and are used to encrypt the context key and the file key, one layer on top of the other.
Access to and decryption of patient data from the ePA proceeds as follows. An authorized person, for example the insured person, authenticates via the ePA-FdV to the ePA file system and to the two key generation services. The ePA-FdV then receives the person’s individual authorization keys 1 and 2 from the key generation services, and the file key and context key, in encrypted form, from the ePA file system. Using the authorization keys, the file and context keys are decrypted layer by layer (onion-skin principle). The context key is then transmitted in plain text to the ePA file system over a specially secured protocol. The ePA file system contains a so-called trusted execution environment, which technically prevents access by the operator and thus ensures that the operator cannot view any file contents. Inside this trusted execution environment the so-called file context is decrypted with the context key; this is the metadata which, for example, describes the content of the documents stored in the ePA. The desired document can then be selected in the ePA-FdV via the file context and loaded onto the end device. There it is first decrypted with the file key, which yields a document key and the document encrypted under that key; decrypting with the document key finally produces the document in plain text. From this point on the document is outside the ePA’s control: if it is stored outside the ePA-FdV, the ePA can no longer guarantee its security.
Authorization management
If an insured person authorizes another person (e.g. a doctor) to access file contents, the file and context keys are encrypted with that person’s authorization keys and stored in the file system for retrieval by that person. Anyone for whom no such encrypted copy exists, including the operator of the ePA file system, is thus cryptographically excluded from the file. Even for a person who is generally authorized and holds the necessary keys, access can additionally be restricted at document level, so the insured person can decide for each individual document who may access it. Because such a person already holds the file key, this document-level restriction is an access-control decision enforced by the ePA file system rather than a cryptographic one.
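A toy model of the key hierarchy and access flow described in the two sections above (encryption of file contents and authorization management), added here as an example; it is not gematik’s code and does not reproduce the real ePA protocol. Assumptions: a small HMAC-SHA256 encrypt-then-MAC construction stands in for the actual cipher, the two key generation services are simulated as independent HMAC-based derivations of user-specific keys, the `FileSystem.search` method stands in for the trusted execution environment, and the user names, documents and metadata are constructed for the example.

```python
"""Toy model of the ePA key hierarchy (added example, not gematik's code or protocol).
Assumptions: an HMAC-SHA256 encrypt-then-MAC construction stands in for the real cipher,
the two SGDs are simulated as independent HMAC derivations, FileSystem.search plays the TEE."""
import hashlib
import hmac
import secrets

KEY_LEN = 32

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Layout: nonce || ciphertext || tag, with separate sub-keys for keystream and MAC."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_prf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def decrypt(key: bytes, blob: bytes) -> bytes:
    """A wrong key or a modified blob fails the tag check before any plaintext is produced."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise PermissionError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))

class KeyGenerationService:
    """One SGD: returns a user-specific authorization key (derivation is simulated)."""
    def __init__(self):
        self._secret = secrets.token_bytes(KEY_LEN)
    def authorization_key(self, user_id: str) -> bytes:
        return _prf(self._secret, user_id.encode())

class FileSystem:
    """ePA-AS: stores only ciphertext, per-user key envelopes and document-level rights."""
    def __init__(self):
        self.envelopes = {}  # user_id -> (context key || file key), wrapped under auth key 2, then 1
        self.documents = {}  # doc_id -> (metadata under context key, document under file key)
        self.acl = {}        # doc_id -> user_ids allowed to fetch it (enforced server-side)
    def search(self, context_key: bytes, term: str) -> list:
        """Inside the TEE the file context is decrypted so the server can search the metadata."""
        return [d for d, (meta, _) in self.documents.items() if term in decrypt(context_key, meta).decode()]
    def fetch(self, user_id: str, doc_id: str) -> bytes:
        if user_id not in self.acl[doc_id]:
            raise PermissionError(f"{user_id} may not read {doc_id}")
        return self.documents[doc_id][1]

def wrap_keys(fs, sgd1, sgd2, user_id, context_key, file_key):
    """Authorize user_id: onion-wrap both keys under that user's two authorization keys."""
    inner = encrypt(sgd2.authorization_key(user_id), context_key + file_key)
    fs.envelopes[user_id] = encrypt(sgd1.authorization_key(user_id), inner)

def open_record(fs, sgd1, sgd2, user_id):
    """ePA-FdV: obtain both authorization keys, then peel the envelope layer by layer."""
    if user_id not in fs.envelopes:
        raise PermissionError(f"no key envelope for {user_id}")
    outer = decrypt(sgd1.authorization_key(user_id), fs.envelopes[user_id])
    keys = decrypt(sgd2.authorization_key(user_id), outer)
    return keys[:KEY_LEN], keys[KEY_LEN:]

def store_document(fs, context_key, file_key, doc_id, metadata, document, readers):
    """Fresh document key per document; the file key wraps (document key || ciphertext)."""
    doc_key = secrets.token_bytes(KEY_LEN)
    fs.documents[doc_id] = (encrypt(context_key, metadata.encode()),
                            encrypt(file_key, doc_key + encrypt(doc_key, document)))
    fs.acl[doc_id] = set(readers)

def read_document(fs, file_key, user_id, doc_id) -> bytes:
    """On the end device: file key first, then the document key it reveals."""
    inner = decrypt(file_key, fs.fetch(user_id, doc_id))
    return decrypt(inner[:KEY_LEN], inner[KEY_LEN:])

def refused(action, *args) -> bool:
    try:
        action(*args)
        return False
    except PermissionError:
        return True

def demo() -> dict:
    sgd1, sgd2, fs = KeyGenerationService(), KeyGenerationService(), FileSystem()
    context_key, file_key = secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)
    wrap_keys(fs, sgd1, sgd2, "patient", context_key, file_key)
    # Constructed sample documents; d2 is restricted to the insured person only.
    store_document(fs, context_key, file_key, "d1", "type=lab-report date=2023-03",
                   b"HbA1c 6.1%", readers={"patient", "dr-mueller"})
    store_document(fs, context_key, file_key, "d2", "type=psych-note date=2023-02",
                   b"confidential", readers={"patient"})
    ctx, fk = open_record(fs, sgd1, sgd2, "patient")
    wrap_keys(fs, sgd1, sgd2, "dr-mueller", ctx, fk)  # patient authorizes the doctor
    dctx, dfk = open_record(fs, sgd1, sgd2, "dr-mueller")
    return {
        "search": fs.search(dctx, "lab-report"),
        "d1": read_document(fs, dfk, "dr-mueller", "d1"),
        "d2_refused": refused(read_document, fs, dfk, "dr-mueller", "d2"),
        "operator_excluded": refused(open_record, fs, sgd1, sgd2, "operator"),
    }
```

Calling `demo()` returns the doctor’s search hit and the decrypted first document, plus two refusals: the second document is blocked at document level by the file system even though the doctor holds the file key, and the operator, who has every stored blob but no key envelope, cannot open the record at all. Note that the document-level restriction is an access-control decision of the file system, not a cryptographic one, exactly as in the description above.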
Conclusion
The ePA implements various security mechanisms to protect patient data. Insured persons must always authenticate themselves for access. In order to decrypt the content, several keys must also be brought together. The security of the encryption rests largely on the authorization keys. For this reason there are two of them, provided by independent key generation services, so that separate entities are always involved in any decryption. Neither the operator of the file system nor the operator of either key generation service is technically capable of decrypting file contents on its own; the metadata, which the file system handles in plain text inside its trusted execution environment, additionally relies on that environment keeping the operator out. Authorization to access file contents is controlled by the insured persons themselves. Only authorized persons can decrypt the necessary cryptographic keys; all others are cryptographically excluded. Access authorization can be assigned individually for each document on a fine-grained basis.
Patient data in the ePA is well protected against unauthorized access. The insured persons themselves are responsible for authorization control and the security of downloaded patient data. Data sovereignty requires personal responsibility.