SRC provides expert opinion for Gematik's E-Rezept

SRC provides expert opinion on e‑prescription for gematik

IT security plays a special role in the digitalisation of the healthcare system. In the context of the introduction of the electronic prescription (e‑prescription) for which gematik is responsible, the security of all components will be tested by independent experts approved by gematik.
The introduction of the e‑prescription and the e‑prescription app started on 1 July 2021. By then, data security for patients, doctors and pharmacists had to be ensured. In order to check the security of these applications in their daily work, gematik, with the approval of the Federal Office for Information Security, commissioned several expert opinions to test the applications. Some of these expert opinions were prepared by the experts of the SRC. The result: Nothing stands in the way of a controlled commissioning into production operation. The applications can be integrated into the telematics infrastructure (TI).

The prerequisite for the test phase that now follows is the security assessment, in which the SRC assessors were involved for two components. SRC employees have been approved as experts by gematik since 2014 and have assessed the identity provider service of RISE as well as the specialist service e‑prescription of IBM. gematik published the summary of the expert reports prepared by the SRC experts on its website on 1 July 2021.

In the test phase that has just started, the e‑prescription is now being tested in everyday practice in the model region of Berlin-Brandenburg. Here, practical findings on the interaction of all components involved in the e‑prescription are to be collected first. The nationwide introduction of the e‑prescription is being prepared for the 4th quarter of 2021.

Every person with statutory health insurance can use their NFC-enabled electronic health card (eGK) with the corresponding PIN for the e‑prescription. The eGK is issued as standard by the statutory health insurance funds to their insured persons.
From 2022, the e‑prescription will be obligatory for all those insured by the statutory health insurers, but private health insurers have already made clear their interest in participating in the e‑prescription. For the time being, private health insurers can decide voluntarily whether to issue the eGK to their insured.
“The introduction of the e‑prescription and the associated app is undoubtedly a milestone for the digitalisation of the German health system. At SRC, we are a little proud to have contributed to securing this solution with our work,” says Randolf Skerka, Head of IS Management at SRC.
“This assessment was characterised by smooth and intensive coordination with the manufacturers RISE and IBM as well as gematik. Only in this way was it possible to ensure the high quality in the short time available,” says Dr. Jens Putzka on behalf of all colleagues involved at SRC.

IT security in the health sector: Regulation is necessary and overdue

Open interfaces, outdated technology and different interests: IT security in the health sector is a complex topic; after all, it is about the needs and safety of the patient. A major problem is the lack of regulation on the part of authorities such as the Federal Institute for Drugs and Medical Devices and the Federal Office for Information Security: currently there are only recommendations but no binding guidelines.

The Federal Office for Information Security (BSI), the Federal Institute for Drugs and Medical Devices (BfArM) and gematik are the competent authorities for IT security of medical devices in Germany. It must be ensured that unauthorised persons cannot use the IT in medical devices and systems against the patient and that components and systems are only open to authorised persons. Companies specialising in IT security, such as SRC Security Research & Consulting GmbH from Bonn, can help here. Regulation is necessary to create security standards, although a sense of proportion is needed here, because over-regulation can also cause damage.

Under the title “IT Security in the Healthcare Sector: Regulation is necessary and overdue” (in German), the magazine “all about security” gave Randolf-Heiko Skerka, Head of IS Management at SRC Security Research & Consulting GmbH, the opportunity to comment comprehensively.

If you are interested, we would be pleased to hear from you.

BSI Medical and Care Products

BSI publishes study results on the security of medical products and care products

The thought of unsafe medical or care products is disconcerting. Especially in a sensitive area such as the health care sector, the affected person trusts in the best possible help. But especially with the advancing digitalisation in the healthcare sector, vulnerabilities are increasingly appearing in networked medical, IoT and elderly care products. If such vulnerabilities are discovered or even exploited, this often poses a major problem for users and manufacturers of these products.
The Federal Office for Information Security (BSI) therefore initiated the projects “ManiMed — Manipulation of Medical Devices” and “eCare — Digitisation in Care” in order to be able to assess the IT security of selected products.

The studies now published by the BSI enable manufacturers to improve the IT security features of their products. In addition, users of medical devices are informed about which IT security features could be critical. Improved IT security features strengthen the confidence of patients and doctors in the security of networked medical devices. In the study, a total of six products from different categories were examined in terms of IT security.

SRC played a major role in the preparation of the eCare study. The study focused on networked products (both medical and IoT products) that are used in the field of care for the elderly or sick. These include, for example, devices for measuring vital data or a tablet for senior citizens. A total of six products from different categories were examined from an IT security perspective. The results of the study are available for download on the BSI website.

In summary, the IT security level of the products examined can be rated as poor to very poor. The results lead us to believe that none of the products examined, including their interfaces, apps, etc., have been subjected to a professional security evaluation, an independent penetration test or similar.