For decades, the federal government overslept the digitization of medicine, now it cannot go fast enough. From the coming year, everything from electronic patient files and e-prescriptions to tele-consultation will gradually run through apps on the smartphone. With hundreds of medical and health apps in the Apple and Google stores, there has so far been little opportunity for users to check their quality.
Why such a quality check is important, however, shows a security check of almost two dozen apps from German health insurances, which the computer magazine c’t carried out together with the NDR and David Wischnjak, security consultant at Ciphron GmbH. Vishnyak found, among other things, login data and passwords in plain text, outdated software libraries and unencrypted data transfers in the code of the Android apps. The security expert sees some catching up to do with the use of trackers, the parameters of transport encryption and the APK signature process. Numerous AOK apps that offered little more functionality than a website made a negative impression. Only the TK app was able to convince the c’t authors.
Hacker experiment at the card terminal
In another hacking experiment with card terminals, c’t reveals the simple handicraft utensils with which the security precautions of the ORGA 6141 Online card reader from Ingenico, which is widely used in medical practices, can be bypassed within a few minutes. After a tip from an anonymous hacker group, the c’t editors were able to purchase terminals on eBay – without proof of medical activity.
We sent the test devices to Dr. Jiska Classen from the Secure Mobile Networking Lab (SEEMOO) at TU Darmstadt to examine the hackers’ attack path as outlined. Dr. Classen was able to cut through an electronic protective film behind an unsecured bottom flap of the terminal within a few minutes without triggering a security alarm. The unprotected contacts of the card slot for ID cards for health professionals are located under the film. The operation was documented by Dr. Classes in one video.
The anonymous hackers could use a logic analyzer to access unencrypted commands and PIN entries in the device from these contacts. Security expert Thomas Maus, who analyzed the group’s attack path for c’t, therefore sounded the alarm: through the gap in the device, attackers could hide a small micro-computer with WiFi, access and manipulate health data, and write prescriptions. According to Maus, the card terminal would not meet the security requirements required by the Common Criteria.
It is still unclear why the card terminals sealed with BSI seals have an easy-to-open bottom flap. This is neither glued – as described in the manual – nor secured with seals from the BSI. The deviation between the device and the manual contradicts the security requirements of the Common Criteria, according to which the terminals are specified.
It is noteworthy that Gematik GmbH, which is responsible for organizing and securing the telematics connection of the medical practices, apparently suspected when the card terminals were approved three years ago how easily an attacker could overcome the technical protection. But instead of demanding more robust technology, they contented themselves with organizational security requirements. Doctors and clinics are allowed to leave said terminals unattended for a maximum of ten minutes.
The doctors we interviewed were previously unknown. Since doctors and clinics are still legally responsible for the security of their patients’ data, they must be given particularly detailed information about any risks. However, there is still no data protection impact assessment of the telematics infrastructure that would meet this information requirement.