Security flaws in card terminals in doctor’s offices and health insurance apps

An estimated 145,000 medical practices and clinics in Germany are currently connected to the telematics infrastructure. When we asked, the manufacturer did not want to tell us how many of them use Ingenico card terminals. However, the number is likely in the six-figure range. A possible recall or replacement of the vulnerable devices would therefore involve considerable costs.

Shortly before the introduction of the electronic patient file on January 1, 2021, the data security of the telematics infrastructure is in a desolate state. At the beginning of the week, security researchers from the Chaos Computer Club discovered around 200 incorrectly configured telematics connectors that give attackers unrestricted access to patient and health data. The security researchers plan to present details of their analysis at the Remote Chaos Experience between the holidays.

Focus on medical IT

Read more about the problems of apps and card terminals in the healthcare sector in c’t 1/2021

Update 6:20 p.m.:

In the meantime, Gematik has responded to the disclosure of the security gap.

In its statement, Gematik refers to an English-language blog post by security expert Dr. Jiska Classen. Among other things, the statement says:

“Gematik has informed the manufacturer and the Federal Office for Information Security about the attack path and the researcher’s results. Together with the manufacturer, gematik will discuss how this vulnerability can be remedied in future generations of devices. Owing to the low practical exploitability, it does not affect the existing approval or the card terminals in the field.”

After months of research together with Thomas Maus, c’t informed the manufacturer Ingenico, the BSI and Gematik of the security gap and the possible attack method on September 14th. After we later consulted Dr. Classen, a dispute arose between her and Thomas Maus about the impact of the security gap. c’t ultimately agreed the statements concerning Dr. Classen with her and received her approval for publication. However, she published essential parts of the research on her blog the day before c’t did, without prior agreement.
