A Note on the Security in the Card Management System of the German E-Health Card

Transcription

1 A Note on the Security in the Card Management System of the German E-Health Card Marcel Winandy (Ruhr-University Bochum) 3rd International ICST Conference on Electronic Healthcare for the 21st Century (ehealth 2010) Casablanca, Morocco, December 2010 Mittwoch, 15. Dezember 2010

2 Introduction The German electronic Health Card (ehc) Core component of the Healthcare Telematics Each insured person will have such a card Supposed to enable new applications Smartcard with small storage + cryptographic functions German Healthcare Telematics Under development, going to be rolled out "soon" (originally 2006) Specifications by Gematik (company organization of health institutions) Health Professional Card (HPC) Similar card for all health professionals For identification, authentication, digital signatures Mittwoch, 15. Dezember 2010

3 Introduction: Use Cases of ehc Obligatory: Identification, Authentication - personalized cards - individual cryptographic keys European Health Insurance Card (EHIC) - printed on the backside Electronic Prescription - issuing and filling - directly stored on ehc Optional: Medical Emergency Data - directly stored on ehc Medication History Electronic Health Records - centrally stored on servers (in encrypted format) - ehc used to encrypt/decrypt and authorize access (via PIN) Other applications Mittwoch, 15. Dezember 2010

4 Introduction: Security & Privacy German law requires strong privacy: "Data Sovereignty" ( 291a.5 SGB V) Only the patient can define who may access the data associated with the ehc. German Ministry of Health*: ehc basic security requirements Authentication, authorization, and audit mechanisms have to be chosen so that the data sovereignty of the insured party can be taken for granted. * German Federal Ministry of Health: Entscheidungsvorlage - Festlegung der Authentisierungs-, Autorisierungs- und Auditmechanismen der Telematikinfrastruktur für die Fachanwendungen, Version 0.9.0, March Mittwoch, 15. Dezember 2010

5 German Healthcare Telematics

6 German Healthcare Telematics

7 German Healthcare Telematics

8 German Healthcare Telematics

9 German Healthcare Telematics

10 German Healthcare Telematics

11 German Healthcare Telematics

12 German Healthcare Telematics

13 German Healthcare Telematics Healthcare Telematics Boundary Mittwoch, 15. Dezember 2010

14 German Healthcare Telematics Healthcare Telematics Boundary Mittwoch, 15. Dezember 2010

15 German Healthcare Telematics Healthcare Telematics Boundary Mittwoch, 15. Dezember 2010

16 German Healthcare Telematics Healthcare Telematics Boundary ehc Mittwoch, 15. Dezember 2010

17 German Healthcare Telematics Healthcare Telematics Boundary HPC ehc Mittwoch, 15. Dezember 2010

18 German Healthcare Telematics Healthcare Telematics Boundary HPC ehc Mittwoch, 15. Dezember 2010

19 German Healthcare Telematics Healthcare Telematics Boundary HPC ehc Mittwoch, 15. Dezember 2010

20 Existing Security Analyses

21 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, Keywords: Abstract: Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Based on ISO for Information Security Management Systems, this paper introduces a newly developed security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. 1 INTRODUCTION In Germany, the Electronic Health Card (ehc) will replace the present health card as requested by law. By establishing the ehc, several improvements, such as cost savings, better ways of communication in the health care sector or the self-determination of the insured person concerning medical data, are supposed to be achieved (Schabetsberger et al., 2006). The use of IT to administrate medical data of the insured, implicates the question, whether these systems are safe enough to satisfy requirements like privacy, safety, security and availability (Heeks, 2006). The data administrated by the ehc and its infrastructure is mosltly strictly confidential as it contains personal information about peoples state of health, course of disease and hereditary diseases (Lorence and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested Mittwoch, 15. in outlook. The current security status of health care in Germany was evaluated and valuable hints for future developments in the health care sector could be derived. The paper is based on a literature review (e.g. Computers & Security, Information Management & Computer Security, Information Systems Security, International Journal of Medical Informatics, Information Systems Journal, European Journal of Information Systems, International Journal of Information Security, security & privacy, Journal of computer security, ACM Transaction on Information and Systems Security und ACM Computing Surveys). The security analysis approach presented in this paper differs from other approaches due to the following aspects: Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of upto-date techniques and standards) and regional distinctions (located in germany, regional and political

22 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Keywords: Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, Garching, Germany Abstract: Based on ISO for Information Security Management Systems, this paper introduces a newly developed {sunyaev, kaletsch, mauro, krcmar}@in.tum.de security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. Peripheral parts (end-user systems) Keywords: Security Analysis, Electronic Health Card, Health Care Telematics. 1 INTRODUCTION outlook. The current security status of health care in Abstract: This paper describes a technical security analysis which Germany is based was on evaluated experiments and valuable done in a hints laboratory for future and verified in a physician s practice. The health care In Germany, the Electronic Health Card (ehc) will developments telematics infrastructure in the health in Germany care sector stipulates could be every derived. physician and every patient to automatically be given an electronic health smart card (for patients) and a replace the present health card as requested by law. corresponding health professional card (for health care providers). We analyzed these cards and the By establishing the ehc, several improvements, such The paper is based on a literature review (e.g. peripheral parts of the telematics infrastructure according to the ISO security standard. The as cost savings, better ways of communication in the Computers & Security, Information Management & introduced attack scenarios show that there are several security issues in the peripheral parts of the German health care sector or the self-determination of the insured person concerning medical data, are supposed ternational Journal of Medical Informatics, Informa- Computer Security, Information Systems Security, In- health care telematics. Based on discovered vulnerabilities we provide corresponding security measures to overcome these open issues and derive conceivable consequences for the nation-wide introduction of to be achieved (Schabetsberger et al., 2006). tion Systems Journal, European Journal of Information Systems, International Journal of Information Se- electronic health card in Germany. The use of IT to administrate medical data of the insured, implicates the question, whether these systems are safe enough to satisfy requirements like pririty, ACM Transaction on Information and Systems curity, security & privacy, Journal of computer secu- 1 vacy, INTRODUCTION safety, security and availability (Heeks, 2006). taking Security out unda ACM loan Computing or trying Surveys). to find insurance The security analysis2001). approach Furthermore, presented inone s this paper reputation differs The data administrated by the ehc and its infrastructure is mosltly strictly confidential as it contains from other approaches due to the following aspects: (Anderson, During the next years in Germany the present health could get tarnished when the wrong pieces of own personal information about peoples state of health, Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of up- insurance card will be replaced by the new sensitive medical information becomes publicly course of disease and hereditary diseases (Lorence electronic health card (ehc) (Sunyaev et al., 2009). accessible (Schneider, 2004). and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested in tinctions (located in germany, regional and political to-date techniques and standards) and regional dis- The introduction tends to improve the efficiency of This paper is based on extensive laboratory Mittwoch, 15. the health system and the patients rights (Bales, experiments and on a detailed review of gematik s

23 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Keywords: Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Securing the E-Health Cloud Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, Garching, Germany Abstract: Based on ISO for Information Security Management Systems, this paper introduces a newly developed {sunyaev, kaletsch, mauro, krcmar}@in.tum.de security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. Hans Löhr Ahmad-Reza Sadeghi Marcel Winandy Horst Görtz Institute for IT Security Horst Görtz Institute Horst Görtz Institute Keywords: Security for IT Security Analysis, Electronic Health Card, for IT Health Security Care Telematics. 1 INTRODUCTION Ruhr-University Bochum Ruhr-Universityoutlook. BochumThe current Ruhr-University security status of Bochum health care in Abstract: This Germany paper describes a technical security Germany analysis which Germany is based was on evaluated experiments and Germany valuable done in a hints laboratory for future and hans.loehr@trust.rub.de verified in a physician s practice. ahmad.sadeghi@trust.rub.de The health care In Germany, the Electronic Health Card (ehc) will developments telematics infrastructure marcel.winandy@trust.rub.de in the health Germany care sector stipulates could be every derived. physician and every patient to automatically be given an electronic health smart card (for patients) and a replace the present health card as requested by law. corresponding health professional card (for health care providers). We analyzed these cards and the By establishing the ehc, several improvements, such The paper is based on a literature review (e.g. ABSTRACT peripheral parts of the telematics infrastructure countries according as cost savings, better ways of communication in the Computers in to the the & Security, recent ISO years Information There security are Management continuing standard. The efforts & on introduced attack scenarios show that there are several security issues the peripheral parts of the German Modernhealth information care sector technology or theis self-determination increasingly used in ofhealth- care with sured theperson goal national and international standardization for interoperability and data we provide exchange. corresponding Many different security application measures scenarios to the in- Computer Security, Information Systems Security, International Journal of Medical Informatics, Informa- health toconcerning improve care telematics. andmedical enhance Based data, medical on discovered are supposed services vulnerabilities and to reduce costs. overcome In this these context, open issues the outsourcing and derive of conceivable are envisaged consequences in electronic for the nation-wide healthcare (e-health), introduction e.g., of electronic health records [12, 23, 22], accounting and billing [17, to be achieved (Schabetsberger et al., 2006). tion Systems Journal, European Journal of Information Systems, International Journal of Information Se- computation and storage electronic resources health card to in general Germany. IT providers The use of IT to administrate medical data of the (cloud computing) has become very appealing. E-health 24], medical research, and trading intellectual property [15]. insured, implicates the question, whether these systems medical are safe data, enough and opportunities to satisfy requirements for new business like pri- (EHRs) rity, ACM aretransaction believed to on decrease Information costs inand healthcare Systems (e.g., curity, security & privacy, Journal of computer secu- clouds offer new possibilities, such as easy and ubiquitous In particular e-health systems like electronic health records access to models. 1 vacy, INTRODUCTION However, safety, they security also bear and availability new risks and (Heeks, raise2006). challenges with The respect data administrated to security and by privacy the ehcaspects. and its infras- (Anderson, ministration) rity analysis2001). approach and tofurthermore, improve presented personal inone s thishealth paper reputation management differs taking avoiding Security out expensive unda ACM loan double Computing or trying diagnoses, Surveys). to find or repetitive insurance The secu- drug ad- In this tructure paper, iswe mosltly point strictly out several confidential shortcomings as it contains of current e-health personal solutions information and standards, about peoples particularly state of they health, do infrom general. other approaches due to the following aspects: During the next years in Germany the present health could get tarnished when the wrong pieces of own Examples of national activities are the e-health approach Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of up- insurance card will be replaced by the new sensitive medical information becomes publicly not address coursetheofclient disease platform and hereditary security, which diseases a(lorence crucial in Austria [23], the German electronic Health Card (ehc) electronic health card (ehc) (Sunyaev et al., 2009). accessible (Schneider, 2004). aspect for the overall security of e-health systems. To fill system [12] under development, or the Taiwan Electronic and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested in tinctions (located in germany, regional and political to-date techniques and standards) and regional dis- The introduction tends to improve the efficiency of This paper is based on extensive laboratory this gap, we present a security architecture for establishing Medical Record Template (TMT) [22]. In Germany each insured personand will on get a smartcard detailed review that not of only gematik s contains Mittwoch, 15. privacy the domains health system in e-health and the infrastructures. patients rights Our (Bales, solution experiments ad- Peripheral parts (end-user systems) Platform security

24 Existing Security Analyses SECURITY ANALYSIS OF THE HEALTH CARE TELEMATICS INFRASTRUCTURE IN GERMANY Network security Access control policies Keywords: Michael Huber, Ali Sunyaev and Helmut Krcmar Chair for Information Systems, Technische Universität München, Germany {hubermic, sunyaev, SECURITY ANALYSIS OF THE GERMAN ELECTRONIC HEALTH CARD S PERIPHERAL PARTS Security analysis, Health Care Telematics, Electronic Health Card, Information Security Management Systems. Ali Sunyaev, Alexander Kaletsch, Christian Mauro and Helmut Krcmar Securing the E-Health Cloud Chair for Information Systems, Technische Universität München, Boltzmannstraße 3, Garching, Germany Abstract: Based on ISO for Information Security Management Systems, this paper introduces a newly developed {sunyaev, kaletsch, mauro, krcmar}@in.tum.de security analysis approach, suitable for technical security analyses in general. This approach is used for a security analysis of several components and processes of the Health Care Telematics in Germany. Besides the results of the analysis, basics for further analysis and verification activities is given. Hans Löhr Ahmad-Reza Sadeghi Marcel Winandy Horst Görtz Institute Horst Görtz Institute Horst Görtz Institute Keywords: Security for IT Security Analysis, Electronic Health Card, for IT Health Security Care Telematics. for IT Security!"#$%&#'()*+,%*&&(#&%*$%-#)./$%0#/1+0'/)#% 1 INTRODUCTION Ruhr-University Bochum Ruhr-Universityoutlook. BochumThe current Ruhr-University security status of Bochum health care in Abstract: This Germany paper describes a technical security Germany analysis which Germany is based was on evaluated experiments and Germany valuable done in a hints laboratory for future and hans.loehr@trust.rub.de verified in a physician s practice. +#1#./+*'&% ahmad.sadeghi@trust.rub.de The health care In Germany, the Electronic Health Card (ehc) will developments telematics infrastructure marcel.winandy@trust.rub.de in the health Germany care sector stipulates could be every derived. physician and every patient to automatically be given an electronic health smart card (for patients) and a replace the present health card as requested by law. corresponding health professional card (for health care providers). We analyzed these cards and the By establishing the ehc, several improvements, such The paper is based on a literature review (e.g. ABSTRACT peripheral parts of the telematics infrastructure according to the ISO security standard. The as cost savings, better ways of communication!"#$%&'()*+$ countries in the Computers in the & Security, recent years. Information There are Management continuing efforts & on introduced attack scenarios show that there are several security issues the peripheral parts of the German Modernhealth information care sector technology or theis self-determination increasingly used in ofhealth- care with sured theperson goal toconcerning improve national and international standardization for interoperability and data we provide exchange. corresponding Many different security application measures scenarios to the in- Computer Security, Information Systems Security, International Journal of Medical Informatics, Informa- health!"#$%&'"(&)*+),(+*%'$&-./0)1".2(-/.2")3(-4"%/-&5&)67(.2"(0)68(-.20)9"%'$(:) care telematics. andmedical enhance Based data, medical on discovered are supposed services vulnerabilities overcome these open issues and /8(:$"4;-(<&8'<=") and to reduce costs. In this context, the outsourcing derive of conceivable are envisaged consequences in electronic for the nation-wide healthcare (e-health), introduction e.g., of electronic health records [12, 23, 22], accounting and billing [17, to be achieved (Schabetsberger et al., 2006). tion Systems Journal, European Journal of Information Systems, International Journal of Information Se- computation and storage electronic resources health card to in general Germany. IT providers The use of IT to administrate medical data of the (cloud computing) has become very appealing.,)'$-)./0$1*#2*#34*.$ E-health 24], medical research, and trading intellectual property [15]. insured, implicates the question, whether these systems medical are safe data, enough and opportunities to satisfy requirements for new business like pri- (EHRs) rity, ACM aretransaction believed to on decrease Information costs inand healthcare Systems (e.g., curity, security & privacy, Journal of computer secu- clouds offer new possibilities, such as easy and ubiquitous In particular e-health systems like electronic health records!"#$%&'"(&)*+)>.*(*'-./0)3(-4"%/-&5&)?$//"@0)9"%'$(:) access models. 1 vacy, INTRODUCTION However, safety, they security also bear and availability new risks and (Heeks, raise2006). challenges with The respect data administrated to security and by privacy the ehcaspects. and its infras- (Anderson, ministration) rity analysis2001). approach and tofurthermore, improve presented personal inone s thishealth paper reputation management differs taking avoiding Security out expensive unda ACM loan double Computing or trying diagnoses, Surveys). to find or repetitive insurance The secu- drug ad- In this tructure paper, iswe mosltly point strictly out several confidential shortcomings as it 5*"2&4$6./2).$ contains of current e-health personal solutions information and standards, about peoples particularly state of they health, do infrom general. other approaches due to the following aspects: During the next years in Germany the present health could get tarnished when the wrong pieces of own Examples of national activities are the e-health approach Focus (health care sector; technical evaluation of security measures), being up-to-date (appliance of up- insurance card!"#$%&'"(&)*+),(+*%'$&-./0)1".2(-/.2")3(-4"%/-&5&)67(.2"(0)68(-.20)9"%'$(:) will be replaced by the new sensitive medical information becomes publicly not address coursetheofclient disease platform and hereditary security, which diseases a(lorence crucial in Austria [23], the German electronic Health Card (ehc) electronic health card (ehc) (Sunyaev et al., B%.'$%;-(<&8'<=") 2009). accessible (Schneider, 2004). aspect for the overall security of e-health systems. To fill system [12] under development, or the Taiwan Electronic and Churchill, 2005). As for example insurance companies Dezember or employers 2010would be highly interested in tinctions (located in germany, regional and political to-date techniques and standards) and regional dis- The introduction tends to improve the efficiency of This paper is based on extensive laboratory this gap, we present a security architecture for establishing Medical Record Template (TMT) [22]. In Germany each insured personand will on get a smartcard detailed review that not of only gematik s contains Mittwoch, 15. privacy the domains health system in e-health and the infrastructures. patients rights Our (Bales, solution experiments ad- Peripheral parts (end-user systems) Platform security Other open security issues

25 Open Problem: Card Management System!!! Mittwoch, 15. Dezember 2010

26 Open Problem: Card Management System!!! Einführung der Gesundheitskarte Einführung der Gesundheitskarte Kartenmanagement egk Facharchitektur Kartenmanagement egk Fachkonzept Version: Revision: main/rel_main/8 Stand: Status: freigegeben gematik_cms_facharchitektur_kartenmanagement_egk.doc Seite 1 von 81 Version: gematik Stand: Version: Revision: main/rel_main/5 Stand: Status: freigegeben gematik_cms_fachkonzept_kartenmanagement_egk_v1.3.0.doc Seite 1 von 62 Version: gematik Stand: Mittwoch, 15. Dezember 2010

27 Open Problem: Card Management System!!! Einführung der Gesundheitskarte Einführung der Gesundheitskarte Kartenmanagement egk Facharchitektur Kartenmanagement egk Fachkonzept Version: Revision: main/rel_main/8 Stand: Status: freigegeben gematik_cms_facharchitektur_kartenmanagement_egk.doc Seite 1 von 81 Version: gematik Stand: Version: Revision: main/rel_main/5 Stand: Status: freigegeben gematik_cms_fachkonzept_kartenmanagement_egk_v1.3.0.doc Seite 1 von 62 Version: gematik Stand: Mittwoch, 15. Dezember 2010

28 Card Management System

29 Card Management System

30 Card Management System

31 Card Management System

32 Card Management System

33 Card Management System

34 Card Management System

35 Card Management System

36 Card Management System

37 Card Management System

38 Card Management System

39 Card Management System

40 Card Management System

41 Card Management System

42 (1) Conflicting Requirements Security Requirement: At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized. The card issuer MUST NOT get possession of unencrypted medical application data. Availability Requirement: When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new ehc. Mittwoch, 15. Dezember 2010

43 (1) Conflicting Requirements Security Requirement: Specification requires particular technical solution: At any time, the card management is not allowed to obtain information about application contents [...] for which it is not authorized. The following secret keys MUST be presently managed in The card issuer MUST NOT get possession of unencrypted medical application the context data. of the card management: [a list of keys follows]. Availability Requirement: Copies of the keys are stored!!! When a replacement or renewal card is created, it MUST be assured that application data stored on a server (e.g., EHR) can be accessed using the new ehc. Mittwoch, 15. Dezember 2010

44 Card Management System

45 Card Management System

46 Card Management System

47 (2) Creating Replacement Cards Lost/stolen ehc or switching health insurance implies creating a replacement card Copies of the keys from the old card are used: All data required for the production of the card are available. The card issuer may assign the creation of the card to one or more service providers. Mittwoch, 15. Dezember 2010

48 Card Management System

49 Card Management System

50 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

51 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

52 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

53 (3) Re-Encrypting Data Issuing replacement or renewal card implies re-encryption of data Input needed for Card Issuer: ICCSN (ehc ID) Input for the Application Operator: [Card Issuer] transmits the ICCSN of the insured party and other data to the application operator. Application Operator processes the application data. Mittwoch, 15. Dezember 2010

54 Card Management System

55 Card Management System

56 Card Management System Violation of Data Sovereignty of the Patient!!!! Mittwoch, 15. Dezember 2010

57 Conclusion German E-Health Card: complex security architecture Card Management System has serious flaws: Copies of the secret keys of the patients are stored and could spread to other (unauthorized) parties Data Sovereignty of the patient is violated! Possible solution: remove technical requirement (instead: designs could use, e.g., secret key sharing) MediTrust (Platform security for end-users) ebpg ebusiness Plattform Gesundheit (Alternative security solution for accessing electronic health records) Mittwoch, 15. Dezember 2010

58 Questions? Contact: Marcel Winandy Ruhr-University Bochum Mittwoch, 15. Dezember 2010