After CCC attack: video identification procedure is suspended

Health insurance companies are currently no longer offering identity verification via the video identification procedure. Behind the stop is a report by the Chaos Computer Club.

[Image: © Chaos Computer Club]
The national agency for digital medicine (Gematik) has prohibited health insurance companies from using the video identification process for security reasons. The Chaos Computer Club (CCC) had previously demonstrated how it had gained access to a test person’s patient file using the video identification procedure.
The CCC therefore demanded that this unsafe technology “no longer be used where there is a high potential for damage”. In a 30-page report, CCC security researcher Martin Tschirsich showed an attack on the video identification system using simple means such as open source software and “a bit of red watercolor paint”. The security researcher thus succeeded in outwitting various video identification solutions and deceiving the employees performing the checks; the attacks went undetected.
Videoident can be circumvented with the simplest of means
In this way, Tschirsich gained access to the personal health data of a test person who was aware of the test. As can be seen from the document, “among them were redeemed prescriptions, certificates of incapacity for work, medical diagnoses and original treatment documents”. The CCC assumes that people familiar with the subject could carry out the attack within a very short time and “with little effort”. The risk of abuse is too high to continue using the system. The security researcher also considers checks by artificial intelligence (AI) to be unreliable: “The assumption that modern video identification processes can eliminate the known weaknesses ‘through the use of artificial intelligence’ has turned out to be wrong in practice,” according to Tschirsich.
As Gematik writes in its announcement, other identification methods are not affected and can continue to be used. These include Postident, procedures for the online ID function or the on-site check. Furthermore, Gematik and the Federal Ministry of Health are working on providing additional procedures that include an on-site assessment of the ID card.
Bitkom criticizes the decision
The IT industry association Bitkom criticized the decision:
“With the blanket and unannounced ban on video identification procedures at health insurance companies, Gematik has done patients in Germany a disservice. Instead of approaching providers with suspected security gaps and working out solutions, all services were blocked across the board. Anyone who now wants to use digital health services that require authentication must appear in person at a branch of the health insurance company or the post office,”
explains Bitkom CEO Dr. Bernhard Rohleder.
According to Bitkom, the online function of the ID card is “no viable alternative yet”, because too few citizens have activated this function or know how the system works. This makes the further rollout of the electronic patient record “unnecessarily” difficult.
Gematik and the Federal Ministry of Health only want to decide on the re-approval of video identification procedures when the providers provide concrete evidence that their procedures are no longer susceptible to the weaknesses shown.