In German medical practices and clinics, 130,000 connectors are to be replaced because their crypto certificates expire after five years. In addition, the health insurance companies are to reimburse the doctors a total of 400 million euros – including money for further software updates and security cards.
The connectors are a kind of secure hardware router that connects practices, clinics, psychotherapists and pharmacies to the telematics infrastructure (TI). The computer magazine c’t unscrewed a connector to check the claim by the manufacturer CGM that the security certificates were permanently installed.
It turned out that the certificates in the connectors are located on three small device-specific security module cards of “type connector” (gSMC-K cards), which are physically easy to exchange. The article thus refutes the claim that the gSMC-K cards are permanently attached to the connector and that detaching the card from the connector would render the system unusable.
Gematik takes a stand
In the meantime, Gematik has commented on the c’t article:
“It stands to reason […] that when the gSMC-K was removed as described in the article, the same (!) card was also reinserted into the connector – so the card itself was NOT replaced. If this were the case, it is not surprising that the connector continued to work afterwards; after all, nothing has changed in its configuration.”
Gematik thus correctly summarizes passages of our article: In our test, we removed the three gSMC-K cards and then read them out with SMC readers. So the SMCs were powered and could have detected that they weren’t plugged into a connector. They could have deactivated themselves permanently – but this did not happen. We then started the connector with and without various partial sets of SMCs. It did not boot into operational readiness in that state, and it could have recognized that it had been opened and that the SMCs had been manipulated. After that, the connector could have permanently deactivated itself – but it didn’t. We then restored the original condition and thereby made the connector functional again.
Device not rendered unusable by security functions
Our conclusion from the experiment is that there do not appear to be any security features that render the device unusable as soon as an SMC is removed. Such features could, for example, be security fuses that blow as soon as the connector boots without its SMCs. Mechanisms of this kind are built into game consoles, for example, where they prevent a firmware downgrade used to start illegally copied games. However, such safeguards were not present in the connector opened by c’t (KoCoBox from CGM).
Of course, using arbitrary SMCs from another connector cannot work, since the SMCs are linked to the serial number of the hardware and encrypt the file system and the data traffic with the TI. According to our findings, however, there is nothing to prevent the manufacturer of the SMC cards from creating a new set with fresh certificates, which can then be paired with the connector again. Apparently this is just a question of will and software. Beforehand, you might have to create a backup of the old configuration and restore it after the change.
Incidentally, a similar exchange of the gSMC-KT cards inserted there is planned for the card terminals (KT) connected to the connectors. Their SMC cards also have to be changed when the connector is exchanged, which the health insurance companies reimburse with 100 euros per SMC card, according to the KBV.
In this respect, we cannot understand why Gematik is sticking to its previous strategy:
“In our opinion, the solution proposed in the heise / c’t report of replacing the gSMC-K is not a solution for use in practices, since, among other things, the security specifications are violated. As was confirmed to us by all manufacturers on request, the described exchange of the gSMC-K is technically not possible.”
In its reaction, Gematik does not explain which security requirements make such a card exchange technically impossible for the connectors. It only speaks of “technical reasons” without specifically explaining them.
Flexible security requirements
If there are such requirements, the question would be whether they really have to be adhered to so meticulously, or whether, given the almost 400 million euros estimated for the replacement, they could not be adapted without further jeopardizing the security of the TI. After all, Gematik reacted in a similarly flexible manner when approving the ORGA Protect attachments, which are intended to reduce ESD problems with the card readers from Worldline Healthcare. Such attachments are actually forbidden on the card terminals, but Gematik turned a blind eye.
BSI has no concerns about certificate extensions
According to a report by the Handelsblatt, the Federal Office for Information Security (BSI) had no fundamental reservations about extending the security certificates with a software update. Such an update should be possible without any problems, at least for the connectors from RISE, as the manufacturer confirmed to us. Gematik boss Leyck Dieken also said in an interview in April that the “extension of the previous connector” would also be possible as an alternative to replacing the connector.
With the software update described by the connector manufacturer RISE, the service life of the connectors with the current gSMC-K cards could be extended at least until 2025. From 2025, new, longer security keys will be necessary. However, since the encryption with the keys takes place entirely on the gSMC-K cards, we see no reason why the security requirements from 2025 onwards could not be met by replacing the cards.
According to CGM, “pairing” the connector with new gSMC-K cards is “not permitted”, as the company told the Handelsblatt. According to the manufacturer Secunet, a card exchange would not work. “As a result, the device shuts down again immediately after the card has been checked,” Secunet told the Handelsblatt. In our opinion, both formulations indicate that a card exchange with adapted software – with appropriate security precautions – would be technically feasible.
You have to distinguish very carefully here whether the reasons for not exchanging a card are a factual impossibility or an actual security threat to the TI – or the unwillingness or inability of individual manufacturers. The latter ultimately benefit from the sale of the new connector hardware.
The National Association of Statutory Health Insurance Physicians applies pressure
The National Association of Statutory Health Insurance Physicians (KBV) is also not satisfied with the statements made by Gematik: in a letter to Gematik boss Dr. Markus Leyck Dieken, KBV board member Dr. Kriedel calls for a “clarifying assessment as soon as possible”. The KBV had only agreed to the expensive connector replacement in February on the basis of Gematik’s statement “that after consultation with the manufacturers and the Federal Office for Information Security (BSI) there was no possibility of installing a new certificate in the connector”.
The health insurance companies are to reimburse doctors a total of 400 million euros – including money for further software updates for the electronic patient file (ePA 2.0). However, the National Association of Statutory Health Insurance Physicians (KBV) rejects the arbitral award because the sum does not cover the costs.
KBV board member Dr. Kriedel on the arbitral award on the connector exchange
According to Kriedel, the reimbursements of 2,300 euros per practice awarded by the Federal Arbitration Office are far from covering the costs. So far, practices have paid an average of 9,000 euros in addition to the reimbursements for the connection to the TI. Therefore, even after the arbitral award, the doctors have an interest in keeping the costs as low as possible.
Open questions of the KBV
The latest statement by the KBV shows that it was apparently incompletely informed at the shareholders’ meeting on February 28th and was therefore unable to make a well-informed decision to replace the connector. The KBV is now demanding that Gematik resolve a number of issues by the next meeting in August, including the following:
- Are we correct in assuming that the shareholders at the shareholders’ meeting on February 28, 2022 were presented with a complete set of facts at that point in time, on which they could make the decision?
- If not, what facts were missing and why were they not made available?
- Were the gSMC-K exchange approaches shown in the c’t article checked before the shareholders’ meeting on February 28, 2022 – technically, legally and in regulatory terms (according to the Gematik and BSI specifications)?
- If so, why were these results not presented to the shareholders at the shareholders’ meeting on February 28th?
- If not, by when will Gematik check, evaluate and make the results available?
Every year counts
According to the Handelsblatt, insiders are currently assuming that the extended TI (TI 2.0) will not start until 2027. With TI 2.0, the connectors should become superfluous because the data communication is then secured by software. The date is being pushed further into the future from year to year; originally, January 2023 was mentioned. If there are any further delays, the now-updated connectors may need to be swapped out again before TI 2.0 actually launches at some point. With a software update, one could at least secure a time buffer and also sit out the currently tense procurement situation for electronic components, with which the manufacturers justify their high prices, among other things.
Last but not least, the manufacturers justify their cost calculations with the disposal of the old connectors. You could probably relieve them here by handing in the old devices – which the practices bought and paid for – free of charge at the nearest recycling center after the certificates have expired. After all, they are supposed to be electronic waste that the manufacturers cannot recycle.