(This article is also available in German)
Around 130,000 clinics and medical practices in Germany exchange their health and patient data with the health insurance companies via the telematics infrastructure (TI). Since the data is very sensitive, strict security requirements apply. Specially secured routers – so-called connectors – establish the connection to the TI. Their crypto certificates expire after five years.
The digitization agency Gematik, which is largely controlled by the Federal Ministry of Health (BMG), is responsible for the TI. According to Gematik and BMG, the certificates cannot be renewed, meaning that the connectors have to be completely replaced after five years. The old devices become “electronic waste”, as Thomas Kriedel, board member of the National Association of Statutory Health Insurance Physicians (KBV), describes it. We have now opened a connector and checked whether there is another way.
Issue of certificate extension
There are currently three manufacturers who offer connectors: CGM, RISE and Secunet. In 2017, CGM provided the KoCoBox. At that time, 15,000 of these connectors were installed, which will have to be renewed this year. The same obligation to replace applies to the approximately 115,000 other connectors – including newer models from RISE and Secunet. They will follow in the years to come.
“The old devices become electronic waste”
As one of the shareholders of Gematik, the KBV has agreed to the exchange: “After sufficient testing, Gematik was not able to offer us a secure alternative, even with the manufacturers of the connectors,” explained Kriedel in an interview published by the KBV. The manufacturers could come up with a software solution cannot guarantee that no connector will fail.
The manufacturer CGM wrote in an FAQ about hardware replacement on its website: “Since the certificates are permanently installed in the connectors and cannot be removed or replaced for security reasons, their replacement is technically not possible.” According to the Federal Office for Information Security (BSI), a two-year extension of the certificates via software would be sufficiently secure without having to replace the connectors now.
We have checked the statement of the manufacturer CGM and examined a KoCoBox more closely. To get to the inside of a KoCoBox, we had to remove six “Torx Plus Security” type security screws. We managed to do that with a simple blade screwdriver.
In contrast to the card terminals in the medical practices, only individual software components were certified for the connector according to the international IT security standard Common Criteria and not the hardware and software as a whole. This may be one reason why the KoCoBox, unlike the terminals, has no electronic protection against manipulation. There are only two adhesive seals on it, which can be easily removed without a trace and renewed by a technician during a repair.
The main board of the KoCoBox comes from os-cillation. On the left are three holders for gSMC-K cards – these contain the expiring crypto certificates. On the right is the CPU board’s orange heatsink – not red gold, as one would expect given the prices.
Inside the KoCoBox, a main circuit board fills the housing. It contains the power supply, backup battery, Ethernet access and a driver module for the display. There are three SIM card slots on the left, which contain small, device-specific Security Module Cards (gSMC-K). The gSMC-K cards are mini smart cards with just those crypto certificates that expire after five years. The crypto tasks were distributed to three Secure Module Cards (SMC) because the processor performance of a single SMC would be too weak for the everyday operation of the connector.
We were able to remove and reinsert the three gSMC-K cards together with the backup battery without any problems. The KoCoBox then booted without complaint and could continue to be used. This contradicts CGM’s statement that the certificates are permanently installed. When we confronted the manufacturer, they changed the text on their webpage to “The certificate on the card and the connector are inseparable. It is possible to physically separate them, but both are subsequently non-functional.” Another FAQ for the KoCoBox MED+ also talks about permanently installed certificates.
The three gSMC-K cards with the crypto certificates can be easily pulled out and reinserted.
Here, too, we have to disagree: We were even able to reanimate a KoCoBox that no longer booted by briefly removing and reinserting the gSMC-K cards and backup battery. We did not find any security fuses or similar safeguards that would prevent the connector hardware from being re-paired with a fresh set of gSMC-K cards. We asked CGM about such fuses. However, the manufacturer did not want to give us an answer.
As far as we know, there is every indication that the gSMC-K cards are bound to the connector hardware, but apparently not the connector hardware to the gSMC-K cards. Accordingly, one could create a new set of cards with fresh certificates for the connector and avoid expensive hardware replacement.
For CGM, the complete hardware replacement of the connectors is quite lucrative: According to the official price list, the manufacturer charges between 2161 euros and 2330 euros net for an on-site replacement of its KoCoBox. Of this, 1586 euros are allotted to the hardware alone. Although the manufacturers RISE and Secunet have not yet given any replacement prices, in the past the manufacturers’ prices differed only marginally.
When asked, CGM justified the high prices with the use of “highly secure and highly specialized components” – a statement that does not match our test results. Because the mainboard largely corresponds to a standard industrial model that os-cillation GmbH from Siegen uses under the name BaseBoard for Qseven modules For the KoCoBox, only the HDMI and a third Ethernet connection were removed and the SMC slot was supplemented by two more.
The heart of the KoCoBox is this processor board from Congatec. Series models are available in stores at a unit price of 250 euros.
A Congatec CPU board with the designation QM6XLC0 belongs to the mainboard. It is a slightly slimmed-down special version of the “Conga QMX6/QC-2G eMMC4” series model, which is currently available individually for 250 euros. If you add another 150 euros for the other components such as the main board with connections, housing, display, keypad as well as assembly, final inspection and packaging, then 400 euros can be estimated as the upper limit for the manufacturing costs of the connector hardware.
Certificate extension via software
There are also gSMC-K cards in the connectors from RISE and Secunet, but these do not have to be replaced. Because both connectors support a certificate extension via software.
RISE informed us: “A concept for the exchange was coordinated with Gematik and the feasibility was of course possible for RISE. The cryptographic private key on the gSMC-K should continue to be used and a new certificate should be created for it. That would be sufficient for the connector , in order to continue to be used and to meet all requirements.”
Avoidable hardware replacement
If you set a total production price of 30 euros for three gSMC-K cards, you could save around 1556 euros per exchanged KoCoBox. We assume that the labor costs for replacing the card, installing new firmware, reconfiguring the practice IT and getting there and back are roughly the same as for the calculation for the CGM connector replacement.
It is incomprehensible why Gematik still insists on replacing all connectors and makes no distinction between the models of the three manufacturers. Instead of 300 million euros for the exchange of 130,000 connectors, the exchange of the gSMC-K cards of the KoCoBoxes would only cost a fraction. The software extension of the other connectors from RISE and Secunet would be significantly cheaper. When asked about the reasons for the complete replacement, Gematik simply replied: “The connectors have to be replaced”, without further explanation.
The doctors could perhaps be left with the costs, since the health insurance companies have so far only reimbursed the initial equipment for the connection to the TI. However, the doctors’ representatives are currently still negotiating with the central association of health insurance companies for participation. Nevertheless, the apparently avoidable hardware replacement unnecessarily deprives the healthcare system of a lot of money.