eHealth: Connector replacement is a €300,000,000 grave without valid reason

eHealth: Connector replacement is a €300,000,000 grave without valid reason

(You can find the German version of the article here)

About 130,000 clinics and doctors’ practices in Germany exchange their health and patient data between themselves and with health insurance companies via a special national telematics infrastructure (TI). Since the data is very sensitive, strict security requirements apply. Specially secured routers—so-called connectors—establish the connection to the TI. Their crypto-certificates expire after five years.

Responsible for the digitization of the health care system is the agency Gematik, which is largely controlled by the Federal Ministry of Health (Bundesministerium für Gesundheit, BMG). According to Gematik and BMG, the certificates cannot be renewed, so the connectors must be completely replaced after five years. The old devices become “electronic waste”, as Thomas Kriedel, board member of the National Association of Statutory Health Insurance Physicians (National Association of Statutory Health Insurance Physicians, KBV), describes it. We have now opened a connector and checked whether there is another way.

At present, there are three manufacturers that offer connectors: CGM, RISE and Secunet. In 2017, CGM had provided the KoCoBox. 15,000 of these connectors were installed at the time and will have to be renewed this year. The same replacement obligation applies to the approximately 115,000 remaining connectors – including newer models from RISE and Secunet. They will follow in the coming years.

The KBV, as one of the shareholders of Gematik, agreed to the exchange: “After sufficient examination, Gematik was unable to offer us a safe alternative, even with the manufacturers of the connectors,” Kriedel explained in an interview published by the KBV. With a software solution, the manufacturers could not guarantee that no connector would fail.

The manufacturer CGM wrote in a FAQ about the hardware exchange on its website: “Since the certificates are integral part of the connectors and cannot be removed or replaced for security reasons, their exchange is technically not possible”. According to the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI), a two-year extension of the certificates via software would be sufficiently secure without having to replace the connectors now.

We checked the claim of the manufacturer CGM and examined a KoCoBox more closely. To get to the inside of a KoCoBox, we had to remove six security screws of the type “Torx Plus Security”. We manage this with a simple blade screwdriver.

In contrast to the card terminals in the doctors’ offices, only individual software components of the connector were certified according to the international IT security standard Common Criteria and not the hardware and software as a whole. This may be one reason why the KoCoBox, the terminals, has no electronic protection unlike against manipulation. There are only two adhesive seals on it, which can be easily removed without leaving a trace and can be renewed by a technician during a repair.

The main board of the KoCoBox comes from the company os-cillation. On the left, there are three holders for gSMC-K cards – these contain the expiring crypto certificates. On the right is the orange heat sink of the CPU board – not red gold, as one would expect considering the prices.

Inside the KoCoBox there is a main board on which the power supply, buffer battery, Ethernet access and a driver module for the display are mounted. On the left-hand side are three SIM card holders, in which small device-specific Security Module Cards (gSMC-K) are inserted. The gSMC-K cards are mini smart cards with the same crypto certificates that expire after five years. The crypto tasks were distributed among three Secure Module Cards (SMC) because the processing power of a single SMC would be too weak for the everyday operation of the connector.

We were able to remove and reinsert the three gSMC-K cards together with the backup battery without any problems. The KoCoBox then booted and could be used again. This contradicts CGM’s statement that the certificates are hard-wired. When we confronted the manufacturer, they changed the text on their website (in German) to “The certificate on the card and the connector are inseparable. It is possible to physically separate them, but both are subsequently without function.” Another FAQ on the KoCoBox MED+ (in German) also still talks about hard-wired certificates.

The three gSMC-K cards with the crypto certificates can be pulled out and reinserted very easily.

Again, we have to disagree: We were even able to reanimate a KoCoBox that no longer booted by briefly removing and reinserting the gSMC-K cards and backup battery. We did not find any security fuses or similar safeguards that would prevent re-pairing of the connector hardware with a fresh set of gSMC-K cards. We asked CGM for such fuses. However, the manufacturer did not want to give us an answer.

According to our findings, it appears that the gSMC-K cards are bound to the connector hardware, but apparently not the connector hardware to the gSMC-K cards. Accordingly, one could create a new set of cards with fresh certificates for the connector and avoid the expensive hardware exchange.

For CGM, the complete hardware replacement of the connectors is quite lucrative: according to the official price list, the manufacturer charges between 2161 and 2330 euros net for an on-site replacement of its KoCoBox. Of this, 1586 euros are for the hardware alone. Although the manufacturers RISE and Secunet have not yet named any exchange prices, in the past the manufacturers’ prices differed only marginally.

When asked, CGM justified the high prices with the use of “highly secure and highly specialized components” – a statement that does not match our test results. This is because the mainboard largely corresponds to a standard industrial model that os-cillation GmbH from Siegen sells under the name BaseBoard for Qseven modules. For the KoCoBox, only the HDMI and a third Ethernet port were removed and the SMC slot was extended by two more.

The heart of the KoCoBox is this processor board from Congatec. Distributors offer series models at a single board price of 250 euros.

The mainboard includes a Congatec CPU board with the identifier QM6XLC0. It is a slightly slimmed-down special version of the Conga QMX6/QC-2G eMMC4 series model, which is currently available for 250 euros in single quantities. If you add another 150 euros for the other components such as the main board with connections, housing, display, keypad as well as assembly, final inspection and packaging, then 400 euros can be estimated as the upper limit for the manufacturing costs of the connector hardware.

The connectors from RISE and Secunet also contain gSMC-K cards, but they do not need to be replaced. This is because both connectors support certificate renewal via software.

RISE informed us: “A concept for the exchange was agreed with Gematik and the feasibility of course possible for RISE. The cryptographic private key on the gSMC-K would continue to be used, and a new certificate would be created for it. This would be sufficient for the connector to continue to be used and meet all requirements.”

If we assume a production price of 30 euros for three gSMC-K cards, we would save about 1556 euros per replaced KoCoBox – assuming the same, the labor costs for replacing the cards, installing new firmware, reconfiguring the IT in the doctor’s office and the travel time as in the calculation for the CGM connector replacement.

It is incomprehensible why Gematik insists on replacing all connectors and makes no distinction between the models of the three manufacturers. Instead of 300 million euros for the exchange of 130,000 connectors, the exchange of the gSMC-K cards of the KoCoBoxes would only cost a fraction. The software extension of the remaining connectors from RISE and Secunet would be significantly cheaper. Asked about the reasons for the complete exchange, Gematik simply replied: “The connectors have to be exchanged”, without further explanation.

Doctors could perhaps be left to bear the costs, as the health insurance funds have so far only reimbursed the initial equipment for connection to the TI. However, the doctors’ representatives are currently still negotiating with the umbrella organization of the health insurance funds for a contribution. Nevertheless, the apparently avoidable hardware replacement is unnecessarily depriving the health system of a lot of money.

Censorship in China: Sina Weibo wants to take stronger action against "spelling errors". Previous post Censorship in China: Sina Weibo wants to take stronger action against “spelling errors”.
Connector replacement in doctor's offices: 300 million grave without valid reasons Next post Connector replacement in doctor’s offices: 300 million grave without valid reasons