Connector exchange: CompuGroup Medical puts doctors under pressure

The manufacturer CGM defends itself in a letter to doctors about the connector replacement with questionable and truncated statements. An analysis.


On August 30, 2022, CompuGroup Medical (CGM) sent “important contractual information” to its contractual partners for the KoCoBox, a special router (connector) that links practices to the telematics infrastructure (TI) of the healthcare system for the exchange of patient data. CGM’s letter is a response to our reporting on the connector replacement, which our research has shown to be unnecessary. In the letter, CGM informs its customers about “the need for a connector exchange” because “due to various rumors and publications, uncertainties surrounding the telematics infrastructure (TI) and the need for a connector exchange” had been created.


CGM writes there, among other things:

“One […] Possibility to postpone the replacement of a connector for a short period (until 12/31/2024) is a software solution. However, this can and requires uncertainties in the operation of such connectors […] by December 31, 2024 at the latest, also the replacement of the connectors. According to our calculation, taking all the facts into account, this solution is significantly more expensive than an immediate replacement (and that’s at today’s prices).”

These statements clearly contradict our findings. CGM indirectly warns of rising prices if doctors do not commission an “immediate replacement”. However, CGM had already announced last year that it had bought “tens of thousands of devices for millions of euros” for the upcoming connector exchange. CGM’s margin was evidently large enough that prices were reduced to the reimbursement amount immediately after the medical associations protested; CGM will hardly be able to push through subsequent price increases in the market.

Furthermore, CGM alludes to unspecified “uncertainties in operation” after a runtime extension, uncertainties that supposedly do not arise after the “normal but enormously important process” of replacing the connector. We wonder what these “uncertainties” are supposed to be: the software solution CGM mentions is the specification “Feature runtime extension gSMC-K 1.0.0” published by Gematik on June 30, 2021. It is meant to make it possible to replace the expiring certificates on the connectors’ crypto cards (the gSMC-K) with fresh certificates, and thereby to avoid the upcoming connector exchange.

The Federal Office for Information Security (BSI) has confirmed to us that it has no security objections to this Gematik specification. The runtime extension was planned as a mandatory part of product type version 5 (PTV5) for connectors and would therefore have been subject to Common Criteria certification against the protection profiles and to approval by Gematik.

CGM writes in the letter to the doctors:

“This specification was initially planned by CGM for development, but was not implemented because Gematik’s shareholder resolution to replace the connectors on February 28th, 2022 was clear.”

CGM refers here to the decision of February 28th to replace all connectors with expiring certificates; the runtime extension feature was subsequently removed from the specifications (see below). Gematik has yet to explain why the runtime extension was withdrawn.

Interestingly, the competitors RISE and Secunet had already implemented the feature, which according to Gematik is mandatory, in December 2021, whereas CGM still had not implemented it eight months after the specification was published. When asked why, CGM spokesman Jürgen Veit referred us to this letter to the contractual partners. CGM gave no concrete answer.

CGM itself, however, provides a hint: apparently the 1st and 2nd generation KoCoBoxes are among the devices whose runtime is limited by their encryption technology:

“Several connectors on the market are affected by this runtime limitation caused by the encryption technology. However, this does not affect the 3rd and 4th generation connectors currently sold by CGM.”

One possible explanation: despite being certified by Gematik, the older CGM devices do not meet the requirements for long-term operation. It is striking that neither Gematik nor CGM mentions the generation of new, sustainable key material (ECC 384 bit) inside the crypto cards themselves, which we raised in our appeal to Health Minister Karl Lauterbach and which has been planned since 2017. This feeds our suspicion that, in the haste of the 2017 rollout, these forward-looking specifications were never implemented, and that the solidarity community is now to pay for correcting this omission.

“The final version of the PTV5 that has been approved no longer contains the specification for extending the term of the crypto certificates.”

Taken in isolation, this statement is correct but misleading. It is true that the “approved final version” of PTV5 no longer contains the specification in question. What CGM does not mention is that the runtime extension for the crypto certificates was only removed in specification version 5.2.0-0 of May 9, 2022, i.e. after the decision in favor of the connector exchange had already been made.

In the letter to the doctors, the manufacturer increases the pressure to decide by repeatedly stressing that the connectors in use today will expire on December 31, 2024:

“The current encryption technology will no longer be permitted as of 01/01/2025.

Gematik and the BSI recently made it clear that it is not possible to extend the period in which RSA2048 keys and their certificates are permitted for encryption beyond December 31, 2024.”

At least with regard to the BSI, these statements are wrong: according to the authority, continued operation with the 2048-bit RSA keys currently used in the connectors would be justifiable until the end of 2025. At the request of voonze online, the BSI pointed out that, according to the guidance of ENISA (the European Union Agency for Cybersecurity), RSA keys would only have to be at least 3000 bits long from 2026.

With its statements, CompuGroup Medical also leaves itself open to criticism insofar as the company itself caused the current situation: it was because CGM, in breach of its duty, had not implemented the “feature runtime extension” that the connector exchange got rolling in the first place. Why Gematik did nothing to counteract this must be clarified elsewhere.

But what can you do as a doctor who has received this letter? First, check when the KoCoBox’s crypto certificate actually expires. For KoCoBoxes from 2019 the expiration date is printed on the serial number plate; alternatively, you can read the date in the connector’s admin GUI.

If the certificate expires in the coming weeks, please contact the editors. Otherwise there is no reason to replace the connector now. Apart from that, the reimbursement for replacing the devices is fixed at 2300 euros regardless of the manufacturer, so the price increases CGM hints at will be difficult to enforce. You could also consider switching connector providers, because the PTV5-capable connectors from RISE and Secunet already support the comfort signature and the electronic patient file 2.0 (ePA 2.0).

There are also connector-as-a-service offers that connect practices to the telematics infrastructure via data centers. Here, too, make sure when choosing that the connectors support the functions available with PTV5.

Should a provider oppose a necessary connector change or demand additional fees, a reference to the planned Hospital Care Relief Act (KHPflEG) could persuade them to give in, because it provides for an “obligation for providers and manufacturers of information technology systems, subject to fines, to guarantee a non-discriminatory integration of the components and services of the telematics infrastructure required for contract medical care without charging additional costs or fees for service providers”.

As things stand, alternative solutions such as the runtime extension mentioned above are only possible for devices whose certificates expire from September 2023 onward. But we would not be surprised if further options emerged earlier to relieve the solidarity community and avoid electronic waste.

Brian Adam