E-prescription with health card: data protection officers reject the specified route

The Federal Data Protection Commissioner and the BSI consider the method of redeeming e-prescriptions with the health card, as specified by Gematik, to be inadequate.

Since redeeming the e-prescription with the e-prescription app is cumbersome, Gematik GmbH, which is responsible for digitization, has specified an additional way in which the e-prescription can also be redeemed with the electronic health card (eGK). Data protection officials, however, consider this specification problematic: both the Federal Commissioner for Data Protection and Freedom of Information (BfDI) and the Federal Office for Information Security (BSI) consider this method of redemption to be non-compliant with data protection law. For the time being, the 2D codes (tokens) required for e-prescriptions will therefore continue to be printed on paper or sent directly to the e-prescription app.

The BfDI considers it critical that, without proof of verification, access is possible to the data of insured persons, which is held in unencrypted form in a trustworthy execution environment (VAU) for processing. Unauthorized persons, such as pharmacy employees or IT staff, could thus view the data of an e-prescription with nothing more than the insurance number. As one possible solution, the BfDI proposes, among other things, that an access token be issued by the insured master data management (VSDM). This token could also be transmitted over the Internet, as transport encryption is available there as well. Gematik's own specification "Redeeming without logging in to the e-prescription specialist service in the E-RezeptFdV" also provides for this.

A "direct communication between the VSDM service and the e-prescription specialist service and the assignment using a process number" is a conceivable alternative. Although this would require changes to the pharmacy management system and the e-prescription specialist service, such changes are due anyway for the other planned methods. The BfDI justifies its decision, among other things, with the fact that the risk of abuse "against the background of a central e-prescription store for all German insured persons is very high". The Commissioner also rates the probability of occurrence as very high, given the more than 18,000 pharmacies in Germany with "varying levels of IT security". While he acknowledges that the legislator wants to add a fine for misuse of e-prescription data to the planned Hospital Care Relief Act, such a regulation does not protect preventively, whereas the GDPR is designed for prevention.

After the Chaos Computer Club (CCC) had criticized, among other things, that the data in the VAU is unencrypted, Gematik's managing director Leyck Dieken replied that this security gap had been accepted deliberately, following the example of other countries. The data is "deliberately not encrypted end-to-end" because Gematik wanted it that way: this is meant to keep the data accessible and usable for research. "We will never have structured data if we encrypt end-to-end."

Originally, this additional method of redemption was supposed to be available in November, as demanded by the Association of Statutory Health Insurance Physicians of Westphalia-Lippe (KVWL). Otherwise, the KVWL, with reportedly 250 practices, no longer wants to "actively" participate in the introduction of the e-prescription, joining the Schleswig-Holstein Association of Statutory Health Insurance Physicians.