The gradual introduction of the e-prescription has begun in some doctors' practices. By spring 2023 it is meant to replace the familiar pink paper prescription. gematik is responsible for the design of the e-prescription.
gematik is a company founded by the leading healthcare organizations; its task is to develop the technical specifications of the data formats, services and components required for the telematics infrastructure (TI). In the past, members of the CCC have repeatedly had to deal with half-baked solutions from gematik: they successfully attacked the issuing of practice ID cards and criticized both the electronic health card (eGK) and the electronic patient record (ePA).
A current analysis of the e-prescription likewise reflects poorly on gematik, despite the long lead time and enormous costs, and even though rollout is now supposed to begin immediately. The e-prescription suffers from numerous problems:
Poor availability
CCC experts criticize that the availability requirements for the “medication supply” sector of critical infrastructure (KRITIS) cannot be met with the e-prescription system as designed: if central services of the telematics infrastructure fail, as they most recently did in 2020, it would be impossible to redeem e-prescriptions for weeks. It is also unclear whether the paper process will remain available as a fallback in the event of an accident or disaster once the e-prescription is introduced as planned.
Insufficient understanding of encryption
The CCC experts also criticize that the e-prescription system produces medical data in plaintext at a central location. gematik does not provide for end-to-end encryption; instead, it uses misleading wording that creates exactly that impression:
“The e-prescriptions are transmitted from the doctor’s practice in encrypted form to a central service, where they are stored and processed in encrypted form and retrieved again in encrypted form by the pharmacy. This protects the e-prescriptions from unauthorized access.”
The crucial step, processing, takes place unencrypted. gematik promises to process the data in a “trusted execution environment” (VAU, Vertrauenswürdige Ausführungsumgebung). However, a user cannot verify this; in a well-designed system she would not have to trust the server blindly. Moreover, this VAU is built on Intel SGX, a technology that is outdated, has been successfully attacked repeatedly, and is mainly used for copy protection.
This means that gematik, which is 51 percent state-owned, is sitting on a huge pile of data, and all that protects it is the principle of hope and outdated Intel technology. Since gematik specifies the software and hardware itself, the data could be made accessible by a suitable change to the specification, for example after a change in the law. “Where there is a trough, the pigs gather,” the Federal Constitutional Court once taught us, and unfortunately this has been reality many times in the past and again recently: the CCC, together with the Gesellschaft für Freiheitsrechte (Society for Civil Rights), is suing against the central collection of health data under the new Digital Healthcare Act (Digitale-Versorgung-Gesetz).
Not by accident: unacceptable security level
To retrieve an e-prescription with the electronic health card (eGK) at a pharmacy, the health insurance number (KVNR) is sufficient. The CCC researchers consider this unacceptable. “This is a level of security like we had with credit cards fifteen years ago and which has now even been banned there,” said Fabian “fluepke” Luepke, a security researcher at the CCC. The presence of the eGK is checked only in the front end, and thus only inadequately, as gematik itself openly admits in its specification:
“The e-prescription specialist service can therefore neither check the integrity nor the authenticity of a test certificate. It is the responsibility of the AVS [pharmacy management system] to implement the processes […] in accordance with gematik’s requirements.”
Holm Diening, “Chief Security Officer” at gematik, defends the approach of performing the check only in the front end. It is, in fact, intentional:
“It is logical that such measures in the client can be overcome if they are intentional. […] So we are moving from prevention to detection + response. Not accidentally, but consciously.”
In other words, the check is deliberately omitted in the backend, that is, on gematik’s central data store, and the system simply relies on the (online) pharmacy somehow verifying that the eGK is present. “By this logic, gematik would not need to lock its data centers because burglary is prohibited,” Luepke continued.
The door is even open to simple fraud: if, for example, the insurance numbers of celebrities become known, an employee of an online mail-order pharmacy can gain access to their prescriptions and sell them to the tabloid press.
There is an audit log that could in principle reveal to patients that pharmacies have misused their data. Checking it regularly, however, takes considerable effort and technical understanding. It is also unclear what penalties pharmacies face and whether they can simply excuse themselves by claiming their systems were attacked.
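The difference between a check that lives only in the client and one the backend performs itself can be shown in a few lines. The following is an added example, not gematik's interface or specification: it models a hypothetical retrieval endpoint twice. The first version trusts a client-supplied `egk_present` flag, so anyone who knows a KVNR gets the prescriptions. The second version issues a fresh challenge and releases data only after verifying a response that can only be produced with the card's key. The KVNR, the prescription text and the keys are constructed sample data; an HMAC stands in for the card's signature purely to keep the example standard-library only, a real card would use an asymmetric key.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical, not real identifiers).
KVNR = "A123456789"
CARD_KEY = secrets.token_bytes(32)                 # held only by the eGK
REGISTERED_CARD_KEYS = {KVNR: CARD_KEY}            # what the backend knows
PRESCRIPTIONS = {KVNR: ["Ibuprofen 400 mg, 20 tablets"]}

# Challenges the backend has handed out and not yet consumed.
_OUTSTANDING_CHALLENGES = set()


# --- Design 1: the backend trusts a flag the client sets -------------------
def fetch_frontend_checked(request):
    """Release prescriptions if the client merely *claims* the eGK was present."""
    if not request.get("egk_present"):
        raise PermissionError("eGK not presented")
    return PRESCRIPTIONS[request["kvnr"]]


# --- Design 2: the backend demands proof of card presence ------------------
def issue_challenge() -> bytes:
    """Backend step 1: fresh, unpredictable nonce bound to one retrieval."""
    challenge = secrets.token_bytes(16)
    _OUTSTANDING_CHALLENGES.add(challenge)
    return challenge


def card_sign(card_key: bytes, challenge: bytes) -> bytes:
    """Card-side step: only a device holding the card key can produce this."""
    return hmac.new(card_key, challenge, hashlib.sha256).digest()


def fetch_backend_checked(request, challenge: bytes):
    """Backend step 2: verify the card's response, then release the data.
    The challenge is consumed so a captured response cannot be replayed."""
    if challenge not in _OUTSTANDING_CHALLENGES:
        raise PermissionError("unknown or already used challenge")
    _OUTSTANDING_CHALLENGES.discard(challenge)
    key = REGISTERED_CARD_KEYS.get(request["kvnr"])
    if key is None:
        raise PermissionError("unknown KVNR")
    expected = card_sign(key, challenge)
    if not hmac.compare_digest(expected, request["card_response"]):
        raise PermissionError("card proof invalid")
    return PRESCRIPTIONS[request["kvnr"]]


# --- Scenarios ------------------------------------------------------------
def forged_request_succeeds(backend_checked: bool) -> bool:
    """An attacker who knows only the KVNR (no card) tries to read prescriptions."""
    challenge = issue_challenge()
    forged = {"kvnr": KVNR, "egk_present": True,
              "card_response": secrets.token_bytes(32)}   # guessed, no card key
    try:
        if backend_checked:
            fetch_backend_checked(forged, challenge)
        else:
            fetch_frontend_checked(forged)
        return True
    except PermissionError:
        return False


def legitimate_request_succeeds() -> bool:
    """The real card answers the challenge; the backend accepts it once."""
    challenge = issue_challenge()
    req = {"kvnr": KVNR, "card_response": card_sign(CARD_KEY, challenge)}
    return fetch_backend_checked(req, challenge) == PRESCRIPTIONS[KVNR]


def replayed_response_succeeds() -> bool:
    """Reusing a previously valid challenge/response pair must fail."""
    challenge = issue_challenge()
    req = {"kvnr": KVNR, "card_response": card_sign(CARD_KEY, challenge)}
    fetch_backend_checked(req, challenge)          # first use is fine
    try:
        fetch_backend_checked(req, challenge)      # second use is a replay
        return True
    except PermissionError:
        return False
```

The point of the second design is not the particular primitive but where the decision is made: the server that holds the data is the one that verifies the proof, and a compromised or fraudulent pharmacy client gains nothing from setting a flag.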
Demands
gematik must clearly commit to end-to-end encryption that deserves the name. The patient, as the responsible party, should hold the (self-generated) keys to her own health data.
To salvage the project in the short term, uploading the e-prescription to the central service should be dropped entirely; instead the patient should receive a complete, human- and machine-readable copy of the e-prescription. By contrast, the current QR code merely links to the full version stored centrally.
Prescriptions should remain redeemable even if a central system fails. Redeeming a prescription more than once can be prevented without transmitting its contents, and abusive behavior by a patient can easily be detected and sanctioned after the fact.
The BSI (Federal Office for Information Security) and the BfDI (Federal Commissioner for Data Protection and Freedom of Information) should examine the specifications more critically in future and not be taken in by phrases such as “encrypted throughout”.
Structurally, gematik should change so that patient interests are better represented in decision-making. The e-prescription is just one of many examples in which gematik has weakened supposedly cryptographically secure procedures with poor or even malicious specifications.
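The three demands above (a complete prescription carried by the patient, redemption that survives an outage, and a double-redemption check that never sees the content) fit together in one design, sketched here as an added example that is not gematik's or the CCC's code. The doctor signs the full prescription and hands it to the patient; the pharmacy verifies the signature locally; the central registry receives only a hash of the prescription and answers “new” or “already redeemed”. If the registry is down, the pharmacy dispenses anyway and reports the hash later, which is when abuse becomes visible. Practice IDs, the KVNR and the medication text are constructed sample data, and an HMAC with a per-practice key stands in for the practitioner's card signature so the example runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets

# Constructed: hypothetical practice signing keys that a pharmacy can look up.
# A real deployment would verify the practitioner's asymmetric card signature.
PRACTICE_KEYS = {"practice-0001": secrets.token_bytes(32)}


def canonical(body: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue(practice_id: str, patient_kvnr: str, medication: str) -> dict:
    """Doctor side: the complete, signed prescription the patient carries (e.g. in a QR code).
    The random id also makes the registry token unguessable from the medication alone."""
    body = {"id": secrets.token_hex(16), "practice": practice_id,
            "kvnr": patient_kvnr, "medication": medication}
    sig = hmac.new(PRACTICE_KEYS[practice_id], canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_offline(prescription: dict) -> bool:
    """Pharmacy side: check authenticity and integrity without any central service."""
    body = prescription["body"]
    key = PRACTICE_KEYS.get(body.get("practice"))
    if key is None:
        return False
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, prescription["sig"])


def token_of(prescription: dict) -> str:
    """The only thing the central registry ever sees: a hash, not the content."""
    return hashlib.sha256(canonical(prescription["body"])).hexdigest()


class RedemptionRegistry:
    """Central double-redemption check that stores opaque tokens only."""

    def __init__(self):
        self._redeemed = set()

    def redeem(self, token: str) -> bool:
        """True if this token is new, False if it was redeemed before."""
        if token in self._redeemed:
            return False
        self._redeemed.add(token)
        return True


def dispense(prescription: dict, registry, offline_queue: list) -> str:
    """Pharmacy flow. `registry` is None while the central service is unreachable;
    tokens are then queued locally and reconciled later by sync()."""
    if not verify_offline(prescription):
        return "rejected: invalid signature"
    token = token_of(prescription)
    if registry is None:
        offline_queue.append(token)
        return "dispensed offline"
    if not registry.redeem(token):
        return "rejected: already redeemed"
    return "dispensed"


def sync(offline_queue: list, registry) -> list:
    """After the outage: report queued tokens; return those redeemed more than once,
    which is the after-the-fact detection of abuse the design relies on."""
    conflicts = []
    for token in offline_queue:
        if not registry.redeem(token):
            conflicts.append(token)
    offline_queue.clear()
    return conflicts
```

Note what the registry cannot learn: with only `token_of()` values it sees neither the medication nor, given the random id, anything it could correlate to a small dictionary of likely prescriptions; it can only answer whether a given hash was redeemed before.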
Links and further information
- CCC diagnoses vulnerabilities in the German healthcare network
- The Chaos Computer Club explains the electronic health card
- CCC: Planned Patient Data Protection Act does not protect patient data
- Lawsuit against the collection of health data of all 73 million legally insured people
Source: CCC press release
Also read: Doctor's prescriptions are becoming digital: The e-prescription
Notes:
1) This content reflects the state of affairs at the time of publication. Individual images, screenshots, embeds or video sequences are reproduced for the purpose of discussing the topic.
2) Individual contributions were created with the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.

