Abstract
Germany is currently introducing a nationwide health information infrastructure that connects the existing information systems of various service providers and health insurers via a common network. An essential step towards its implementation is the introduction of an electronic health care smart card (eHC) for patients and a corresponding health professional card (HPC) for care providers. This article provides a risk analysis of the handling of these cards by both patients and physicians from an organizational point of view. On the basis of the information security audit methodology of the Federal Office for Information Security (BSI), the current security status of German healthcare telematics on the clinical side is evaluated. For this purpose, a framework specifically designed for the clinical area is first developed and explained in detail. On this basis, the workflows “patient admission”, “accessing emergency data” and “prescription of medicine” can be checked precisely for inherent organizational threats. As a result, we propose appropriate steps to mitigate the identified risks and derive practical hints for future process re-engineering when the new smart cards are introduced in hospitals. This article is based on our paper presented at the Bled Conference 2011.
References
BDSG - Bundesdatenschutzgesetz. Datenschutzrecht. DTV-Beck, München; 2009.
BSI - Bundesamt für Sicherheit in der Informationstechnik. Technische Richtlinie - Komfortsignatur mit dem Heilberufsausweis. Version 2.0. BSI, Bonn; 2007.
BSI - Bundesamt für Sicherheit in der Informationstechnik. BSI-Standard 100-2 IT-Grundschutz Methodology. Version 2.0. BSI, Bonn; 2008.
Dinnie G. The second annual global information security survey. Inf Manag Comput Secur. 1999;7(3):112–20.
Gematik. Ergebnisse des Kommentierungsverfahrens (Fachkonzept Daten für die Notfallversorgung). Version 0.9.0; 2006.
Gematik. Facharchitektur Daten für die Notfallversorgung (NFDM). Version 1.7.0; 2008.
Gematik. Facharchitektur Verordnungsdatenmanagement (VODM). Version 1.5.1; 2008.
Gematik. Fachkonzept Versichertenstammdatenmanagement (VSDM). Version 2.8.1; 2008.
Gematik. Fachkonzept Verordnungsdatenmanagement (VODM). Version 2.6.0; 2008.
Gematik. Übergreifendes Sicherheitskonzept der Telematikinfrastruktur. Version 2.4.0; 2008.
Häber A, et al. Leitfaden für die Einführung der elektronischen Gesundheitskarte im Krankenhaus. Westsächsische Hochschule, Zwickau; 2009.
Huber M, Sunyaev A, Krcmar H. Security analysis of the health care telematics infrastructure in Germany. In: ICEIS 2008 - Proceedings of the tenth international conference on enterprise information systems. Barcelona, Spain; 2008. vol. ISAS-2, pp. 144–53.
ISO/IEC. 27001 - Information technology - Security techniques - Information security management systems - Requirements; 2005.
Jürjens J, Rumm R. Model-based security analysis of the German health card architecture. Methods Inf Med. 2008;47:409–16.
Kuckein C, Schermann M, Sunyaev A, Krcmar H. An exploratory study on physicians’ diligence when dealing with patient data. In: Proceedings of the 18th European conference on information systems; 2010.
Sunyaev A, Göttlinger S, Mauro C, Leimeister JM, Krcmar H. Analysis of the applications of the electronic health card in Germany. In: Proceedings of Wirtschaftsinformatik; 2009. pp. 749–58.
Sunyaev A, Kaletsch A, Mauro C, Krcmar H. Security analysis of the German electronic health card’s peripheral parts. In: Proceedings of the 11th international conference on enterprise information systems (ICEIS 2009); 2009. pp. 19–26.
Sunyaev A, Leimeister JM, Krcmar H. Open security issues in German healthcare telematics. In: Proceedings of the third international conference on health informatics (HealthInf 2010). Valencia, Spain; 20–23 Jan 2010. pp. 187–94.
Sunyaev A, Kaletsch A, Duennebeil S, Krcmar H. Attack scenarios for possible misuse of peripheral parts in the German health information infrastructure. In: Proceedings of the 12th international conference on enterprise information systems (ICEIS 2010). Funchal, Madeira, Portugal, 8–12 June 2010. Volume DISI, pp. 229–35.
Cite this article
Sunyaev, A., Pflug, J. Risk evaluation and security analysis of the clinical area within the German electronic health information system. Health Technol. 2, 123–135 (2012). https://doi.org/10.1007/s12553-012-0016-5