The German health-IT agency Gematik has ruled that health insurance companies may no longer use video identification (Videoident) when an insured person applies for an electronic patient file (ePA). Procedures that identify the insured person on site, for example when they appear in person at a health insurance office, are not affected.
Videoident was banned from the telematics infrastructure after security researchers reportedly succeeded in getting third-party identities accepted by six different ePA providers. In at least one case the researchers were also able to apply for an electronic patient file on behalf of another person; the health insurance company then pre-filled that file with data such as recent hospital stays and sick notes.
Videoident procedures are also used in other sectors, for instance when opening bank accounts, where identity must be verified under the Money Laundering Act. No restrictions have been imposed there so far.
The stop ordered by Gematik has far-reaching consequences, because an ePA can still only be created through the opt-in procedure, which requires the insured person's identity to be verified, and Videoident played a major role in that process for the health insurance companies. What exactly the security researchers, apparently commissioned by Gematik, found has not yet been made public; it is assumed that deepfakes were used.
It is also unclear whether the identities of all insured persons who used Videoident when applying for their ePA will have to be re-verified after the fact. That would undermine acceptance of the ePA among many insured persons. There are currently around 530,000 such files.
Doctor’s ID for “Dr. Cyber” at the cheese counter
The suspension is not final: "A decision can only be made about the re-authorization of Videoident procedures when the providers have provided concrete evidence that their procedures are no longer susceptible to the weaknesses shown," says Gematik.
This is not the first serious identity-verification failure in the telematics infrastructure. In 2019, security researchers led by Martin Tschirsich used the electronic identification process to order a doctor's ID card for a "Dr. Cyber" and had it delivered to a cheese counter. They presented the identity gaps at the Chaos Computer Club's annual congress.