Loss of data has serious consequences for German electronic health card
Test runs with Germany's first-generation electronic health cards and doctors' "health professional cards" have suffered a serious setback. After the failure of a hardware security module (HSM) holding the private keys for the root Certificate Authority (root CA) for the first-generation cards, it emerged that the data had not been backed up. Consequently, if additional new cards are required for field testing, all of the cards previously produced for the tests will have to be replaced, because a new root CA will have to be generated.
The electronic health card is in many respects a large and ambitious project. Among other things, it involves the construction of the world's largest public key infrastructure (PKI). This is supposed to allow 80 million health cards and health professional cards to check each other for authenticity. To permit this check, each card holds a card-verifiable certificate (CVC) which ultimately depends on a root Certificate Authority (root CA). All card manufacturers refer to this root CA when they store certificates on their cards.
Besides its use in authentication, the root CA is also important for card withdrawal (the revocation service). Public and private keys are generated and stored by a hardware security module (HSM), a particularly powerful smart card that has its own processor and random-number generator. The key material then has to be saved using a special back-up procedure, because the HSM has its own protective software designed to detect attacks and respond to anomalies (incorrect PIN input, voltage drops etc.) by shutting down the HSM.
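As an added illustration, not from the article or from Gematik or D-Trust, here is a toy model in Go of why losing the root private key forces every first-generation card to be replaced. It uses Ed25519 from Go's standard library in place of the real CVC signature scheme, and the card IDs and the one-way challenge-response are constructed assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Card models a health card or HPC: key pair, CVC (root signature over ID||Pub), trusted root public key.
type Card struct {
	ID        string
	Pub       ed25519.PublicKey
	priv      ed25519.PrivateKey // stays on the card, as the root private key stays in the HSM
	CVC       []byte
	TrustRoot ed25519.PublicKey
}
// mustKey generates an Ed25519 pair; an entropy failure is fatal in this toy model.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// IssueCard personalises a card under a root: the root signs ID||Pub (the CVC) and the
// card is loaded with that root's public key as its trust anchor.
func IssueCard(rootPriv ed25519.PrivateKey, id string) *Card {
	pub, priv := mustKey()
	cvc := ed25519.Sign(rootPriv, append([]byte(id), pub...))
	return &Card{ID: id, Pub: pub, priv: priv, CVC: cvc, TrustRoot: rootPriv.Public().(ed25519.PublicKey)}
}
// Authenticate (one direction of card-to-card auth): check the peer's CVC against our root, then challenge it.
func (v *Card) Authenticate(peer *Card) bool {
	if !ed25519.Verify(v.TrustRoot, append([]byte(peer.ID), peer.Pub...), peer.CVC) {
		return false
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	return ed25519.Verify(peer.Pub, challenge, ed25519.Sign(peer.priv, challenge))
}
// SimulateRootLoss replays the incident: cards under the lost root still authenticate
// each other, but a card issued under the replacement root fails in both directions.
func SimulateRootLoss() (sameRoot, crossRoot bool) {
	_, lost := mustKey()
	ehc, hpc := IssueCard(lost, "eHC-old"), IssueCard(lost, "HPC-old")
	_, replacement := mustKey() // the lost key has no backup, so a new root is generated
	hpcNew := IssueCard(replacement, "HPC-new")
	return ehc.Authenticate(hpc) && hpc.Authenticate(ehc), // true: same root
		ehc.Authenticate(hpcNew) || hpcNew.Authenticate(ehc) // false: different roots
}
func main() { fmt.Println(SimulateRootLoss()) } // prints: true false
```

The old cards keep working among themselves, which is why the test system could continue as long as no new cards were issued; any card personalised under the new root is a stranger to them, and vice versa.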
The company in charge of the project, Gematik, commissioned D-Trust, a subsidiary of the Bundesdruckerei, to provide the root CA as a service to the operation of the health card PKI. Matthias Merx, the firm's managing director, told heise online that following a voltage drop, something happened in D-Trust's "Trustcenter" that does occasionally occur. "The HSM independently deleted the data because it suspected an attack."
Because no back-up copy had been made, the Trustcenter's usual routine for restoring the data could not be applied. Merx explained that "Gematik decided to 'do without a back-up'. As a service provider, we have to accept that," adding that, when the actual health card system is started up, there will indeed be back-up copies of the root CA data. He said a new root CA would have to be created, but that was no problem. "The test system can keep on running as long as no new cards need to be issued."
Speaking to heise online, Gematik spokesman Daniel Poeschkens poured scorn on the statement that Gematik had insisted on the service provider carrying out a test without backing up the root CA private keys. "We did not decide against a back-up service. The fact of the matter is that the service provider took over the running of the test system, so it also has to warrant its continuous operation. How it fulfils this obligation is its own responsibility."
heise online has seen a circular to test partners in which Gematik spells out what the failure means. "As a consequence, this means in particular that no more samples of first-generation health professional cards can be produced that are able to effect successful card-to-card authentication with the correct first-generation sample electronic health cards currently in circulation. Please note, therefore, that the correct sample health cards that have been distributed for the North Rhine interoperability test are exclusively for use in tests as part of the basic roll-out scenario, and are to be destroyed after the basic roll-out tests have been concluded. Although the sample health cards are correct, they will have to be replaced for tests on the telematics infrastructure at future stages."
This squabbling about the data integrity of a root CA that supports a relatively small number of test cards may appear trivial. It is surprising, however, that a central service on which every test card of a generation depends can be handled so negligently. The assurance that everything will be correctly backed up in the real system may, or may not, convince everyone. A system of distributed root CAs, as proposed by Thomas Maus, a security expert at Karlsruhe University and a critic of the health cards, might help here.
Andreas Bogk of the Chaos Computer Club, who testified to the Bundestag a few weeks ago at a hearing on the health card system, draws attention to a point he considers comparatively important. "The same problem is also going to affect the data in individual electronic health records. The back-up problem can't be solved merely by backing up the private key. But that invalidates the promise of complete security ('central storage is not a problem, because the key is only held on the card, so the patient retains power over it')."
(Detlef Borchers)