FOCUS online – Electronic patient records pose data protection risks

Dr. Marco Rogert, in a contribution as an expert for FOCUS Online, has assessed the data protection risks of the electronic patient record (ePA). The introduction of the ePA is intended to make medical care more efficient and improve communication between physicians. However, there are significant concerns, particularly regarding the uses planned by Federal Health Minister Karl Lauterbach.

Goal of the electronic patient record

The introduction of the ePA is being celebrated as a milestone in the digitalization of the German healthcare system. According to a report by "heise.de," Federal Health Minister Karl Lauterbach stated at Bitkom's Digital Health Conference: "After 20 years of sluggish development, we have successfully caught up. On January 15, the electronic patient record will be launched for 70 million insured persons. It is the centerpiece of digitalization in the healthcare system and will significantly improve patient care."

Lauterbach acknowledged that the ePA in its original form had significant weaknesses, but the delay made it possible to integrate state-of-the-art technological solutions that make the system more efficient.

A comprehensive treasure trove of data is created

In the future, all health data will be automatically stored in the ePA: from lab results and x-rays to medication information and hospital stays. "This data set is gigantic – there are one billion doctor-patient contacts in Germany every year," Lauterbach emphasized. The collected data will be combined at the Research Data Center for Health (FDZ) with additional information from over 400 medical registries and genome databases. Billing data from health insurance companies will also be part of the system, with all information linked via a pseudonymized health insurance number.

Use of artificial intelligence

A central element of the ePA is the use of artificial intelligence (AI). "This data set is made analyzable with the help of AI systems," Lauterbach explained. The structure of the ePA is already designed to be "AI-ready."

Interest of international technology companies

Lauterbach indirectly confirmed the fear of commercial interest in this data. "All major AI companies are interested in this treasure trove of data," the minister said. Meta, OpenAI, and Google, among others, are in discussion. The companies are interested in training their language models with German health data. Furthermore, the healthcare sector is a significant growth industry. "While many economic sectors are stagnating, we are experiencing dynamic growth here," Lauterbach said. Combined with other data sources, pseudonymized health data could be attributed to a specific individual.

Opportunities and risks of the ePA

The advantages of the ePA are obvious: Important medical documents such as x-rays, reports, and doctor's letters are stored centrally and can be accessed at any time. This can improve the quality of treatment and avoid duplicate examinations.

However, IT security experts have discovered serious security vulnerabilities in the ePA. This is particularly alarming given that it involves highly sensitive health data, perhaps the most sensitive personal information a citizen has.

Poor data processing in healthcare?

Doubts about the professional processing of health data have existed since the coronavirus pandemic. The Paul Ehrlich Institute (PEI) was criticized for failing to provide reliable interfaces with health insurance companies and for publishing only incomplete data on side effects. While other countries such as the Netherlands, Denmark, and the USA created detailed side effect databases, the PEI merely provided an inaccurate Excel spreadsheet.

Data protection measures and their weaknesses

Lauterbach assured that Israeli experts had reviewed the data security of the ePA and that a balance had been struck between data protection and usability. A key point was the use of "confidential computing," in which data is processed inside a hardware-isolated protected environment (a trusted execution environment): the data is encrypted at rest and in transit, but it is decrypted inside that environment for processing. This is where the statement raises questions: Wouldn't a truly confidential data set be precisely one that stays encrypted? In practice the guarantee rests not on the data remaining encrypted but on the isolation and attestation of the environment that decrypts it, and on who controls the keys that release the data to it.

Researchers can access health data upon request – the research purpose, not the identity of the requester, is crucial. The data should not leave the secure research environment. But how secure is this "trusted environment" really?

Lauterbach's vision: A world-leading health data set

The minister sees the ePA as the most important digital project in Germany and a breakthrough innovation. His goal: to build the largest and most comprehensive health dataset worldwide.

However, based on previous experiences with security deficiencies in the ePA and the ineffective data management of the PEI, there are legitimate concerns: Is the health data of 70 million insured persons really adequately protected?

Political discussion: Merz wants to create financial incentives

Lauterbach isn't the only one pursuing ambitious plans for the ePA. CDU leader Friedrich Merz has floated the idea of financially rewarding insured individuals for entrusting their data to the ePA. This could make the healthcare system more efficient.

Criticism from IT experts

According to a report in the "Berliner Zeitung," IT specialists are warning of significant security risks. Organized crime could steal patient data on a large scale. Intelligence agencies are also interested in this sensitive information. The Chaos Computer Club recently demonstrated at a conference how easily security vulnerabilities can be exploited.

"Experts have repeatedly pointed out security risks," said IT specialist Manuel Atug. "Yet only minimal improvements have been made. The responsible ministry is resistant to advice."

Opt-out procedures and data protection concerns

The ePA will be implemented via an opt-out procedure – those who do not opt out will automatically receive a digital patient record. Privately insured individuals, however, must actively apply for the ePA.

This is problematic from a data protection perspective. The GDPR treats health data as a special category that, as a rule, may only be processed with explicit consent. The ePA instead relies on an objection (opt-out) mechanism, which is hostile to data protection and of which many insured persons are likely unaware.

Possible abuse scenarios

Experts see four main scenarios in which the ePA could be misused:

Reversal of pseudonymization (decryption of pseudonymized data): Anyone holding the pseudonymization key, or able to enumerate the underlying identifiers and recompute the pseudonyms, could re-identify the data.

Incorrect anonymization: Names or other identifying features may be inadvertently retained in medical reports or X-ray images.

Data reconstruction: By combining many attributes (such as postcode, year of birth, sex, and dates of treatment) with outside data, individuals could be identified.

Tracking via service providers: A particular doctor's visit could allow conclusions to be drawn about a person's identity.
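As an added, constructed example (not from the FOCUS Online article and not the ePA or FDZ data model), the following Python script illustrates the first, third and fourth scenarios: reversing a pseudonym that was derived from an enumerable identifier without a secret key, and linking pseudonymized records to named persons through quasi-identifiers such as postcode, year of birth and sex. The identifier space, the key and all records are invented for the demonstration. It also shows a k-anonymity check and a coarsening step that removes the unique matches before release.

```python
"""Constructed demonstration of re-identifying pseudonymised health records.

All identifiers, keys and records below are invented for illustration and do
not reflect the ePA or the Research Data Center (FDZ) data model.
"""
import hashlib
import hmac
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

# --- Scenario 1: a pseudonym without a secret key can be reversed ------------

def id_space():
    """Constructed toy identifier space: one letter followed by three digits.
    A real insurance-number space is larger but still finite and enumerable."""
    for letter in "AB":
        for n in range(1000):
            yield f"{letter}{n:03d}"

def weak_pseudonym(insurance_no: str) -> str:
    """Unkeyed hash: anyone can recompute it for every candidate identifier."""
    return hashlib.sha256(insurance_no.encode()).hexdigest()

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: kept secret

def keyed_pseudonym(insurance_no: str, key: bytes = DEMO_KEY) -> str:
    """Keyed hash (HMAC): without the key the candidates cannot be recomputed."""
    return hmac.new(key, insurance_no.encode(), "sha256").hexdigest()

def reverse_by_enumeration(pseudonym: str,
                           derive: Callable[[str], str]) -> Optional[str]:
    """Attacker tries every identifier with the derivation function it knows."""
    for candidate in id_space():
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None

# --- Scenarios 3 and 4: linking records to people via quasi-identifiers -----

QUASI: Tuple[str, ...] = ("zip", "birth_year", "sex")  # columns shared with outside data

# Constructed pseudonymised records, as a researcher might receive them.
HEALTH_RECORDS: List[Dict] = [
    {"pseudonym": "p1", "zip": "10115", "birth_year": 1961, "sex": "F", "diagnosis": "C50"},
    {"pseudonym": "p2", "zip": "10115", "birth_year": 1961, "sex": "F", "diagnosis": "J45"},
    {"pseudonym": "p3", "zip": "10117", "birth_year": 1985, "sex": "M", "diagnosis": "E11"},
    {"pseudonym": "p4", "zip": "10119", "birth_year": 1972, "sex": "F", "diagnosis": "F32"},
    {"pseudonym": "p5", "zip": "10117", "birth_year": 1985, "sex": "M", "diagnosis": "I10"},
]

# Constructed auxiliary data an attacker already holds (e.g. an address list).
AUX: List[Dict] = [
    {"name": "Anna Muster", "zip": "10115", "birth_year": 1961, "sex": "F"},
    {"name": "Bea Beispiel", "zip": "10115", "birth_year": 1961, "sex": "F"},
    {"name": "Carl Demo", "zip": "10117", "birth_year": 1985, "sex": "M"},
    {"name": "Dora Test", "zip": "10119", "birth_year": 1972, "sex": "F"},
    {"name": "Emil Probe", "zip": "10117", "birth_year": 1985, "sex": "M"},
]

def equivalence_classes(rows: List[Dict], quasi: Tuple[str, ...] = QUASI) -> Dict[tuple, List[Dict]]:
    """Group rows that share the same quasi-identifier values."""
    classes: Dict[tuple, List[Dict]] = defaultdict(list)
    for row in rows:
        classes[tuple(row[q] for q in quasi)].append(row)
    return classes

def k_anonymity(rows: List[Dict], quasi: Tuple[str, ...] = QUASI) -> int:
    """Size of the smallest equivalence class; k == 1 means some record is unique."""
    return min(len(group) for group in equivalence_classes(rows, quasi).values())

def link(records: List[Dict], aux: List[Dict], quasi: Tuple[str, ...] = QUASI) -> Dict[str, str]:
    """Map pseudonym -> name wherever a record's quasi-identifiers match exactly one person."""
    people = equivalence_classes(aux, quasi)
    matches: Dict[str, str] = {}
    for key, recs in equivalence_classes(records, quasi).items():
        candidates = people.get(key, [])
        if len(recs) == 1 and len(candidates) == 1:
            matches[recs[0]["pseudonym"]] = candidates[0]["name"]
    return matches

def generalise(rows: List[Dict]) -> List[Dict]:
    """Coarsen quasi-identifiers (ZIP prefix, 20-year birth band) before release."""
    out = []
    for row in rows:
        coarse = dict(row)
        coarse["zip"] = row["zip"][:3]
        coarse["birth_year"] = (row["birth_year"] // 20) * 20
        out.append(coarse)
    return out

if __name__ == "__main__":
    print(reverse_by_enumeration(weak_pseudonym("B042"), weak_pseudonym))   # B042
    print(reverse_by_enumeration(keyed_pseudonym("B042"), weak_pseudonym))  # None
    print(k_anonymity(HEALTH_RECORDS), link(HEALTH_RECORDS, AUX))           # 1 {'p4': 'Dora Test'}
    released = generalise(HEALTH_RECORDS)
    print(k_anonymity(released), link(released, generalise(AUX)))           # 2 {}
```

The unkeyed pseudonym falls in under a second because the attacker only has to hash each candidate identifier; the HMAC variant resists the same enumeration only as long as the key stays out of the attacker's hands, which is exactly why key custody, not the choice of hash, decides scenario 1. The linkage step shows that a single unique combination of postcode, birth year and sex is enough to name a record, and that coarsening those columns until every class holds at least two records (k = 2 here) removes the exact match at the cost of precision.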

Consequences of a data breach

If health data falls into the wrong hands, there is a risk of serious consequences, ranging from unwanted advertising for medications to job loss, rejection of loans or insurance, blackmail by third parties or social exclusion.

How can you defend yourself?

Those affected can object to the electronic patient record (ePA) or have stored data deleted. There are also legal options to prevent the transfer of data to foreign companies.
