Insecure practice software: patient data unprotected around the network


Exclusive

Status: 08/11/2022 12:50 p.m

Because of a security gap in a practice management software, data from treatment records and medical certificates could be viewed by strangers, according to research by NDR and WDR. One problem: manufacturers are not obliged to supply data-protection-compliant software.

By Marcus Engert, Markus Grill and Stella Peters, NDR/WDR

The “inSuite” software is intended to make everyday practice easier for doctors: through an appointment booking tool, digitized patient files, and the option of sharing documents such as laboratory results directly with patients or other treating doctors. Anyone who visits the website of the Berlin company Doc Cirrus is overwhelmed with advertising promises: the software is “maintenance-free and worry-free”, a “tailor-made” and “future-oriented solution” for every medical practice. And of course – as the manufacturer writes – the patient data is absolutely secure: it promises a “360° IT security concept” and “protection against unauthorized access.” The website also features awards and certificates that seem to confirm the quality and security of the IT product: from the National Association of Statutory Health Insurance Physicians and the DQS certification body, among others.

Laboratory findings and blood values accessible to third parties

But despite all these promises, software experts from the Zerforschung group have discovered several serious problems with Doc Cirrus. “Zerforschung” is a civil society group that has set itself the task of uncovering IT security gaps. According to their own statements, the activists were able to gain access to the e-mail accounts of the medical practices registered with “inSuite” in a very short time. In this way, all e-mail communication between doctor and patient could also have been viewed by unauthorized persons. Through other gaps, they were able to access the personal data of registered patients. Even highly sensitive documents such as diagnoses, laboratory results, blood values or certificates were accessible to third parties.

As usual, the activists informed the company concerned, in this case Doc Cirrus, and the Berlin data protection officer. The latter confirmed, at the request of NDR and WDR, that he had received information about a security gap in health data that “affected more than 60,000 patients from more than 270 practices”. In total, there are more than a million data records, which also contain “documents, diagnoses, blood values, laboratory results and sick leave”. “Based on the available information, we currently assess the security gaps known to us as significant,” the Berlin data protection officer announced. DocCirrus said that after learning about the vulnerabilities, it closed them immediately. According to the company, sensitive data was not leaked at any time.

Company speaks of programming errors

In addition, following the inquiry from NDR and WDR, the company posted a statement on its website acknowledging “programming errors” and “vulnerabilities in doctor-patient communication” that would have allowed “access to facility and patient data from some of our customers.” The company writes that there is no reason to assume that practice and patient information “was actually viewed or tapped by third parties” – apart from by the IT activists from Zerforschung. “The services concerned” were “immediately deactivated and checked” by the company, the statement reports.

Beyond this statement, Doc Cirrus is taciturn. The company does not want to answer how many medical practices in Germany use the software and were affected by the security gap, nor whether the patients affected by the security gaps were informed.

In some practices there were apparently technical problems as a result – for example at the AOK Nordost health center in Berlin, one of Doc Cirrus’ customers. Among other things, it was not possible to book appointments online for more than a week. The services are now active again. However, AOK Nordost does not want to say how many patients were affected by the security gap. “Please understand that we do not provide an answer to this question in view of the trade secret,” said a spokesman via e-mail. The affected patients were also not informed; according to the AOK’s analysis, there was no data breach. The AOK had previously declined an interview about the security gap.

Certificates – not for privacy

But does a company that produces software that doctors use to store health data and communicate with patients not have to have data security checked? Does none of the many certificates that the National Association of Statutory Health Insurance Physicians (KBV) has issued for the DocCirrus software affect data protection? No, the KBV reports on request, “the IT security of the individual practice management systems is in the hands of the respective provider.”

The spokesman for the Federal Data Protection Commissioner, Christof Stein, explains: “In fact, a software manufacturer has no obligation to design its software in any way in compliance with data protection.” This also applies to software that processes sensitive data. According to him, the doctor’s office is ultimately responsible. It has to check that the software is data protection compliant – and should not rely on any certificates or seals of approval: “The motto ‘The more certificates, the better’ should always be questioned anyway, because those who issue the certificates naturally also set very specific criteria of their own, which consumers may not even be aware of,” says Christof Stein.
