The replacement of 130,000 so-called connectors in Germany's medical practices is expected to cost around 300 million euros - the devices are used for secure communication between the practices and the IT infrastructure of the health insurance companies. The affected boxes are only about five years old - now they should be replaced because internal security certificates have reached the built-in expiry date.
The health insurance companies want to reimburse the doctors for 2300 euros per device. However, an investigation by hackers from the Chaos Computer Club (CCC) shows that the expensive replacement would actually not be necessary. The hackers released a piece of software last weekend that is supposed to enable the certificates to be updated – without exchanging or opening the boxes in the doctor's office.
One manufacturer in particular had always denied this possibility. The hackers suspect that the companies involved want to earn hundreds of millions of euros with cheap hardware at the expense of the insured.
The dispute over the connectors has been going on for some time: Gematik GmbH, which is responsible for operating the so-called telematics infrastructure of the healthcare system, published a so-called feature specification for a lifetime extension as early as mid-2021. This includes the specification that the manufacturers of the connectors should make it possible to exchange certificates via software updates.
At the request of WELT, the Federal Office for Information Security, which is responsible for the security certification of the practice hardware, also stated that "for all connectors in the field and approved by Gematik", it applies that "when the certificate is about to expire - as an alternative to replacing the device – the service life of the affected connectors could be extended.”
But at the end of February, the shareholders' meeting of Gematik decided to replace the connectors instead - at exorbitant prices. Concerned queries from the National Association of Statutory Health Insurance Physicians about the necessity and costs of this measure were ironed out by Gematik in a statement at the end of July.
At the same time, the doctors were awarded a cost compensation of 2,300 euros from public and private health insurance funds. The manufacturers then promptly lowered the price of the devices to 2,300 euros, and the doctors' protests fell silent. On August 29, Gematik confirmed its decision to replace the devices.
The security experts at the CCC, on the other hand, do not want to rest: security expert Carl Fabian Lüpke, stage name Flüpke, had already opened a connector from the manufacturer CompuGroup Medica (CGM) in July. CGM has supplied more than 50 percent of all connectors in the German practices and would also benefit the most financially if the first 15,000 devices were replaced, whose certificates will be the first to expire within the coming months.
The manufacturer had claimed that "the certificates are permanently installed in the connectors and cannot be removed or replaced for security reasons", the exchange is "technically not possible". In the presence of experts from the specialist publication CT of the Heise-Verlag, Flüpke proved that at least one of the manufacturer's central claims was incorrect: the certificates were not permanently installed, instead they are stored on so-called SmartCards, which are similar to a mobile phone SIM card in the device.
After the publication of these results, Gematik and the manufacturer CGM retreated to the next line of defense: Yes, the certificate cards can be physically exchanged, but are linked to the respective devices via software, and the update is not possible.
Flüpke and his colleagues then got back to work and have now published a software solution with which the update is very well possible without unscrewing the devices and without expensive replacement. "We show that you can bring renewed certificates into the system yourself, without a screwdriver or soldering iron," explains Flüpke in an interview with WELT. "That gives me the suspicion that the manufacturers have known this for a long time and simply sat it out instead of implementing the Gematik requirements."
Dirk Engling, spokesman for the CCC, becomes clearer in a statement: "Here a cartel wants to earn a golden nose through strategic incompetence in the German health system. In doing so, immense costs for all insured persons, senseless effort for an exchange with all doctors and tons of electronic waste are accepted.
It is fitting that manufacturers, according to Flüpke, charge exorbitant prices for completely outdated hardware: the original connectors are already based on standard hardware from the Bavarian manufacturer Congatec, in which chips from 2007 were installed.
And the replacement devices are not significantly more powerful either. "These are solid devices, they are safe enough for use in the doctor's office," says Flüpke. "But I would be surprised if the manufacturer had to spend more than a tenth of the 2,300 euros on the purchase."
Manufacturer CGM responded in a statement: "Changing the connector specification and including the certificate extension in the specification is the sole responsibility of Gematik. According to a statement by Gematik, options for connectors with an expiry date of September 2023 are currently being explored. A certificate extension may be one of these choices in the future.”
At the request of WELT, Gematik reaffirmed that replacing the connectors was the only alternative: "For all certificates whose validity expires in August 2023, replacing the connector is the only sensible alternative due to outdated technology. The hardware replacement was identified as the safest and most economical solution overall,” according to a statement.
But at least Gematik wants to have it checked again to see whether replacing devices that can run for longer can be avoided.
Heise editor-in-chief Volker Zota hopes that this test will result in savings of hundreds of millions of euros for the insured: "Even if you exchange the CGM boxes, there will still be 200,000 devices whose certificates would expire by the end of 2026, for which an exchange could be prevented."
"Everything on shares" is the daily stock exchange shot from the WELT business editorial team. Every morning from 7 a.m. with our financial journalists. For stock market experts and beginners. Subscribe to the podcast on Spotify, Apple Podcast, Amazon Music and Deezer. Or directly via RSS feed.