title: Electronic Insurance card: Please don't Smile
date: 2008-07-22 00:00:00 
updated: 2009-04-18 19:12:41 
author: frankro
tags: update


Some German health insurance funds have started asking their members to send in photos for newly issued electronic insurance cards, despite the fact that important security questions regarding the system are still unanswered. The Chaos Computer Club advises all members not to send a photo for now.


<!-- TEASER_END -->

In the past few days we have received information about health insurers
asking their customers to send photos as part of the issuing process for
new insurance cards. The trade guild sickness fund of Saxony ("IKK
Sachsen") even insists on a picture that meets current biometric photo
ID requirements, and refers to a legal obligation to provide it.

The concept of the electronic insurance card that is known to the Chaos
Computer Club has some serious issues, such as in the implementation
of so-called "voluntary services" ("freiwillige Dienste"). With the
electronic health record, the sensitive details leave the protected
environment of the doctor's practice and are stored on a central server.
According to the specification, this information will be encrypted prior
to transmission, but there is no conclusive concept for who has access
to the cryptographic keys.

Without these additional services, the introduction of the new
electronic health insurance cards would neither be economically
justifiable nor bring any added value for health insurers, doctors or
patients. Consequently, the introduction of such an ill-conceived system
is irresponsible. We therefore advise all policyholders not to comply
with the request to send in a photo, so that the ubiquitous
implementation of the new health insurance card will be delayed until
these fundamental questions around protecting sensitive information are
clarified.

As a matter of fact, § 291 of the German Social Security Code
("Sozialgesetzbuch") indicates that the health insurance card shall bear
a "photograph of the insured person", but the law in question does not
contain any further requirements about its nature. So there are no
limits to creativity. A biometrically usable picture, as used in
the controversial electronic passports, is not at all required by law.

Retention of the photo beyond the time frame required to produce the
card is not required by law and therefore prohibited.