Risk evaluation and security analysis of the clinical area within the German electronic health information system

Abstract

Germany is currently introducing a nationwide health information infrastructure. This infrastructure connects existing information systems of various service providers and health insurances via a common network. An essential step towards the implementation of this system will be the introduction of an electronic health care smart card (eHC) for patients and a counterpart health professional card (HPC) for care providers. This article provides a risk analysis on the handling of these cards by both patients and physicians from an organizational point of view. On the basis of the information security audit methodology of the Federal Office for Information Security (BSI), the currect security status of German healthcare telematics on the clinical side is evaluated. For this purpose, an appropriate framework specifically designed for the clinical area is first developed and explained in detail. Based on these perceptions it is possible to precisely check the workflows “patient admission”, “accessing emergency data” and “prescription of medicine” for inherent organizational threats. As a result, we proposed appropriate steps to mitigate potential risks and derived valuable hints for future process re-eingineering by the introduction of the new smart cards in hospitals. This article is based on our paper presented at Bled Conference 2011.