Identification by video (Videoident) is currently suspended at health insurance companies. The background is a successful attack by the Chaos Computer Club (CCC), in which manipulated identification papers were used to access a test person's electronic patient file. Fearing misuse of the sensitive patient data that could be accessed in this way, the health insurance companies have, for now, blocked all Videoident providers, regardless of whether security vulnerabilities are known for them.
Are Videoident procedures still safe in terms of data security?
Where is Videoident used?
To date, Videoident procedures have been used in many areas where online access to sensitive data is possible. When registering for a bank account, for credit checks, insurance contracts, checks for car-sharing services and in the healthcare sector, the Videoident process is a significant component of digital data security.
Since 2021, the Videoident procedure has enabled access to the so-called ePatient file and, in the meantime, also to the e-prescription.
How can Videoident be duped?
In the CCC's report, the security researchers explain how open-source software and a bit of red watercolor paint were used to trick six Videoident solutions by "video recombining several source documents", making the employees or the software believe the attackers were someone else. The attacks went unnoticed.
The CCC thus gained access to the test subject's health data. This was possible with little prior knowledge, in a short time and with little effort. On the other hand, the risk and the sensitivity of this data were very high.
Even the use of an AI in the process does not fix this major security flaw, they said. The security researchers stated, "The assumption that modern videoident procedures can fix the known weaknesses 'through the use of artificial intelligence' has proven to be false in practice."
Why stop all Videoident procedures right away?
Based on the CCC's findings and for security reasons, Gematik prohibited health insurers from using any Videoident procedures even before the report was published.
The IT industry association Bitkom criticized this sweeping decision. People who now have to identify themselves to the health insurance company would be forced to fall back on analog channels. This would create an "unnecessary hurdle on the way to digital healthcare". Instant identification via the Videoident process is "essential to make digital services available quickly, securely and easily," the association said. It must therefore be immediately re-approved for use by health insurers.
The CCC, on the other hand, demands "that this unsafe technology no longer be used where there is a high potential for harm."
Statements of the Ministries of Health and the Interior
The Federal Ministry of Health, like Gematik, was in favor of blocking.
The Federal Ministry of the Interior described the Videoident procedure as "a bridging technology that is currently used for remote identification due to its market penetration and availability." Whether and to what extent it could continue to be used would be carefully examined.