Case Study

CompuGroup Medical Germany: A Highly Secure VPN Access Service for the Entire Healthcare Sector

The construction of the telematics infrastructure is considered the largest IT project in the healthcare sector. It networks doctors, pharmacies, hospitals and health insurance funds and provides access to the health data of the 70 million people in Germany covered by statutory health insurance. Given the highly sensitive nature of this data, it is also a major IT security project. The development of the first approved VPN access service shows which particular challenges had to be solved.

According to gematik (Gesellschaft für Telematik-Anwendungen der Gesundheitskarte mbH, the official body for the e-Health infrastructure in Germany) approximately 70 million people covered by the statutory health insurance, 180,000 registered doctors and dentists, 20,500 pharmacies, 2,000 hospitals and 118 health insurance funds use the telematics infrastructure ("TI"). "The telematics infrastructure has been in productive operation since November 2017. Regular operation follows a three-year trial phase including a multi-year approval phase for a number of security-relevant components," explains Arthur Steinel, General Manager in the TELEMED Division of CompuGroup Medical Deutschland AG. As project leader for the VPN access service, a central component of the "TI," he has detailed insight into the entire project. CompuGroup Medical (CGM) SE is a leading eHealth company with software products for supporting all medical and organizational tasks in doctors’ offices, pharmacies, laboratories and hospitals.

Secure Telematics Infrastructure

The "TI" handles the comprehensive digital networking of the stakeholders in the healthcare sector and serves as a secure platform for the exchange of information and the use of specialist applications. In the first step, it enables the online check and updating of the master data of the insured. The qualified electronic signature (QES) is performed in the second step. This enables the legal signature, e.g., of the doctor, in digital form. It is thereby possible to, among other things, send signed invoices or send doctors’ letters electronically. The "TI" also lays the foundation for providing the data of the patients (e.g., doctors’ letters, emergency data, data about medication) in an electronic patient record or in a patient folder for the patients.

The "TI" is a closed network based on a VPN access service (virtual private network) to which only registered users are granted access.

The security requirements included the creation of a VPN network that is separated from the Internet. Here, the participants, e.g., a doctor’s office, are securely authenticated using chip cards (a card specific to the doctor’s office or institution). They communicate via a so-called "connector," a VPN router with a permanently installed chip card.

The TI platform provides the infrastructure and the basic security functions that build upon it. The most important elements are

  • secure, encrypted communication and protection against access to sensitive information
  • secure authentication of the communication partners
  • use of a qualified electronic signature
  • the cryptographic procedures used are periodically examined by the German Federal Office for Information Security (BSI) and adapted to the latest developments
  • a data protection and information security management system (DSMS/ISMS) monitors the data protection-compliant and secure operation of the "TI"

A Comprehensive VPN Access Service for the Healthcare Sector

"As the regulatory authority, gematik places very high requirements on a comprehensive VPN access service with respect to functionality and security," reports Arthur Steinel. To participate in the trial phase of the VPN access service, the central high-security components, firewalls and VPN concentrators had to show proof of certification by the BSI on the basis of protection profiles according to the Common Criteria (CC) for IT products. With the protection profiles, the BSI sets minimum standards for selected product groups such as network and communication products. "The solutions of the German IT security manufacturer genua GmbH, which are regularly certified by the BSI, satisfy these high requirements," says Steinel.

genua is a German IT security manufacturer based in Kirchheim near Munich. The genuscreen firewall & VPN appliance is used as the central firewall and VPN concentrator. genuscreen is a high-quality IT security solution with CC EAL 4+ certification and approval up to the German classification level "Restricted."

Physically separated from the rest of the telematics infrastructure, the participants also have the option of secure Internet access. This so-called "Secure Internet Service" (SIS) is given additional protection. The project leader names the three-level firewall used for this purpose as another important security component. For the protection of data networks with medium or high protection requirements, the BSI recommends multi-level firewall solutions made up of different systems. The genugate firewall consists of an application level gateway and a packet filter and, on that basis alone, offers two levels. This concept also convinced the BSI, which has certified genugate multiple times at CC level EAL 4+. The strong resistance against direct attacks was emphasized in each certification; in this respect, genugate is the only firewall in the world to satisfy the CC requirements of level EAL 7.

The genugate firewall, combined with an additional packet filter, produces the desired three-level security solution. The three firewalls are connected in series: first, a packet filter (PFL) inspects the traffic at the network and transport layers; next, the application level gateway (ALG) inspects it at the application level; the third level is another packet filter, which the data must also pass on its way through the entire firewall system.
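To make the serial arrangement concrete, here is an added model of the three-level chain (outer packet filter, application level gateway, inner packet filter) written for this page; it is not genua's or CGM's code. The networks, allow rules, permitted host and sample packets are constructed, and the gateway understands only a minimal HTTP request. Each stage either lets the packet through or returns a drop reason, so the example shows which level catches which kind of traffic.

```python
"""Model of a three-level firewall chain: packet filter -> application level gateway -> packet filter.

Added illustration, not genua's or CGM's code. Networks, rules, the allowed host and the
packets are constructed; the ALG parses only a minimal HTTP request. A real ALG terminates
the connection and re-originates it; here each stage is a function returning a drop reason or None.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass
class FilterRule:
    src_net: str
    dst_net: str
    proto: str
    dport: int


Stage = Callable[[Packet], Optional[str]]   # None = pass, otherwise the drop reason


def packet_filter(rules: list[FilterRule]) -> Stage:
    """Levels 1 and 3: a stateless allow-list on the 5-tuple (network and transport layer)."""
    def check(pkt: Packet) -> Optional[str]:
        for r in rules:
            if (ip_address(pkt.src) in ip_network(r.src_net)
                    and ip_address(pkt.dst) in ip_network(r.dst_net)
                    and pkt.proto == r.proto and pkt.dport == r.dport):
                return None
        return "no matching allow rule"
    return check


def application_gateway(allowed_hosts: set[str]) -> Stage:
    """Level 2: parses the payload as HTTP. Only a well-formed GET/HEAD for an allowed Host
    passes; non-HTTP bytes on the HTTP port are dropped even though level 1 admitted them."""
    def check(pkt: Packet) -> Optional[str]:
        try:
            text = pkt.payload.decode("ascii")
        except UnicodeDecodeError:
            return "payload is not ASCII HTTP"
        lines = text.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or parts[0] not in ("GET", "HEAD") or not parts[2].startswith("HTTP/1."):
            return "not a permitted HTTP request line"
        headers = {}
        for line in lines[1:]:
            if line == "":
                break                      # end of header block
            if ": " not in line:
                return "malformed header line"
            name, value = line.split(": ", 1)
            headers[name.lower()] = value.strip()
        host = headers.get("host")
        if host not in allowed_hosts:
            return f"host {host!r} not allowed"
        return None
    return check


def chain(stages: list[tuple[str, Stage]]) -> Callable[[Packet], tuple[bool, str]]:
    """Runs the stages in series; the first stage that objects drops the packet."""
    def run(pkt: Packet) -> tuple[bool, str]:
        for name, stage in stages:
            reason = stage(pkt)
            if reason is not None:
                return False, f"dropped at {name}: {reason}"
        return True, "passed all levels"
    return run


# Constructed topology: participants in 10.0.0.0/8 may reach web servers in 192.0.2.0/24, the ALG
# admits only requests for www.example.org, and the inner packet filter narrows the destination
# to the one server that actually hosts it.
FIREWALL = chain([
    ("level 1 (outer packet filter)", packet_filter([FilterRule("10.0.0.0/8", "192.0.2.0/24", "tcp", 80)])),
    ("level 2 (application level gateway)", application_gateway({"www.example.org"})),
    ("level 3 (inner packet filter)", packet_filter([FilterRule("10.0.0.0/8", "192.0.2.10/32", "tcp", 80)])),
])


def evaluate(pkt: Packet) -> tuple[bool, str]:
    return FIREWALL(pkt)


# Constructed sample packets, one per outcome.
GOOD = Packet("10.1.2.3", "192.0.2.10", "tcp", 80,
              b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n")
WRONG_PORT = Packet("10.1.2.3", "192.0.2.10", "tcp", 22, b"SSH-2.0-client\r\n")
NOT_HTTP = Packet("10.1.2.3", "192.0.2.10", "tcp", 80, bytes([0x16, 0x03, 0x01, 0x00, 0xA5]))
WRONG_SERVER = Packet("10.1.2.3", "192.0.2.77", "tcp", 80,
                      b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n")

if __name__ == "__main__":
    for label, pkt in [("good", GOOD), ("wrong port", WRONG_PORT), ("not http", NOT_HTTP), ("wrong server", WRONG_SERVER)]:
        print(f"{label:12s} -> {evaluate(pkt)[1]}")
```

The point of the model is that each level catches something the others cannot: the outer filter drops traffic on the wrong port, the gateway drops bytes that are not the expected protocol even on the right port, and the inner filter stops a request that was syntactically fine but aimed at a server the policy never meant to expose.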

"The components of the VPN access service had to ultimately demonstrate in hundreds of tests that they actually satisfied the functional and security requirements of the product description," explains the project manager. The requirements for the VPN access service alone encompassed more than 300 pages. And a test verification had to be furnished for each requirement. The verifications included various things, such as covering the correct behavior of the service in the event of faulty cryptographic cards or that the required encryption algorithms are supported in the IPsec (Internet Protocol Security) security protocol and that they also function, while non-secure algorithms may not be used.

Numerous Hurdles During the Construction of the Telematics Infrastructure

The construction of the telematics infrastructure proved to be a difficult marathon course with a number of additional hurdles. First, CompuGroup Medical had to be certified in accordance with ISO/IEC 27001 on the basis of IT-Grundschutz and implement an information security management system (ISMS) against IT security hazards.

"In such a large security network with very many participants and extremely sensitive applications, the highest possible availability of the systems is a critical requirement. All systems are therefore used in high availability clusters. In addition, a replacement system, located in a spatially separated second computer system, is present in the computer center for each cluster," says the project manager. Should a component fail, only a short time is available in which the switch to the replacement component must be made. "In the initial phase, we, as the operator of an essential component of the TI as critical infrastructure according to the IT Security Act, had an emergency situation that required reporting caused by a power failure at a main Internet node. During the switch to the backup computer center, there were unexpected difficulties with components. Here, the specialists from genua contributed to the decisive solution," adds Steinel. Through the simultaneous access of a large number of connectors, an overload situation arose that had to be rectified manually. The technicians from genua then developed a solution that now ensures an automatic switch in the event of similar situations.

The ongoing adaptation of the TI specifications also required repeated changes to the VPN access service. As an example, Steinel mentions an update to the IKE (Internet Key Exchange) standard, which handles the cryptographically secured key exchange for the IPsec protocol. The change to the new IKE variant could be implemented quickly, since this update had already been realized in the systems from genua.

High-Security Components Have Proven Themselves

The project manager of the VPN access service draws an overall positive conclusion from the experience gained with the security components used: "With the start of productive operation, we offer the VPN access service in open competition. Certification of the components in accordance with the BSI protection profile is no longer required. But after having had very good experiences with the components from genua, we continue to do so. This has paid off." He also refers to good experiences with the German manufacturer's support: "Contrary to the typical philosophy, we did not acquire additional know-how on our own but rather relied on the good advice from the specialists at genua."

He considers it a special benefit of the solution that the technology is designed specifically for very high security requirements. "These are complete appliances with matched hardware and software components. Security and functionality are already optimized for the increased requirements. The genua company brings a great deal of experience in this area," concludes the project manager.