05/14/2009

Holland shows Belgium how not to take any risk with ehealth projects

A Dutch Cabinet minister has stopped the development of the eHealth card because security researchers have successfully discovered the secret encrypted key on that card. They used an attack that is already old and analysed the electromagnetic fields on the chip of the card. It was also possible because the chip did not use the best security, so that it could handle transactions faster. This was done at a university (where are our universities doing such important work?), and you also need the PIN code to be able to do something with it (but hey, we have keyloggers for that, and most people keep all their PIN codes together or use the same one). So theoretically it is only useful in a very targeted attack or after a lucky theft (in which you have both the card and the PIN code).

The chip is used not only for the ehealth card but also in other smartcards. The chips have to be replaced. Meanwhile the development of the ehealth card has been stopped, but some think that this is because there are numerous other technical difficulties and because opposition against the card is bigger than expected and still growing. The main objections are that the information about the patients can be found on laptops and computers of all kinds of medical staff and institutions, while the security of those installations can differ enormously.

Security has to follow the data. If you claim that some data is more important than other data, it must have more security than other data at all times, wherever it is to be found. Even if Holland has a very strict law (Dutch) that for some kinds of data even imposes penetration testing, it is not sure that it would be implemented across the board at all times. The minister has announced that the ehealth infrastructure and card will be tested by penetration testers and hackers. That is in Holland, of course. Maybe they should test their incident response at the same time.

In Belgium we also have ehealth, but we have neither the technical norms, laws and controls of the USA nor the critical penetration testing, research and oversight by professionals and researchers that Holland has. There are some promises, but these are words in the wind. On paper the ehealth business controls its own business. If you did that in any other business, they would have a word for it, especially in times like these when everybody wants to implement more controls. I hope we don't need 10 years to realise that we ought to implement many more controls, oversight and laws about the security and privacy of ehealth, after something has gone awfully wrong.

The Dutch articles (about which the Belgian press wrote NOTHING):

330.000_bezwaren_tegen_patientendossier

Invoering_medisch_dossier_ligt_stil_na_kraak_pas

Klink verliest geloofwaardigheid door uitstel EPD
