The German Health Card

Today was "Staatsbesuch", an open house extravaganza in the ministries in Berlin. This is becoming a regular favorite in the Berlin calendar, as the ministries set up dog-and-pony shows for the taxpayers to show them what it is that they do all day. They print up entire forests worth of brochures for the purpose, but it is really a good way for them to get close to interested citizens and to hear what they have to say.

They may not like what they have to say. But at least they are listening.

I chose 4 ministries today, the health ministry was a special target because they are introducing a national "health card" (WP-DE, official ministry page) which is a plastic card with a chip on it that is supposed to, well, actually no one knows, but surely will save tons of money and work for someone. Maybe. Sometime in the future. It is a future technology. It is modern. It uses cryptography.

It is also costing the taxpayers, or rather the insured taxpayers, a pretty penny (4.5 billion Euros). The doctors are mad about it, because they have to buy new equipment and spend extra time on it and are not getting paid extra for it.

It was supposed to be introduced on April 1 of this year (no joke). But this didn't happen. The Chaos Computer Club has a good bit of information on this (1, 2, 3). Seems they were running a little test in Flensburg that bombed completely. People could not cope with the system.

I went to their stand to have a good look. I joined in one discussion, but got myself brushed off by asking about the strength of the cryptography. They did get a guy over who could talk computing, but he didn't really know. He wanted to explain how the cryptographic protocol worked, I wanted to know the strength of the system. It is to get tested every year by the BSI, the German governmental organization for security of information technology, so I guess that's all right. He dug out a "white paper" for me, but it is not all that reassuring, either. It just wants me to trust the government.

I had him run me through the entire procedure, they had stations for the insurance company, information kiosks, primary care physician, specialist, and the pharmacy set up.

  • At the insurance company I could change my address. Wow. Saves them having to send me a new card, just because I move. I can't enter in Berlin addresses that have weird stuff like HH 2 li (back house, second floor, links) in them, but there is a field for extra stuff, so I guess it can get itself recorded.
  • At the kiosk I first wanted to know where these are supposed to be. Oh, at insurance offices and chemist's. Who is going to pay for that? Oh, this is just a prototype. Then they had a language choice: German and Simplified German. I kept pushing "Simplified German" and they kept correcting that, until I said I wanted to see what that was. Oh, this is just a prototype. The first screen just said "Eingabe" instead of "PIN-Eingabe". The rest was the same. Duh.
    Then I was demonstrated the function for "checking" your PIN. Seems so many people forgot their PIN (that they had to make up the first time they used the card) in the trials, and the card is invalidated if you enter the PIN 3 times, you can then use one of these kiosks to try out different combinations until you get it right. Double-Duh and extra points for spotting the security implications of this.
  • At the primary care physician there were a gazillion fields that could be filled out. The screen layout has lots of room for improvement. It does not seem to be fitted to the workflow, but as usual, fits the data containers on the chip. The doctor can spend time with you entering your emergency information and your allergies and such. These can be read without a password in an emergency if the emergency response team happens to have a mobile reader with them. It was a cute thing with a screen and a little keyboard, but the chances of the battery on the thing being low is probably pretty high. I asked if the doctors get paid to put this information on the card. No. So why would any doctor do this?
    Then we had some medicine prescribed. I was asked for my favorite medicine. I just said "pick one". The list presented was not the ordering normally used by doctors - they have their "Bible", the Red List, that is ordered systematically. This list was offered alphabetically - a long way to scroll down to Zolim .... I commented on this, the reply was: this is just a prototype.
    Turns out, all of the archaic software systems currently running in doctor's offices will all have to be upgraded to interact with this system. At least they have a connector module that uses and offers web services. So there was at least one architect on the project that understood how to work with legacy systems.
    So we ordered two medicines on this card, and proceeded to the next station.
  • At the specialist's it was just another doctor with just another system for entering in the cards and the PINs. Here I requested to see how the doctor's letter works. My demonstrator was choosing to write to the primary care physician at the previous station. I thought it would be nice to have a letter written to a different physician so that I could see how the cryptography works. There was a list of (silly) doctor's names, so we chose one. I immediately thought this would be a lovely application for a public key infrastructure, with the specialist signing with his private key and encrypting with the addressing doctor's public key. Oh yeah, that's how it works, the guy said. We wrote some gibberish into the letter, and "signed it". After 20 seconds it crashed. Oh, he forgot the PIN. We wrote the letter again, signed it, put in the PIN, waaaaaaaited, and then it was done - the letter should now be out there on the Healthnet, ready for the doctor it was addressed to to download and read it.
    Nasty me wanted him to show me the results. He assuredly went back to the other station, inserted the card for a doctor that the letter was not addressed to, and downloaded the letter.
    It was perfectly readable, i.e. not encrypted. Um, this is just a prototype, the doctor's letter is a new module. Triple-Duh (no, not Triple-DES).
  • So we landed at the Pharmacy. We put the card into the pharmacist's machine, typed in my PIN and the pharmacist's - and there was no medicine prescribed for me on the card. Darn. The doctor forgot to sign the prescription. I remarked that the patients might not like this, as they get to the pharmacy and discover that the doctor got distracted and did not complete the transaction and now they have to go back to the doctor's office. Oh, but that could happen today, too, the guy said. Not hardly likely - if I don't have a prescription in my hot little hand, I notice! And, I can theoretically read the prescription. I can't read the plastic thing.
    So he gets another card that has a prescription on it for me, and fills it, and then sells me aspirin, which will have an adverse reaction with one of the things prescribed. Indeed, an error window opens with a completely unintelligible message on it, that can possibly be interpreted to be a cross reaction warning. Whoopie.
I thanked the guy for putting up with me.

It would seem to me that the government is pouring tons of money into a project just because someone thinks this is somehow futuristic. They let a bunch of programmers determine what to do, instead of studying workflows and studying the users. Even after the system bombed in Flensburg, they have the nerve to demonstrate a half-baked piece of software. They could at least have faked it a bit more convincingly. But I really do not see how they can sell this to all of the stakeholders in the health care system - the only one to profit is the insurance companies, who get nice digitized data already nicely linked to the user number for their data mining applications. I think this is is a big waste of taxpayer money.

Not that anyone listens to me.


Vijairaj said...

Most probably this is an incomplete demo but the real system would be a lot better, I assume.

WiseWoman said...

Demonstrating a system that is incomplete and already quite late is rather embarrassing, especially as they want to get people to trust the system.