Several German health authorities’ IT systems reportedly harbor significant security vulnerabilities, putting the sensitive data of numerous citizens at risk. According to a report from Zeit Online, these vulnerabilities are known but instead of addressing them, the weaknesses are allegedly being downplayed, with specific cases cited in Rheinland-Pfalz.
The security issues often originate on a financial level, with municipalities lacking the funds and expertise to securely manage their IT infrastructure. The report states that administrators frequently lack formal IT training, often being administrative staff.
This non-specialized IT personnel is tasked with managing a software called Mikropro Health, deployed by health authorities as a unified data processing platform. However, experts argue that Mikropro Health does not meet modern technological standards. An external analysis revealed multiple security problems with this software.
The security issues are diverse, including the fact that user account access credentials for setting up the software are stored in the source code. This means that anyone with access to the code can potentially “view, download, and modify” all data, create new accounts, and grant extensive rights unless the default password has been changed. Additionally, Mikropro stores user passwords in plain text for certain applications by default.
Furthermore, in the default configuration, Mikropro’s database allows arbitrary SQL queries without verifying whether the user is authorized. Any user with database access can thus access, modify, or delete all data. While this issue could be addressed, the responsibility lies with the administrators who typically lack the necessary knowledge.
Another security concern is that the support from Mikropro’s manufacturer potentially has access to all health authority data. The support often requests the transmission of the entire unencrypted database for troubleshooting, granting access to all contained information.
Moreover, Mikropro’s permission concept is reportedly flawed, allowing employees from one department to view data from all other departments, even those unrelated to their responsibilities, as explained by Zeit Online.
Despite these issues, the State Data Protection Commissioner of Rheinland-Pfalz, Dieter Kugelmann, allegedly sees no problems with the project. According to him, his office has no information about vulnerabilities, and they have not expressed any data protection concerns about the state government’s digitization strategy. He has shifted responsibility onto the district administrations, stating that they are accountable for “data security.”
The reported problems are not limited to Rheinland-Pfalz, with Zeit Online noting that similar issues exist in many municipalities. The technology in use is described as outdated, and those in charge were reportedly warned about security gaps but made no changes to their plans.
In recent weeks, numerous German municipalities have been targeted in cyberattacks, with health authorities being attractive targets due to the highly sensitive data they handle.
READ MORE: Tchibo Mobil Upgrades Smart Plans to 5G with More Data, Unchanged Prices
