2025-06-25, Track 1
The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is running the project SiPra in order to assess the current state of security of practice management software for doctors' offices (Praxisverwaltungssysteme) in Germany. The goal is to gain an overview of the state of the market and to derive guidance and recommendations for doctors' offices and their IT environments.
As part of this project, ERNW is conducting a security assessment of four distinct products chosen by the BSI. All chosen vendors were contacted by the BSI and asked for cooperation. The goal was to be assisted during the installation process, to receive documentation, and, if possible, to get access to the source code in order to conduct a white-box assessment and make the most efficient use of the short time frame.
In this presentation, we will share the results from our market analysis and findings of the technical security assessments. We highlight common vulnerabilities and vulnerability types identified in the different software products. We also discuss their implications for healthcare providers, and provide practical recommendations for potential remediation. Additionally, we address potential regulatory actions that can improve the security landscape of these systems in Germany.
These results serve as a foundation for further research and regulatory discussions between the BSI and software vendors.
Dennis Heinze is working as a Security Analyst & Researcher at ERNW Enno Rey Netzwerke GmbH. He earned his Master's degree in IT Security at TU Darmstadt with a focus on network and system security. In the past, he published research on Bluetooth technology in the Apple ecosystem, with a special focus on the analysis and security of Bluetooth protocol implementations. At ERNW, his work focuses on pentesting mobile and embedded devices as well as their communication and back-end systems.
Pascal Jeschke (he/him) studied computer science and social science and joined the Federal Office for Information Security (BSI) in 2021.
After supporting the secure development of the Corona Warn App and the digital CovPass App, his present main topic is cybersecurity within doctors' offices.
In this field, he conducted multiple projects:
* SiRiPrax (Evaluation der IT-Sicherheitsrichtlinie, evaluation of the IT security guideline) was the first project, focusing on IT security within doctors' offices with regard to the existing guidelines.
* Together with ERNW, SiPra (his current project) raises the question: How secure are practice management systems by default? To get closer to an actual answer, ERNW is pentesting four systems, and the results will be used to discuss further measures.
These projects align with additional projects of the BSI, allowing a better evaluation of the current state of cybersecurity in doctors' offices.