KV-SafeNet

from Wikipedia, the free encyclopedia

KV-SafeNet is one of two approved options for connecting to the secure network of the Associations of Statutory Health Insurance Physicians (KVs), which is intended to secure and facilitate digital communication between health care providers and the KVs. In contrast to the second option, KV-Flexnet, the procedure requires a SafeNet router from the service provider, which can be obtained from KV-certified providers for a fee. For existing networks such as clinics or medical care centers, connection via KV-SafeNet is mandatory nationwide. Whether this also applies to individual practices, or whether KV-Flexnet is offered as an alternative means of access in the respective federal state, is decided by each state KV individually. The National Association of Statutory Health Insurance Physicians (KBV) has been responsible for the organization and further development of KV-SafeNet since 2008. According to current estimates, there are now more than 50,000 physical KV-SafeNet connections in practices and clinics across Germany.

The KVs' secure network connects individual doctors' practices, medical facilities and hospitals with the KVs' data centers. Access to the secure network of the KVs is granted only to users authorized by the KVs. Access by unauthorized persons to the network of the KVs, to the data transferred in it, to the applications and services provided and to the connected PCs is to be ruled out. Since July 1, 2015 (quarter III / 2015), the quarterly billing of all service providers has to be submitted via the secure network of the KVs; submission in paper form, on data carriers or via the web portals of the state KVs is no longer accepted.

The term KV-SafeNet is often erroneously used as a synonym for the secure network of the KVs but, as described above, it is only one possible technical connection to that network.

The secure network of the KVs

Since 2008, all KVs and the KBV have been networked with each other via the so-called KV backbone and form a cross-KV network. This network is known as the “secure network of the KVs”. In addition to applications for use by contract doctors and psychotherapists, infrastructure services such as DNS and NTP servers are operated in the “secure network of the KVs”. The use of the Border Gateway Protocol (BGP), in combination with the public IP address space available for this network, enables subscribers to use the services offered across KVs.

KV-Ident (Bavaria), KVH-Online (Hesse) and MediSign (Rhineland-Palatinate, Saxony, Schleswig-Holstein) or KV-Online (Westphalia-Lippe) via a software VPN with authentication via chip card or grid card are authentication methods used for the unique identification of KV members on web portals. After successful authentication, the member is authorized to use the web applications available in the web portal. The KVs' web portals are alternatives for the transmission of online billing, but they do not provide a connection to the KVs' secure network or to the applications and services available there.

KV-SafeNet (network coupling) is an additional authentication service ("person-related") for clinics and other cross-network health facilities (doctor networks, MVZ with several BSNR via a physical IT infrastructure in the building, etc.). This additional service is offered via certified network coupling providers. Interested participants can use existing LAN or WAN structures to connect to the secure network of the KVs (SNK) via a secure, centralized "KV-SafeNet Gateway", after successful personal authentication on the KV-SafeNet network coupling router. All online services in the SNK can be accessed using this access variant. The situation is different with KV-Ident, KVH-Online, MediSign, KV-Online or an eToken: each of these access variants only allows the use of individual online applications of the state KVs, and only from a specific workplace. These access options are intended for occasional use (e.g. a doctor's practice that would like to bill once per quarter).

Technology

KV-SafeNet is the connection to the "secure network of the KVs" specified by the KBV and is based on a hardware VPN. KV-SafeNet is therefore not an infrastructure of its own, but only one variant of connecting to an infrastructure, namely the "secure network of the KVs".

The prerequisites for a connection via KV-SafeNet are any internet connection on the participant's side and an internet-capable PC. The VPN channel is set up on top of the existing Internet connection. For this, the certified KV-SafeNet providers install and operate KV-SafeNet routers in the practices to be connected, and VPN concentrators in the KV data center. VPN tunnels encrypted with TLS or IPsec are established between the KV-SafeNet routers and the VPN concentrators; they secure the communication path and ensure that the data transported in the VPN tunnel is protected from unauthorized access. The KV-SafeNet routers and VPN concentrators are the so-called tunnel endpoints.

The KV-SafeNet Router is configured in such a way that an active connection from the Internet to the practice is not possible, thus preventing unauthorized third parties from accessing the doctor's practice network.

Access providers certified by the KBV are responsible for the connection via KV-SafeNet to the "secure network of the KVs". The technical and organizational requirements imposed by the KBV on a KV-SafeNet provider are specified in the document "Framework Directive KV-SafeNet". This document forms the basis for the certification of access providers for KV-SafeNet.

The term of a certificate is three years. After this period, the provider must be recertified. This ensures that the security mechanisms on which KV-SafeNet is based always correspond to the current state of the art.

Criticism

Data protection and security

The KBV names the legislator's introduction of the electronic health card (eGK) as the original reason for setting up the secure network. There was already massive resistance to the eGK from the medical profession, partly because of data protection concerns. An administrator for practice IT at the Chaos Computer Club is fundamentally critical of the concept of the secure network of the KVs: its establishment, he argues, created in the first place the technical possibility of aggregating and evaluating sensitive personal data, such as the diagnoses of millions of GKV-insured persons. In addition, the security principle of KV-SafeNet is questioned as "security by obscurity", an approach that has never been successful in the long term in the history of cryptography. The service providers have no access to the secret router firmware. No responsible administrator would put a “black box” at the center of the infrastructure to be protected.

The introduction of the eGK was only indirectly related to the emergence of KV-SafeNet. KV-SafeNet has a more fundamental reason for existing: in 2002, the German Bundestag and the Bundesrat decided to launch a quality-assured mammography screening program. This was the first nationwide preventive measure whose roll-out was, and still is, heavily digitized. At that time the KBV was given responsibility for security. In addition to the screening units themselves, various “online tools” had to be created. Among other things, this resulted in the KV applications MaSc and Mammasoft of the KVWL and the KVB, and in a secure connection of the screening units (just over 90 permanent screening units (SE) with a total of approx. 300 "satellites" in the cities) to the KVs' data centers. KV-SafeNet emerged from this secure connection, together with all the control mechanisms for KV-SafeNet providers, such as certifications and audits. In the years that followed, further online applications were derived from it, such as the transmission of tumor documentation data (ONDIS) or of cancer-related data to the epidemiological state cancer registries. In NRW, for example, this is done via EPICAN: here a state KV was firmly anchored in law as a pseudonymization office, with the data transmitted securely with the help of KV-SafeNet.

Costs

Compliance with the security requirements and the service provided by the provider entail additional costs beyond those of a simple DSL connection. This has caused a lot of criticism of KV-SafeNet. The KBV's specifications for KV-SafeNet certification do not contain any specific requirements regarding the technology to be used. The providers can therefore use devices from different price segments as long as the solution complies with the specification (framework directive KV-SafeNet V3.0). As a result, different price ranges should be covered. In any case, there are additional costs on top of the normal DSL connection.

Another major point of criticism is the link between the quarterly online billing and KV-SafeNet. This gave many contract physicians and psychotherapists the impression that the transmission of the online billing is tied exclusively to KV-SafeNet as the transmission path. Many KVs reacted to the criticism and made alternative, cheaper ways of online billing available, for example KV-Ident (Bavaria), KVH-Online (Hesse) and MediSign (Rhineland-Palatinate, Saxony, Schleswig-Holstein) or KV-Online (Westphalia-Lippe) via a software VPN with authentication via chip card or grid card. Many KVs developed the possible ways of transferring the online billing in coordination with the responsible state data protection officers. Which transmission channels are offered for the billing differs from KV to KV. However, a stop was put to these state-specific variants: from summer 2015, KV-SafeNet will be mandatory for online communication with the KVs.
