A Security Analysis of the Dutch EPD system

This page presents a security analysis, describing vulnerabilities we found in the design of the Dutch electronic patient record system (EPD).


News (update 6 June 2014).

Defunct link: FAQ - Fact and fiction about the EPD

Everything at a glance (recommendations in brief).


A paper about the security architecture of the EPD system was published at the ACM Computer and Communications Security Conference SPIMACS workshop, October 2010. See publications.

Here is a brief summary of the key findings in English.

A technical paper describing the EPD's system architecture and security aspects can be found here: Technical Report UVA-SNE-2010-01.

The letter that I wrote to the senate, summarizing the main findings of this research (in Dutch), can be found here.

The ministry (VWS) issued a sharp response after the findings were reported, describing the work as "unfounded." Instead, the response is unfounded. Here is my reaction to that.