The Dutch Electronic Patient Record System

A Security Analysis of the Dutch EPD system

This page presents a security analysis, describing vulnerabilities we found in the design of the Dutch electronic patient record system (EPD).

Nederlands

Nieuws (update 6 juni 2014).

Defunct link: FAQ - Feit en fictie over het EPD

Alles op een rijtje (aanbevelingen in het kort).

Archief

English

A paper about the security architecture of the EPD system was published at the ACM Computer and Communications Security Conference SPIMACS workshop, October 2010. See publications

Detailed summary of the security issues.

Here is a brief summary of the key findings in English.

Here is an overview of all available documentation.

A technical paper describing the EPD's system architecture and security aspects can be found here: Technical Report UVA-SNE-2010-01.

The letter that I wrote to the senate, summarizing the main findings of this research (in Dutch) can be found here.

The ministry (VWS) issued a sharp response after the findings were reported, describing the work as "unfounded." Instead, the response is unfounded. Here is my reaction to that.