Security flaws in the Dutch EPD system - a summary

The EPD is essentially a central registry that stores links (references) to patient records. The system is intended for exchanging patient records on a national scale in the Netherlands. Over time, patients who have not opted out may find numerous records relating to their medical history registered in the EPD system. Patient information can be highly privacy-sensitive, and the confidentiality of this information is very important: it directly relates to patient-doctor confidentiality and to each person's fundamental right to privacy. Therefore, a system whose purpose is to exchange patient information has to be very secure.

However, we found several significant flaws in the security architecture of the EPD. These make the potential damage caused by a successful attack on the central LSP system, or on one of the decentralized information systems attached to the LSP, unnecessarily large.

A very serious vulnerability is that the system comes with a weak delegation mechanism (the mechanism physicians use to allow employees to access patient records on their behalf) which can easily be abused. Misuse of delegation makes any access control rule in the EPD, such as excluding a neighbour who happens to be a physician from a patient's records, straightforward to bypass. Also, because the EPD's access control mechanism leans almost completely on auditing after the fact, it will be almost impossible to catch a criminal in the act. We believe that much more emphasis should be placed on verifying authorization (including delegation) before permitting operations on the EPD, so that abuse can be prevented rather than only detected after the fact. Furthermore, a patient portal that provides access to the EPD's access logs is crucial, as the security of the system leans on verification of access control decisions after the fact. However, the patient portal is not finished yet. In addition, the mechanism that is planned for patients to 'log in' to their EPD creates some vulnerabilities.

It is generally emphasized that the EPD is decentralized - that is, the patient records are stored in the information systems of health organizations, and not in a central database. However, the system's security architecture is actually centralized: access control and logging take place centrally. In fact, the system's security mechanisms do not provide the decentralized information systems with enough information to independently verify the authenticity of incoming requests, let alone to define their own access control rules. Furthermore, more information is stored centrally than is generally known - for example, access logs which indirectly relate to medical treatment. Also, we have found that it is likely to be impossible to remove all information related to a patient record from the LSP once it is there. This information is vulnerable in the event that the LSP gets compromised.

In conclusion, the EPD does not currently live up to its claim of being a sufficiently secure infrastructure to exchange medical information. We believe it should be improved in many ways before it can make such a claim.

Finally, the EPD comes with an 'informed consent' model based on opt-out. Opting out may become impractical for patients who want efficient care once the EPD becomes the de facto standard for exchanging medical information. In view of our findings above, and considering that even an improved system will always carry a risk of information leaking from it, simply because the information is there, there are real risks that originate from the usage of the EPD and from the more than likely interpretation of the absence of an opt-out as assumed consent.

To protect security and privacy sufficiently, also in the future, not only the technical architecture should be improved: the consent model should also be adapted to ensure that patients can keep medical information out of the national EPD if they consider this necessary.
