---
title: "75 Million Lives, Two Keys"
date: 2025-01-05T23:42:00+01:00
draft: true
---

2025 has begun. In this new year, with its new national healthcare record system, Germany will start one of the largest rollouts of a cryptographic system in history. While the system has received scrutiny and, as a result, harsh criticism from parties ranging from NGOs to ordinary citizens, it has received surprisingly little attention from the academic applied cryptography community. Moreover, previous criticism of the system has largely revolved around organizational issues. While that criticism is valid, we believe that some cryptographic issues at the core of the system have escaped attention until now. In particular, at the core of the system is a key escrow scheme that contains several questionable design choices and that, in its overall design, seems out of place in 2025.

The aim of the system is to serve as shared storage for all of a person's healthcare records. A person's entire patient file, with all documentation of the treatment process including test results, images and other raw data, will be stored in something vaguely resembling cloud storage, such that every healthcare provider the person visits can access the entire file. This centralized, synchronized storage eliminates the need to transfer this data between hospitals and doctors' offices by fax, mail or physical media, as was common practice until now. After a development and testing phase lasting approximately five years, the German government decided to roll out the system to everybody insured under Germany's mandatory national health insurance scheme, totalling approximately 75 million people, on January 15th, 2025.
In this article, we give an overview of the system's cryptographic design before highlighting a few odd design choices that could amount to a viable attack vector for powerful adversaries.

## Context and involved parties

Germany has a national, mandatory health insurance system. It is open to any permanent resident of the country irrespective of citizenship. It is mandatory in the sense that, while residents can choose between a number of both publicly owned and private health insurance providers, it is not possible to opt out of the system. The public health insurance providers cover approximately 90% of German residents. They are organized in an umbrella organization named "GKV Spitzenverband". The responsibility of this umbrella organization largely revolves around negotiating prices with pharmaceutical companies and with healthcare providers as a publicly sanctioned cartel, but it also includes the specification and operation of shared IT infrastructure for billing and data exchange between healthcare providers.

While GKV Spitzenverband is the party that ultimately holds responsibility for the regulatory administration of national healthcare IT infrastructure, it has delegated large parts of both the technical specification of this infrastructure and its day-to-day operation to Gematik GmbH, a state-owned limited liability corporation created specifically to develop and implement national healthcare IT standards. The electronic healthcare record system described in this article was standardized and implemented by Gematik GmbH under the direction of GKV Spitzenverband.

Healthcare providers in Germany need to be registered with GKV Spitzenverband to serve members of public health insurance providers. Since the public providers hold approximately 90% market share, the vast majority of healthcare providers are registered this way.
## Design principles

## Cryptographic design

## The implied adversary model

While Gematik GmbH publishes detailed specifications of the systems it standardizes, these specifications and some associated implementation guidelines are about the extent of the publicly available information. Software implementations are kept secret, and while the results of standardization are available, a large fraction of the design rationale is discussed behind closed doors. From an academic perspective, the most glaring omission in Gematik GmbH's public documents is any definition of a threat model or an adversary model. Consequently, we deduce an adversary model below by contextualizing the published standards in the national healthcare setting, and we base our further analysis of the system on that adversary model.

## Previous reviews and audits of the system