BSI Project SiPra: Security of Doctor's Office Software

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) is running the project SiPra to assess the current state of security of management software for doctors’ offices (Praxisverwaltungssysteme) in Germany. The goal is to get an overview of the state of the market and derive guidance and recommendations for doctors’ offices and their IT environments.

As part of this project, ERNW is conducting a security assessment of four distinct products chosen by the BSI. All chosen vendors were contacted by the BSI and asked for cooperation. The goal was to obtain assistance with the installation process and with documentation and, if possible, access to the source code, so that a white-box assessment could use the short time frame as efficiently as possible.

In this presentation, we will share the results of our market analysis and the findings of the technical security assessments. We highlight common vulnerabilities and vulnerability types identified in the different software products. We also discuss their implications for healthcare providers and provide practical recommendations for potential remediation. Additionally, we address potential regulatory actions that can improve the security landscape of these systems in Germany.

These results serve as a foundation for further research and regulatory discussions between the BSI and software vendors.

Presentation about the BSI SiPra Project (WIP)

About the Speakers