Minister's letter on chip EMD vulnerability
Letter Min. VWS on chip card (UZI) vulnerability
Letter from the Ministry of Health, Welfare and Sport to the Speaker of the House of Representatives of the States General
Our reference MEVA/ICT-2922193
Subject Smartcard
Dear Chairman,
The letter of 19 February 2009 (MEVA/ICT-2914041) following the Electronic Patient Record Bill reported that measures are being taken to address a vulnerability recently identified in a laboratory environment in the computational mechanism of the chip on the UZI-pass.
The smart cards affected by this vulnerability are widely used (internationally), in both the public and private sectors. In the Netherlands, in the public sector, this concerns the UZI-pass and the Defence Pass. The Ministry of Transport, Public Works and Water Management also uses them in the Digital Tachograph and has provided them for the On-board Taxi computer.
Vulnerability
The vulnerability identified concerns the application of the Chinese Remainder Theorem (CRT) to speed up the performance of certain calculations. In a laboratory setting, experts have been able to figure out the private key of a chip. Each time, to retrieve a private key, it is necessary to have the smart card and associated PIN, great expertise and specialised equipment. With this, a private key of a chip can be obtained. Incidentally, this can then only be used as long as the original smart card has not been revoked by its rightful owner.
Implications for UZI-pass
After contacting suppliers, VWS has determined that the vulnerability poses a very low operational risk to the use of the UZI-pass for accessing the EHR. This is partly because the UZI-pass is not the only security measure. A healthcare provider must, for example, prior to connection to the national switch point, meet the requirements for a Well-Managed Care System (GBZ). This involves guarantees regarding correct and careful registration, processing and provision of data. For access to the EPD, the UZI pass can only be used within a HIS within which the relevant pass is authorised. In addition, the national switch point and the HPS permanently record who has access to which data and when, the so-called log data.
However, it is important to remove the vulnerability in the short term. For the UZI-pass, the transition to a more modern chip (without the identified vulnerability) is scheduled for mid-third quarter 2009. From then on, every new UZI pass will be fitted with the new chip.
In communications to current users of the UZI-pass, it will additionally be emphasised that the pass and PIN should be kept separate and must be managed with care. If the pass is lost or stolen, it should be withdrawn immediately. This can be done 24 hours a day via the website of the UZI-register.
The validity of UZI-passes is three years. From the time the new chip is available, passes already issued will not be replaced after three years, but after two years. If a user wishes, exchange can take place earlier.
Impact on Defence Pass
For Defence, the vulnerability is not relevant at the moment because the private key is not yet in use. Defence has taken measures to eliminate the vulnerability in the computing mechanism before the private key is put into use.
Consequences for on-board computer taxi pass
Implications for Digital Tachograph Pass
To what extent the discovered vulnerability is an issue for digital tachograph passes is currently under discussion with fellow Ministries of Transport and the European Commission. As soon as more is known about this, you will be further informed.
Sincerely,
The Minister of Health, Welfare and Sport,
Dr A. Klink
the State Secretary for Defence
Drs J.G. de Vries
Secretary of State for Transport,
J.C. Huizinga-Heringa