Massive breakdown in the national organ donation register of the “Swiss National Foundation for Organ Donation and Transplantation” (Swisstransplant): Experts from the IT security company ZFT.Company discovered that it was possible to enter any person in the online directory without their knowledge and consent and thus almost involuntarily turn them into organ donors. In this context, the researchers pointed out “significant safety deficiencies”.
In order for organs and tissue to be removed for donation or research purposes in Switzerland, the person concerned must give their informed consent (opt-in). In addition to a living will or the physical organ donation card, the Swisstransplant register is a digital option for documenting such a decision. According to ZFT, one of the major challenges is “the determination of the identity of those involved”.
“Poor registration and consent process”
According to their report published on Tuesday, the security experts have already identified critical vulnerabilities during a “cursive examination” of the online database. They only deal with “high risk” ones. They include an “inadequate registration and consent process”, the “insufficient authentication mechanism and an inadequate check of the input parameters”. Furthermore, it was possible to read and download all files on the application server.
The consequences of the identified shortcomings “are a complete loss of confidentiality, authenticity and integrity” of the data recorded in the register, the researchers complain. In particular, it cannot be proven who wrote which decisions in it. Alleged consents “could be given easily and without risk of discovery on behalf of third parties”.
According to their own statements, the discoverers reported the defects to those responsible. They also informed the Foundation, the Federal Office of Public Health (FOPH), the Federal Data Protection Commissioner (FDPIC), Adrian Lobsiger, and the National Center for Cyber Security (NCSC).
Identification with an additional identification document
The Swiss broadcaster SRF has checked the allegations. The ZFT consultant Sven Fassbender registered an informed reporter for him via tablet with his personal details, including a photo. He had previously found the journalist’s address, date of birth and picture on the Internet. After just a few minutes, an e-mail address created in the test person’s name received a confirmation: “Thank you very much for your entry in the National Organ Donation Register. We have checked and activated it.” The note: “In an emergency, your decision will be presented to the relatives and implemented without a doubt.”
After the report, Swisstransplant temporarily took the register offline and at least partially fixed the security gaps. The database is now online again, but registration via the website or by post is currently not possible. They are “in close contact” with the FDPIC, “which is currently examining the matter”. Both sides jointly evaluated “further steps”. “In the case of online registrations, the aim is at best identification with an additional identification document”.
No viewing or processing of personal data
In a statement to the SRF, the foundation had previously emphasized that it had made the registration process “consciously user-friendly”. The requirements for two-factor authentication are met, since a password and an email or SMS are used. In an emergency, a decision to donate an organ would be presented to the relatives and could be changed if it did not correspond to the presumed wishes of the deceased.
“Personal data could not be viewed or edited at any time. The existing register entries are secure,” emphasizes Swisspatent in a public statement. As an immediate measure, the intensive care units were instructed “to validate the portrait photo, e-mail and signature additionally with an identification document of the deceased person in the conversation with relatives if there is an online register entry”.
By mid-January, around 130,000 people who were willing to donate had entered the register. The data protection officer Lobsiger did not want to comment on the question of whether these notes now all have to be checked because of the ongoing proceedings against the SRF. However, he emphasized that it was important to him to maintain trust in the organ removal system.
(bme)