eHealth: switch to ECC encryption by 2026 causes production stress

Thousands of healthcare professional ID cards must be exchanged by the end of the year. The provider Medisign is lagging behind, but still wants to catch up.


After Gematik warned the Federal Ministry of Health and its shareholders about the slow exchange of electronic health professional cards (eHBA) and practice and institution ID cards (SMC-Bs), production at one of the trust service providers, Medisign, is now running at full speed. Otherwise, thousands of doctors and pharmacists would only be able to use the telematics infrastructure (TI) to a limited extent at the turn of the year. They would no longer be able to sign e-prescriptions or fill electronic patient records, for example.

All Generation 2.0 eHBAs and SMC-Bs must be replaced by Generation 2.1 cards by 31 December 2025. The reason for this is the changeover from the previous encryption with RSA 2048 to ECC 256 (Elliptic Curve Cryptography). In doing so, the parties involved are fulfilling the requirements of the German Federal Office for Information Security. ECC 256 offers significantly shorter key lengths and therefore faster processing times with the same security level.

The situation is also dicey for pharmacies, as the Pharmazeutische Zeitung emphasised in its article. Insured individuals will no longer be able to fill e-prescriptions in affected pharmacies. Outages and TI malfunctions lead to losses for pharmacies in particular, which is why pharmacists recently called for more reliability in e-prescriptions.

According to Gematik, 13,000 connectors that are only RSA-capable still need to be replaced. In May, the National Association of Statutory Health Insurance Physicians (KBV) had already warned of bottlenecks and called for the deadline to be extended, as has been decided in other countries.

A Medisign spokesperson admitted to heise online: "Unfortunately, the changeover to an entirely new application and production system has resulted in a delay in card production of around four weeks. The data from the old system had to be migrated to the new system, which proved to be very complex and time-consuming. We are currently working flat out to optimise various processes and functionalities for card applications."


With a new production line, the aim is to issue up to 15,600 cards per 6-day week. The trust service provider intends to complete the special exchange on schedule by the end of the year. In the first three days after the changeover, on 27 September, 2,511 SMC-B and eHBA cards were already produced. Medisign has made up for the production backlog.

In addition, all affected practices and pharmacies will be informed in good time by e-mail. Medisign also wants to offer customers a "simplified procedure agreed with Gematik: Only the card itself will be exchanged – re-identification is not necessary if the ID card data has not changed," says the spokesperson.

Security researcher Bianca Kastl says of the card swap: "Traditionally, the problem with cryptographic material in the telematics infrastructure is that the identification or correct delivery of cards is weakly verified. Provided that new cards cannot simply be delivered to the cheese counter again and are instead delivered securely with identification, this may be enough to swap the cards. Otherwise, new attack scenarios will arise."

The difficulties at Medisign are part of a series of difficulties in the digitalization of the healthcare system. As recently as August, there were compatibility issues between CGM practice software and Rise connectors, which prevented access to the electronic patient file for weeks. For the further development of the TI, Gematik will rely on a zero-trust security concept, which is to be introduced gradually from mid-2026. Federal Health Minister Nina Warken recently announced an update to the digitalization strategy – this should also benefit the operational stability of the TI.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.