E-prescription soon on paper?

The slow transition to ECC encryption may force many practices back to paper. Health insurance physicians warn Federal Network Agency of serious consequences.


Just weeks before the switch from RSA to Elliptic Curve Cryptography (ECC) in healthcare, the National Association of Statutory Health Insurance Physicians (KBV) is sounding the alarm and has written to the Federal Network Agency (BNetzA) in a letter obtained by heise online.

By the end of the year, according to BNetzA regulations, RSA keys with a length of 2048 bits are no longer to be used. However, the KBV warns that numerous practices will no longer be able to actively use the telematics infrastructure (TI), the “data highway of the healthcare system.” According to the letter, Gematik reports that over 50,000 electronic professional qualification cards (eHBA) have yet to be exchanged. Practice cards (SMC-B), card terminals, and connectors also need to be replaced.

Despite ongoing production by suppliers such as Medisign, where generation 2.1 cards are now being manufactured in six-day operation, the exchange cannot be completed by the end of the year, the KBV states. In the letter to BNetzA CEO Klaus Müller, the KBV board requests an extension of the deadline: RSA-based eHBAs must continue to be permitted for qualified electronic signatures (QES) on an interim basis. Otherwise, “tens of thousands of practices” could no longer create e-prescriptions, e-medical certificates, or electronic doctor's letters from January onwards.

Not only the electronic patient record (ePA) would be affected, as e-prescription data flows into the medication lists of the ePA, but above all e-prescriptions and electronic doctor's letters. Doctors would then have to switch to analog procedures. “Such an exclusion of thousands of practices (and pharmacies) from the now established digital care processes would therefore have serious consequences not only for the practices but also for the patients who rely on functioning digital care. In the worst case, the whole thing would lead to the corresponding processes being widely switched back to paper—financed by health insurance funds,” writes the KBV.


According to the KBV, production and application problems are emerging with individual providers, especially with one provider. “Following an internal technical modification, the company medisign GmbH is currently (as of October 28, 2025) not yet providing a fully functional interface, which is required for the state medical associations to confirm that you are a doctor,” writes the German Medical Association (BÄK).

Only if the application data has not changed will the applications for special exchange be processed. “However, if important data has changed in the years since your current eHBA was applied for, e.g., name or change of the responsible medical association,” confirmation from the respective medical association is required. In these cases, pre-filled subsequent applications via member portals of the medical associations or already submitted applications cannot be used. “Against this background, you must decide whether you want to wait for the full functionality to be restored or, if necessary, switch to another provider,” advises the BÄK.

According to the German Medical Association, D-Trust customers are also affected. It advises a quick exchange: “Please react to this as soon as possible and start the special exchange process!” The BSI and the Federal Network Agency had already announced the expiry of RSA 2048 for qualified signatures. So far, Gematik is sticking to the roadmap and refers to the specifications of the security authorities.

The KBV is now calling for a binding assurance that "RSA-only" eHBAs may be used legally at least until mid-2026. Only in this way can a relapse into paper-based procedures be avoided. In France, for example, the use of RSA 2048 keys for electronic signatures is permitted until 2030, which the KBV had already pointed out in mid-2025. According to Gematik, other components, such as practice cards and device-specific security module cards of the card terminal (gSMC-KT cards), are also to be used beyond January 2026.

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.