eHealth: Extended identification procedure for access to HealthID approved

Gematik has approved the extended identification procedure for the HealthID for access to the electronic patient record and other services using an e-ID card.

Woman's hand on smartphone

(Image: fizkes / Shutterstock.com, edited by heise online)


Gematik has recently approved the identification procedure "Nect Ident with ePass" for the creation of the HealthID. The HealthID can be created using the identity card with PIN or the electronic health card (eGK) and its PIN. For the PINs, insured persons must go to the citizens' office or a health insurance branch, for example.

Now that the classic video identification procedure has been prohibited for the healthcare sector, the procedure approved this year gives insured persons a biometric alternative to the eID for accessing the e-prescription or the electronic patient record. Access to other services of the health insurance companies will also be possible.

As early as August 2025, Gematik had approved the same procedure for ordering the PIN for the health card. Users therefore no longer have to wait for the PIN to arrive by post. In the future, digital delivery of the PIN should also be possible. We spoke with Bennet Jürgens from Nect Ident in an interview.

Benny Bennet Jürgens is CEO and founder of Nect GmbH.

(Image: Nect Ident)

heise online: Gematik has now successively approved Nect Ident's ePass procedures for use in central health services. Can you explain how your automated identification works?

Benny Bennet Jürgens: Our procedures use AI-based technologies for secure identity verification via video, checking biometric data and security features of identification documents. The procedures must comply with the strict eIDAS requirements for security, data protection, and tamper resistance.

Should this conformity no longer be guaranteed, for example due to insufficient security measures or lack of real-time verification, the approval for the automated identification procedure must be revoked to guarantee legal certainty and consumer protection.

When did the topic first come up?

About three years ago – at that time in close exchange with the BSI and the biometrics department. In this context, we also presented our new procedure. So it is by no means new.

The problem is that the coordination for technical guidelines in Germany takes a very long time. By the time the test catalogs are available, the technology has usually already evolved. While, for example, a video identification is still being tested, work is already underway on NFC-based procedures or wallets. At the European level – for example at ETSI – this happens faster and, above all, more technology-open.

How would you describe your procedure yourself?

We call it "automated video identification with NFC supplement". The term "video identification" alone is too short, as it is often confused with classic real-time video identification involving a human agent. Our procedure, on the other hand, combines automated video analysis with NFC reading of the identification document. This allows us to achieve a very high level of security that prevents replay attacks and manipulation.

Gematik approved the procedure without the BSI or BfDI's review?

To my knowledge, Gematik has the right to conduct a review according to Gematik-LoA-high (Level of Assurance). However, the criteria were reportedly developed in consultation with the BSI. For the approval, TR-03147 was used as the basis – even if the BSI itself has declared the procedure not yet fully verifiable.

The BSI has known our procedure since the beginning and is involved in the dialogue, but a formal review according to the relevant technical guidelines has not yet taken place. This is mainly because the necessary test catalogs and formal prerequisites for this have not yet been finalized.

Will you also have your identification procedures reviewed by the BSI in the future?

Yes, we are generally interested in a BSI review and will undergo the process as soon as the relevant test catalogs are fully available and the testing bodies are accredited. Our goal is for the procedure to fully meet both eIDAS requirements and national BSI specifications in the long term. At the moment, it is simply the case that the technical framework conditions for this review have not yet been finalized.

Are there any other providers in the approval process for your procedure that health insurance companies can use?

No, currently we are the only ones with approval for this procedure. It is important to distinguish here: As early as August 2025, our procedure was approved for ordering the PIN for the health card. The new, current approval goes a step further and allows its use for the direct creation of the HealthID, which enables access to applications such as the ePA or the e-prescription.

How do you achieve a high level of security?

Through a combination of different levels. For example, we force attackers to perform live manipulations through random factors during video recording, we have a highly hardened app structure, and integrated tamper detection. This requires an attacker to have significantly more expertise and resources to even attempt an attack.

The identification procedure only works via the app and not in the browser. This is the only way we can ensure maximum control and security. Fake webcams or manipulated data streams are easier to inject into browsers. A native app, on the other hand, allows hardening measures that practically prevent replay attacks.

How often do such attacks occur?

Every day. There are a large number of attempts to circumvent systems. However, these are often not highly professional attacks, but thoughtless attempts. The systems are continuously adapted.

Is there also a human component?

Yes, according to German regulations, 4 percent of all cases must currently be manually reviewed – both successful and rejected identifications. For less common documents, this manual review also occurs more frequently.

Many health insurance companies are now relying on activation letters again. What do you think of that?

That is questionable in terms of security. A letter is easier to intercept than a biometrically verified digital identification. The step back to postal delivery therefore does not solve the actual problem.

You also develop wallet solutions. How does that fit into the EUDI strategy?

We have been offering a wallet for six years – developed independently, i.e. proprietary. As soon as the EUDI standard is production-ready, we will get certified. Until then, we are taking a hybrid approach: Users with an eID will receive an EUDI wallet, everyone else a wallet identity based on our existing structure.

The EUDI wallet is supposed to come in 2026. How realistic is that?

That will be ambitious. In addition to the technical guidelines, accredited testers are still missing. But we will be ready in time.

And how do you view the current data protection and surveillance concerns?

They are justified. But if Germany holds back, other countries or large US providers will take over this role – and then data sovereignty will be completely lost. It is crucial that we set high security and data protection standards here in Germany and maintain control.

It is crucial that regulators, providers, and testers cooperate more closely – instead of hindering each other. Only then can digital identity remain truly secure and user-friendly.
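The interview names three defences against replayed recordings: random factors the user must react to during the recording, a single-use session, and an upload that only the hardened app can produce. The following is an added illustrative example and not Nect's code or its actual protocol; it models those three properties as a minimal challenge-response check in Python. The gesture vocabulary, the 60-second answer window, the shared session key standing in for app attestation, and the fact that the gesture classification result is handed to the verifier directly (instead of being extracted from video by an ML model) are all assumptions made for the example.

```python
"""Constructed challenge-response liveness model (not a real product's code).

The server issues a random gesture sequence bound to a fresh nonce. The app
records the user performing it and binds the recording to the nonce with a
session key (assumption: stands in for app attestation / device binding).
The server accepts each nonce exactly once, inside a time window, only if the
observed gestures match and the recording is bound to that same nonce.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Set, Tuple

# Hypothetical vocabulary of prompts the app can ask the user to perform.
GESTURES = ("turn_left", "turn_right", "look_up", "blink", "smile")
CHALLENGE_TTL_S = 60  # assumed answer window; one attempt per challenge


@dataclass(frozen=True)
class Challenge:
    nonce: bytes
    gestures: Tuple[str, ...]
    issued_at: float


class LivenessVerifier:
    """Server side: issues challenges and consumes each one exactly once."""

    def __init__(self, session_key: bytes) -> None:
        self._key = session_key                 # assumed shared with the app
        self._open: Dict[bytes, Challenge] = {}
        self._used: Set[bytes] = set()

    def issue(self, count: int = 3, now: Optional[float] = None) -> Challenge:
        nonce = secrets.token_bytes(16)        # random factor: unpredictable
        gestures = tuple(secrets.choice(GESTURES) for _ in range(count))
        ch = Challenge(nonce, gestures, time.time() if now is None else now)
        self._open[nonce] = ch
        return ch

    def verify(self, nonce: bytes, observed: Sequence[str], video: bytes,
               tag: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        if nonce in self._used:
            return False, "replay: challenge already consumed"
        ch = self._open.pop(nonce, None)
        if ch is None:
            return False, "unknown challenge"
        self._used.add(nonce)                  # consumed even if it fails below
        if now - ch.issued_at > CHALLENGE_TTL_S:
            return False, "challenge expired"
        if tuple(observed) != ch.gestures:
            return False, "gestures do not match the challenge"
        # The tag must cover this nonce AND this exact recording; an old
        # recording (or a tag made for another session) fails here.
        expected = hmac.new(self._key, nonce + hashlib.sha256(video).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "recording not bound to this challenge"
        return True, "ok"


def app_respond(session_key: bytes, challenge: Challenge,
                video: bytes) -> Tuple[bytes, bytes]:
    """Client side: bind the freshly recorded video to the challenge nonce."""
    digest = hashlib.sha256(video).digest()
    tag = hmac.new(session_key, challenge.nonce + digest, hashlib.sha256).digest()
    return challenge.nonce, tag


def run_demo() -> Dict[str, bool]:
    """Runs one honest session plus the failure cases; returns the outcomes."""
    key = secrets.token_bytes(32)
    server = LivenessVerifier(key)
    video = b"constructed-frames-of-the-live-recording"   # constructed sample

    ch = server.issue(now=1000.0)
    nonce, tag = app_respond(key, ch, video)
    fresh, _ = server.verify(nonce, ch.gestures, video, tag, now=1010.0)
    replay, _ = server.verify(nonce, ch.gestures, video, tag, now=1020.0)

    ch2 = server.issue(now=1000.0)
    nonce2, tag2 = app_respond(key, ch2, video)
    old_video = b"constructed-recording-from-an-earlier-session"
    swapped, _ = server.verify(nonce2, ch2.gestures, old_video, tag2, now=1005.0)

    ch3 = server.issue(now=1000.0)
    nonce3, tag3 = app_respond(key, ch3, video)
    wrong, _ = server.verify(nonce3, ("blink",) * 4, video, tag3, now=1005.0)

    ch4 = server.issue(now=1000.0)
    nonce4, tag4 = app_respond(key, ch4, video)
    late, _ = server.verify(nonce4, ch4.gestures, video, tag4,
                            now=1000.0 + CHALLENGE_TTL_S + 1)

    return {"fresh": fresh, "replay": replay, "swapped_video": swapped,
            "wrong_gestures": wrong, "expired": late}


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is that every check is tied to a value the verifier chose after the attacker's recording could have been made: the nonce is consumed on first use, the requested gestures are unknown in advance, and the binding tag ties the upload to both the nonce and the exact bytes that were recorded. A browser-based flow that accepts an arbitrary camera stream has no equivalent of the session-key binding, which is the gap the interview's preference for a native app is about.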

(mack)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.