Healthcare: Fintech entrepreneur on security, skepticism about EU ID & more
The startup Nelly acts as an additional software layer around the practice management system and aims to facilitate registration and billing, among other things.
(Image: antoniodiaz / Shutterstock.com)
Many doctor's and dentist's offices face similar problems. The technical foundation ranges from decades-old practice management systems to newer or various cloud services. At the same time, data protection requirements are increasing due to the connection to the healthcare network and complex billing procedures.
(Image: Nelly Solutions)
Providers like Nelly Solutions advertise that they digitize the “complete patient journey” – from anamnesis and documents to payment. In an interview, co-founder Lukas Eicher explains how the offering can be categorized and where the start-up consciously draws boundaries.
Nelly is described as a FinTech startup. However, your website also mentions the “digitization of the complete patient journey,” while at the same time emphasizing that Nelly is neither a practice management system nor directly connected to the TI. So, what exactly is Nelly?
Lukas Eicher: We don't see ourselves as a pure FinTech. Yes, we have financial products and operate in the classic German factoring market – that's a significant part. But the core is: We develop software for practices. Our largest technical department is called “Automation” – that's where the products are created that automate practice processes, such as digital patient registration, consents, pre-billing checks, documentation, and patient communication, including appointment reminders. The second largest department is “Integrations and Core Data” – this deals with interfaces to practice management systems (PVS) and data unification. The financial products are technically the smallest of the three units. So, we neither replace practice management systems nor the TI, but rather act as an additional layer around them and automate the processes before and after these systems.
For patients, this means they receive a link or QR code, for example, fill out anamnesis and consent documents on their smartphone, sign digitally, and later receive invoices digitally, which they can pay online or by card.
Nevertheless, you are not a practice management system?
No, we are not a PVS. We connect to existing systems and integrate them. Integration is elementary for us: We only create real added value when data doesn't have to be manually transferred from a portal to the PVS. The challenge is that many PVS still run on-premise and are technically very heterogeneous.
Are there systems that you say, “We won't touch them for security reasons”?
There are systems that are very “old” – for example, with dBASE databases and proprietary dialects, where hardly anyone today understands what's happening in detail. These are often historical constructs, heavily grown legacy systems. Even large market players still have old systems that, in our view, are very difficult to make future-proof – sometimes they've been trying to establish modern cloud variants for years and aren't making much progress.
For a young company, IT security is vital. A major incident could quickly destroy Nelly. How do you protect yourselves?
That is absolutely existential. We have our own IT security department and a compliance department that defines the policies. The technical implementation is then carried out by the product and platform team. We conduct internal and external penetration tests and have so far had no serious non-conformities, only minor findings.
In parallel, we rely on certifications and audits. We are in the process of a C5 certification, and before that, we had TÜV data protection audits – this is more of a signaling effect, but they look more closely at health and financial data. We have an internal control system, and both our CTO and I have many years of experience in regulated environments such as financial services, qualified electronic signatures, and ISO 27k-related setups.
Technically, we rely on industry standards: secure software development, defined test and QA processes, clean encryption “at rest” and “in transit,” and regular review of our security architecture.
How do new EU regulations and initiatives like the EU ID Wallet or eIDAS developments affect your company?
We are following this very closely, of course, especially everything related to digital identities. I've commented on eIDAS in previous roles and worked closely with identity solutions. Fundamentally, I wish for the ID Wallet to succeed, but I'm rather skeptical whether it will be implemented cleanly from a political and organizational standpoint.
Regarding EU data protection and IT security requirements, we haven't had to fundamentally adapt our processes so far because we had already implemented many things in such a way that we operate within the scope of the stricter requirements.
Many companies actively advertise data protection and security. Do you too?
To some extent, yes – for example, with seals like TÜV or soon C5. For us, adhering to international, national, and industry-specific regulations to maintain the highest data protection standards is essential.
Some parts of the market loudly demand data protection but don't truly practice it in crucial areas. On topics like credit bureaus, some practices that are commonplace here would not be permitted in other EU countries.
And in practice: some practices are not very interested in delving deeply into data protection or security concepts, while others are. For these cases, we have data protection impact assessments, detailed documentation, and processes, but the demand is not as widespread as one might think.
You are active in factoring, private, and sometimes statutory health insurance services. Do you have direct interfaces to the Telematics Infrastructure (TI)?
No, we do not have direct TI interfaces. Everything runs through the PVS. We prepare data for practices in a structured way, which then flows through the PVS into TI processes and, for example, into the electronic patient record. In individual cases, we also pre-finance statutory health insurance services, but ultimately, we always rely on the output from the practices from the PVS.
I am not unhappy that we do not operate direct TI interfaces ourselves. Likewise, we try to avoid approvals as medical devices as much as possible – the regulatory complexity increases enormously as soon as you go deep into core medical processes. Our focus is consciously on administrative processes, communication, and billing.
Your main customer group is dentists. Why them specifically?
There are several reasons for this. Firstly, we originally entered the market with a clear focus on dental practices – focus is extremely important in product development. Secondly, the dental sector is large: around 40,000 dental practices in Germany, and in terms of the number of practices, only general practitioners are essentially ahead of them. Thirdly, the proportion of self-paying patients in the dental sector is high. Although there is a north-south and west-east divide in privately insured patients, legally insured patients in particular often pay for additional services themselves.
Our sales model relies on a lot of personal interaction. We have local offices in Munich, Cologne, Hamburg, and Heidelberg, each with about five to ten people for sales, onboarding, and local support. This is only worthwhile if a certain revenue per practice is possible. In specialized fields where the software budget is capped at 49 euros per month, this effort simply doesn't pay off.
We experimented in some other specialized fields last year, but since this year, we have strategically refocused on depth in the dental sector. If you offer not only financial products but also software for process automation, you have to delve very deeply into the specific processes and documentation of the field, including customized interfaces and logic. This is a significant investment per specialization, and therefore we have to consider it carefully.
Nelly is heavily venture capital-financed. Especially in the healthcare sector, this causes reservations for some keywords: aggressive growth, dumping prices, market displacement. How do you deal with that?
I understand these reservations. In the factoring and debt collection sector, there are players who have built their reputation through sometimes very harsh collection practices. That is not our approach. Our business model is not based on driving small companies out of the market with dumping prices. To my knowledge, there is also no company that does what we do.
We use the capital to build software, integrations, and strong regional support. This leads to rapid growth – today we are between 90 and 100 people at the main Berlin location, plus the local offices. But our goal is to establish sustainable, better-organized processes in practices, not to collect market share at any cost in the short term.
(mack)