"Exchange campaign is a sign of non-functioning technology"

National Association of Statutory Health Insurance Physicians criticizes renewed mass exchange of electronic health professional ID cards and resulting chaos.


The National Association of Statutory Health Insurance Physicians (KBV) sharply criticizes the chaos surrounding the exchange of electronic health professional ID cards (eHBA). Doctors need the eHBA, which is valid for five years, to electronically sign e-prescriptions and sick notes, among other things. For KBV board member Dr. Sibylle Steiner, the exchange campaign is “a sign that the technology of the TI is still not running smoothly in the background.” The conversion of the encryption method was already “a huge undertaking” and had cost practices “a lot of time and money.” Now, “new vulnerabilities are constantly emerging,” so that practices have to take action again – “not to mention the constant TI outages.”

Specifically, it concerns eHBAs of generation 2.1, which must be exchanged, even if they are sometimes only a few months old. The KBV appeals to those affected to “comply with the request of their provider and immediately apply for an exchange card or subsequent card.”

The background includes the conversion of the telematics infrastructure to Elliptic Curve Cryptography (ECC). Other components, such as TI connectors, are already “ECC-ready.” Cards that do not support the ECC procedure will “no longer be usable” from July 1st. Since manufacturers are still expected to face an increased order volume, those affected by the exchange should not wait any longer to order.

Due to production and delivery problems of the card manufacturers last year, the KBV had been able to enforce a deadline extension. Originally, all non-ECC-capable cards were to be replaced by the end of 2025. However, the manufacturers could not keep up with production.

In addition, ECC-capable cards from certain providers must also be exchanged. This affects eHBAs of generation 2.1 from D‑Trust and SHC+Care, which are based on cards from the manufacturer Idemia with Infineon chips. A vulnerability had become known for these chips. Affected ID cards can be recognized on the back by the inscription “Idemia.” D‑Trust states that these customers will be informed directly by e-mail and “do not need to take any action themselves.” Furthermore, there will be “no costs” if the eHBA is exchanged in this context and no changes are made to the certificate data. SHC+Care also informs its customers.

In mid-2025, manufacturers still issued cards that were about to expire to avoid jeopardizing supply: “Firstly, there was no risk whatsoever for users (which has been judicially confirmed twice), and secondly, an immediate, complete, and months-long issuance stop would have massively endangered the supply of health professionals with eHBAs and thus medical practice operations – especially since several of the only four certified providers were affected,” says SHC+Care. However, D-Trust and SHC do not want to say how many cards need to be exchanged nationwide. The Hessian Medical Association speaks of around 50,000 cards, referring to information from the German Medical Association.

Just a few days ago, it became known that cards from the provider Medisign must also be exchanged again. On the instruction of Gematik, issuance was stopped on February 18, 2026. Affected are all eHBAs of generation 2.1 issued since January 1, 2026, which are declared as “ECC-only.” According to Gematik, Medisign had not adhered to the specifications.

With these cards, an RSA certificate was additionally generated in the personalization process, although the RSA key “was not deactivated as required on 01.01.2026.” According to Medisign, there is “no security problem,” but rather it could lead to “problems regarding interoperability with connectors.” All affected cardholders will be informed about the exchange by e-mail; a new application and identification will not be necessary.

Doctors are unsettled by delivery problems, misconfigurations, and security vulnerabilities. Furthermore, they face additional organizational effort – under considerable time pressure. Without a functional eHBA, central TI applications such as e-prescriptions or electronic sick notes can no longer be issued digitally from July onwards.

(mack)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.