The role of the Health ID in the healthcare system
At present, the electronic health card (eGK) serves as the primary means of identity verification for insured individuals. When a patient visits a GP or specialist for the first time – or at the start of a new quarter – they insert their eGK into a card reader at reception. The system then verifies their identity, checks their insurance status, and allows the practice software to access their patient records.
Going forward, digital identities will be introduced alongside the eGK to authenticate users within the telematics infrastructure (TI) of the healthcare system. In fact, insured individuals can already request a Health ID from their health insurer. This digital identity contains key information such as the patient’s health insurance number (KVNR) and their insurance provider.
Health ID: Practical applications
The Health ID enables access to various TI applications without the need for a physical card. For instance, patients can use it to log into their electronic health records or access e-prescriptions via a smartphone app.
- To set up the Health ID, users must first authenticate themselves using their electronic health card or national ID card.
- Once registered, they can use their smartphone to log in.
- For security reasons, re-authentication is required at regular intervals.
- In the future, simpler authentication methods such as fingerprint or facial recognition are expected to be introduced.
- In the long term, the Health ID will also enable access to digital health applications (DiGAs) and third-party services, as well as patient portals used by hospitals.
Timeline for the Health ID
From 2026, the Health ID will be accepted as an alternative to the eGK for verifying insurance status at medical practices. Whether it will eventually replace the eGK entirely will depend on various factors, including technological advancements, security considerations, and regulatory developments.
The introduction of the Health ID is part of a broader effort by the legislator to simplify access to online healthcare services and transition towards a card-free and hardware-independent TI 2.0.
Ensuring the security of digital identities
The security level required for the Health ID is equivalent to that of the national ID card’s online authentication function. For health apps, two-factor authentication is intended.
To ensure the security of digital identities, gematik, the company responsible for telematics applications in healthcare, has established specific technical requirements. Manufacturers must demonstrate that their devices and applications meet these standards. This includes obtaining a security assessment from Germany’s Federal Office for Information Security (BSI) and undergoing extensive testing to receive functional approval from gematik.
Development using the Virtual Card Kit by achelos
Applications and devices within the TI must meet strict security and functionality standards. To develop solutions such as card readers, many manufacturers rely on a specialised tool: the Virtual Card Kit, developed by achelos GmbH.
This system – a combination of software and hardware components – simulates various card types, including electronic health cards, professional ID cards for healthcare providers, and device-specific cards. In essence, it replicates all smart cards certified by gematik for use in the telematics infrastructure.
By using this simulation, developers can test how their systems respond to critical errors, such as invalid data or expired certificates. The Virtual Card Kit behaves like an actual health card, allowing developers to analyse the entire authentication process and the communication between the card and the reader.
A key advantage of the simulation is that developers can intentionally introduce errors at the press of a button. They can observe whether their device stops communicating, ignores the error, or continues the process incorrectly. Such comprehensive testing is not possible with real cards, as they cannot generate the full range of potential errors.
Integrating the PersoSim ID simulator for further testing
The BSI’s published specifications require the Health ID to be periodically re-verified using either the online authentication function of the national ID card or the eGK with a PIN. As a result, it is essential to test the authentication process with national ID cards, which play a key role in accessing online healthcare applications.
To facilitate this, the PersoSim ID simulator – an open-source application developed by the BSI – can now be integrated into achelos’ system. This allows testing not only with health cards but also with national ID cards, benefiting manufacturers, app developers, and health insurers alike.
During the simulation, all commands can be monitored and logged in real time. Developers can also manipulate data at the APDU (Application Protocol Data Unit) level, allowing them to interfere with protocol-level communication to simulate errors. This includes altering names, introducing syntax errors, or testing how the system responds when a card reader encounters incorrect data. The goal is to determine whether the reader terminates the process, repeats the request, or proceeds with the faulty data.
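The fault-injection workflow described in this section and in the Virtual Card Kit paragraphs above (corrupting a response, returning an expired certificate, dropping the status word, and then watching whether the reader terminates, retries or proceeds) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not achelos, gematik or BSI code and does not model the real eGK or ID-card file system. The file identifier 2F01, the PIN, the 16-byte-name-plus-ISO-date "certificate" layout and the sample cardholder names are constructed for the example; only the ISO 7816-4 instruction bytes and status words are standard values. The reader deliberately checks only the status word, the certificate syntax and the expiry date, so the "rename" case shows a reader proceeding with altered data, the kind of gap (no signature check) that this sort of testing is meant to surface.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, Optional, Tuple

# ISO 7816-4 status words (standard values).
SW_OK, SW_FILE_NOT_FOUND = b"\x90\x00", b"\x6a\x82"
SW_SECURITY_NOT_SATISFIED, SW_INS_NOT_SUPPORTED = b"\x69\x82", b"\x6d\x00"

# Constructed card content. Assumption: a 16-byte holder name plus an ISO-8601
# not-after date stands in for the X.509 certificate a real card carries.
FID_CERT = b"\x2f\x01"  # hypothetical file identifier
PIN = b"123456"         # constructed PIN

def encode_cert(holder: bytes, not_after: date) -> bytes:
    return holder.ljust(16, b"\x00") + not_after.isoformat().encode()

# Reader-side command APDUs (CLA INS P1 P2 Lc [data] / Le).
SELECT_CERT = b"\x00\xa4\x00\x00\x02" + FID_CERT
VERIFY_PIN = b"\x00\x20\x00\x81\x06" + PIN
READ_BINARY = b"\x00\xb0\x00\x00\x00"

Fault = Callable[[bytes, bytes], bytes]  # (command APDU, response) -> response

@dataclass
class VirtualCard:
    files: Dict[bytes, bytes]
    fault: Optional[Fault] = None
    selected: Optional[bytes] = None
    verified: bool = False
    log: list = field(default_factory=list)  # every exchange, hex-encoded

    def transmit(self, apdu: bytes) -> bytes:
        resp = self._process(apdu)
        if self.fault:                       # corrupt the response on the wire
            resp = self.fault(apdu, resp)
        self.log.append((apdu.hex(), resp.hex()))
        return resp

    def _process(self, apdu: bytes) -> bytes:
        ins, body = apdu[1], apdu[5:5 + apdu[4]]
        if ins == 0xA4:                      # SELECT by file identifier
            if body not in self.files:
                return SW_FILE_NOT_FOUND
            self.selected = body
            return SW_OK
        if ins == 0x20:                      # VERIFY PIN
            self.verified = body == PIN
            return SW_OK if self.verified else b"\x63\xc2"  # wrong PIN, 2 tries left
        if ins == 0xB0:                      # READ BINARY from the selected file
            if self.selected is None:
                return SW_FILE_NOT_FOUND
            if not self.verified:
                return SW_SECURITY_NOT_SATISFIED
            return self.files[self.selected] + SW_OK
        return SW_INS_NOT_SUPPORTED

def reader_authenticate(card: VirtualCard, today: date, max_retries: int = 2) -> str:
    """Reader flow: SELECT, VERIFY, READ BINARY, validate. Returns 'proceed: <holder>' or 'terminated: <reason>'."""
    def exchange(apdu: bytes):
        for _ in range(max_retries + 1):
            resp = card.transmit(apdu)
            if len(resp) >= 2:               # SW1 SW2 present: a usable response
                return resp[:-2], resp[-2:]
        return None, None                    # retries exhausted
    for apdu in (SELECT_CERT, VERIFY_PIN, READ_BINARY):
        data, sw = exchange(apdu)
        if sw is None:
            return "terminated: no status word after retries"
        if sw != SW_OK:
            return "terminated: SW " + sw.hex()
    holder, not_after = data[:16].rstrip(b"\x00"), data[16:]
    try:
        expiry = date.fromisoformat(not_after.decode())
    except (ValueError, UnicodeDecodeError):
        return "terminated: malformed certificate"
    if not holder:
        return "terminated: malformed certificate"
    if expiry < today:
        return "terminated: certificate expired"
    return "proceed: " + holder.decode()     # toy reader verifies no signature

def on_read_binary(payload: bytes) -> Fault:
    """Fault factory: replace the READ BINARY response, pass everything else through."""
    return lambda apdu, resp: payload if apdu[1] == 0xB0 else resp

FAULTS: Dict[str, Optional[Fault]] = {
    "none": None,
    "drop": on_read_binary(b""),                       # no status word at all
    "expired": on_read_binary(encode_cert(b"Mustermann", date(2020, 1, 1)) + SW_OK),
    "syntax": on_read_binary(b"Mustermann".ljust(16, b"\x00") + b"20xx-13-99" + SW_OK),
    "rename": on_read_binary(encode_cert(b"Mallory", date(2030, 1, 1)) + SW_OK),
}

def run_case(name: str) -> Tuple[str, int]:
    # Fresh card per case; second value is the number of APDUs exchanged (shows retries).
    card = VirtualCard({FID_CERT: encode_cert(b"Mustermann", date(2030, 1, 1))}, FAULTS[name])
    return reader_authenticate(card, date(2025, 6, 1)), len(card.log)

if __name__ == "__main__":
    print({name: run_case(name) for name in FAULTS})
```

Running the script prints one outcome per injected fault: the reader retries a dropped response and then terminates (five APDUs instead of three), refuses the expired and syntactically broken certificates, but happily proceeds with the renamed holder because it never checks a signature. The card's `log` is the APDU trace a test engineer would inspect for each case; `card.transmit` with a wrong PIN returns the standard `63 C2` retry counter, and READ BINARY before SELECT returns `6A 82`.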
A powerful tool for development and quality assurance
By simulating both the national ID card and the electronic health card, the Virtual Card Kit is a valuable tool for ensuring the quality of card readers and other devices. It accelerates development by enabling comprehensive error testing, significantly increasing the chances of obtaining approval from gematik.
Authors:
- Gorden Bittner, eHealth Director, achelos GmbH
- Holger Volke, Technical Director, achelos GmbH