The transition to a new encryption standard within Germany's healthcare system is underway, affecting healthcare professional ID cards (eHBA), institutional cards (SMC-B), and connector devices. The switch from the RSA 2048 encryption protocol to the more advanced ECC 256 (Elliptic Curve Cryptography) method has long been scheduled, and most pharmacies and medical practices have already begun or completed the necessary upgrades.

Despite significant progress, a substantial number of eHBAs--over 30,000 according to estimates from Gematik, the national agency responsible for the digital health infrastructure--still need to be replaced to meet the updated security requirements. The replacement process is essential for maintaining secure digital communications and ensuring compliance with Germany's healthcare IT framework.

Implementation and Support for Transition

Gematik has managed the transition with clearly defined deadlines, binding technical protocols, and escalation provisions to address non-compliance. Comprehensive guidelines and testing resources have been provided to healthcare providers, facilitating a structured approach to the upgrade process. Many organizations have proactively taken steps to update or replace affected components.

However, with a significant number of cards still using the outdated RSA encryption, an interim solution has been adopted to avoid potential disruptions to healthcare services, such as the electronic prescription system (E-Rezept), which relies on valid, up-to-date digital signatures.

Extended Validity and New Production Guidelines

Following extensive coordination with the Federal Network Agency and the eIDAS certification body SRC, Gematik and its shareholders--which include the Federal Ministry of Health and key associations representing health insurers, physicians, and pharmacists--have agreed to extend the transition period for healthcare professional cards using RSA encryption. These cards will remain valid until June 30, 2026. Without this extension, key digital processes in healthcare, such as the signing of electronic prescriptions, would have been impacted for users without ECC-enabled certificates.

From January 1, 2026, manufacturers will only be allowed to produce and distribute cards that support ECC encryption, excluding any RSA-based certificates. Gematik has clarified that during the transition period, existing cards with the older encryption standard must not be deactivated to ensure uninterrupted service across the healthcare sector.

Impact on Healthcare Providers

The extended timeframe is designed to provide healthcare providers with sufficient opportunity to complete the exchange of affected cards and devices. Pharmacies, clinics, and medical practices are encouraged to prioritize this process to maintain compliance and avoid last-minute complications. The extension also grants manufacturers and service providers additional time to handle logistical challenges and coordinate card replacements efficiently.

The ongoing upgrade is a crucial step in enhancing the security and interoperability of Germany's digital health infrastructure. By transitioning to ECC 256, the system will benefit from improved cryptographic protection, safeguarding sensitive medical data and supporting the continued evolution of digital healthcare services.

Continued Monitoring and Next Steps

Gematik and its partners will continue to monitor the implementation process, providing updates and support as needed. Stakeholders are urged to remain informed about upcoming deadlines and technical requirements, ensuring a smooth and secure migration to the new encryption standard.

This coordinated effort underscores the importance of robust digital security measures in healthcare, aiming to protect patient information while facilitating efficient and innovative care delivery across Germany.