The gematik security and product assessment by TÜV NORD CERT builds trust in digital healthcare by testing the compliance of telematics infrastructure (TI & TI 2.0) applications with the highest security standards. Approved assessors carry out independent tests and audits to ensure the protection of patient data.
The digitalisation of the healthcare system is one of the most important developments of recent years. With the applications of the telematics infrastructure (TI & TI 2.0) - from electronic patient files (ePA) and e-prescriptions to communication in the medical sector (KIM) and TI messenger to TI gateway, point of presence provider (PoPP) and digital identities - gematik is laying the foundation for secure digital communication between doctors' practices, hospitals, care facilities and health insurance companies.
The most important goal here is to protect patient data in accordance with the highest security standards.
To this end, every provider is obliged to provide proof of conformity with the current security requirements (profile requirements) of the gematik specifications in a security and/or product report by an independent expert.
TÜV NORD experts authorised by gematik are entitled to carry out the necessary inspections, tests and audits.
The gematik security assessment evaluates the security and data protection measures of providers and specialised services within the telematics infrastructure in the German healthcare system. It includes the technical and organisational evaluation of applications and systems (e.g. communication services, the electronic patient file or an e-prescription service) based on the requirements (Afos) of gematik.
All relevant security aspects such as data protection, IT security, protection of personal data and the confidentiality of medical information are taken into account as part of the gematik security assessment.
In the product review, the TÜV NORD reviewer checks and evaluates the implementation of the technical requirements for products in accordance with the gematik specifications on security (e.g. cryptography, key management, logging) as well as the functional requirements for interoperability and compatibility with the telematics infrastructure.
The gematik security and product report is aimed at all providers and product manufacturers who wish to operate within the telematics infrastructure of the German healthcare system, including
gematik GmbH - the national agency for digital medicine, founded by the Federal Ministry of Health - defines the technical and organisational requirements and issues the approvals. These standardised security requirements are defined in provider type, product type and application profiles. Conformity with these requirements is a prerequisite for an expert opinion that is suitable for the successful approval of a provider or product.

TÜV NORD CERT is an internationally recognised and reliable partner for testing and certification services. Our experts have in-depth knowledge and many years of experience in telematics infrastructure services. Your benefit: An independent expert opinion supports the development of your company with products and services in the telematics infrastructure.
As soon as the core functions are in place, the relevant gematik specifications have been implemented and no more fundamental architectural changes are planned - but there is still time for adjustments.
Depending on the complexity, several weeks to several months; good preparation of documentation and tests significantly shortens the process.
Above all, system and security documentation, data protection concept, evidence of cryptography/key management/logging as well as test concepts and test results for the Afos.
The deviations are documented, discussed with you, rectified by you and then checked again before the report is finalised.
Yes, it is often possible to combine both reports in one project so that synergies can be utilised and duplication of effort reduced.
Significant changes may necessitate a reassessment; major adjustments should be coordinated with TÜV NORD CERT and, if necessary, gematik at an early stage.
The gematik expert opinion is specifically geared towards TI requirements and Afos, while classic certifications are more focussed on general standards and management systems.
Yes, for example through preliminary discussions, workshops or document reviews to clarify requirements and the scope of the audit.
Giesecke+Devrient Mobile Security GmbH
Telekom Healthcare Solutions
German Federal Ministry of Health