Overview
- Investigations by NDR and Süddeutsche Zeitung reported that KIM’s security assurances were not fully met over years of use.
- Research presented at the Chaos Communication Congress showed KIM signatures confirm system delivery rather than true sender identity, allowing address spoofing.
- The researcher also reported that messages could be decrypted in some setups and that a few misconfigured modules were reachable from the internet.
- Gematik issued hotfixes to close the most serious gaps and said additional checks will target deceptive account names.
- Germany’s BSI assessed immediate patient danger as unlikely, yet updates must be installed by countless practices, and some clinicians have reverted to less secure faxes and couriers.