ehex moves forward: Voluntary BSI certification for the easyTI hub’s KIM module
Berlin, April 22, 2026: eHealth Experts GmbH (ehex) is the first company to receive certification in accordance with BSI TR-03161. The KIM module of the easyTI hub underwent a rigorous audit in collaboration with SRC Security Research & Consulting GmbH. The certification was voluntary, and with it ehex is setting a new benchmark for the security and reliability of TI applications. The symbolic handover of the certificate took place today at the BSI stand at the DMEA.
Security gaps in primary systems: An industry under observation
The IT security of software in the healthcare sector is under scrutiny. In March 2026, the BSI found in its own investigation that vulnerabilities in a majority of the primary systems tested could enable successful attacks from the internet. Binding security checks for software components that are connected to the TI do not yet exist.
TR-03161: The framework that provides orientation
BSI TR-03161 defines precisely such requirements: It specifies the level of security and data protection that TI applications must meet – with the aim of reliably protecting sensitive health data. ehex has now become the first company to voluntarily provide the necessary evidence – for the KIM module of the easyTI hub. For manufacturers of primary systems that integrate the easyTI hub, the certification has a concrete practical benefit: A significant part of the security-related risk is already covered by the BSI certificate. This simplifies subsequent security checks.
“With the voluntary certification, we are demonstrating that a higher level of security for the TI connection is not only possible, but can already be implemented today,” explains Frédéric Naujokat, Managing Director of ehex. “We hope that we can set an example with this. Because the TI needs a level of quality that deserves maximum trust.”
“Health data has the highest protection requirements. Yet primary systems, of all things, are hardly subject to any binding security requirements. The voluntary certification by ehex is a strong signal that security is not just a question of regulation, but also a question of attitude. We are delighted that ehex has gone the extra mile with us to improve security in the healthcare sector,” says Dr. Jens Putzka, who supported the project on behalf of SRC.
SRC as a test laboratory: a precedent for the TI
SRC is a BSI-approved testing laboratory for TR-03161 and accompanies manufacturers through the entire testing and certification process. To date, apps for insured persons – for the use of ePrescription and ePA – and DiGAs have primarily been tested as part of this technical guideline. The project with ehex shows that the testing framework can be successfully transferred to other types of application in the healthcare sector.
This has practical consequences: The question often asked in customer meetings as to whether a solution is “really secure” can now be answered with reference to a well-founded, BSI-recognized test – an argument with real weight.
SRC hopes that this example will set a precedent. Certified security can also be an effective component of a convincing security architecture outside of regulated areas – and a real competitive differentiator.