In Germany, each member of a public health insurance plan was issued a health insurance card (Krankenversichertenkarte or KVK) by the end of 1994. In 1996, the private health insurance plans also began to issue their own smart cards, which are compatible with the public KVKs. These cards, of which more than 72 million have been issued, have thus achieved a level of penetration in the whole of the German population that exceeds that of phone cards. Originally, it was only planned to introduce a magnetic-stripe card, but in consideration of possible future developments it was decided to use smart cards instead. The least costly solution was to use memory cards, since at that time microcontroller cards were much more expensive. However, the system is designed such that memory cards can be replaced by ‘real’ smart cards in further development stages over the course of several years. The result is a nationwide system that can form the basis for a future smart card health-care system, should this be necessary.

The health insurance member card has two basic functions for the insured person. Its first function is to identify the person to the doctor who treats that person. It thus replaces the paper health insurance card. Its second function is to act as a machine-readable data storage medium for the computer in the doctor’s clinic. Usually, the terminal is connected to a PC in the clinic, which also controls the terminal. The card can be read using the terminal, and the billing data obtained in this manner can be further processed automatically. If the doctor manages his or her practice using traditional methods (that is, without a computer), the terminal can directly transfer the data from the card to a printer and thereby to a printed form.

Three different entities can access the health insurance card. The first is the doctor’s clinic, where data can only be read from the card. There is no intention of allowing data to be written to the card at the clinic, and the terminal software prevents such access. The second entity is the health insurance organization, which again can only read the data in the card. Here the insured person can read and check the personal information stored in the card. The health insurance organization also has special terminals that allow data to be written to the card. This can for example be necessary if the insured person moves to a new address. However, many insurers simply issue a new card to the insured person instead of modifying the data in the existing card, and request the cardholder to destroy the old one. This is logistically significantly simpler and thus less costly.

In the initial phase of the KVK project, consideration was given to storing a wide variety of patient information in the card. Some people wanted to include all possible information in the card, ranging from the blood type to allergies, so it would be a sort of emergency card. However, after all the objections related to the protection of personal data had been resolved, only the personal information listed in Table 14.1 was left to be stored in the chip in the card. The information contained in the card is essentially also present on the outside of the card, so the insured person knows his own information – although only to the extent that it is fixed and person-specific. The address is held only in the memory of the card, so that in principle it is not necessary to generate a new card if the insured person changes addresses. The requirement that the information in the card be generally known was also one of the prerequisites for the approval of the overall system. No information that is secret or not known to the insured person is allowed to be present in the card. It must also not be possible to write additional data to the card at a later date without authorization. To exclude the possibility of writing data to the card, neither doctors nor insurance organizations receive terminals that have this capability. Only a few administrative terminals located in the insurance organizations can write data to the cards. However, no special authentication key is needed for this, so data could easily be written using any suitably equipped terminal. From a purely external perspective, a health insurance card behaves as though it contains only a single transparent file. Data can be freely read from this file using offset and length parameters. Certain administrative terminals can also write data to the memory, but for reasons of personal data privacy this only occurs as an exception.
When the arrangement of the data elements was specified, it was very important for it to be possible to make future extensions or modifications without creating any compatibility problems. Consequently, all personal data in the health insurance card are structured using the ASN.1 data description language. They are stored in the card’s memory in a TLV structure. This makes it possible to add other data objects in the future or change the codes used for existing data objects. The tags to be used are prescribed by a specification, so the data elements of all health insurance cards are structured in the same manner.

The health insurance card is not a microprocessor card. It is a memory card, with hardware similar to what has been used for years in phone cards. The EEPROM that is used must have a capacity of at least 256 bytes. This is equal to the amount of all necessary data located in the health insurance card. If the EEPROM is exactly this large, the necessary data just fit and it is physically impossible to write any additional data to the card in violation of data privacy legislation.
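To make the storage layout concrete, the following is an added example (not code from the Smart Card Handbook or from the KVK specification) that models the TLV list inside the card's single transparent file and reads it with an offset/length pair, as READ BINARY does. Table 14.1 is not reproduced here, so the tags, the EEPROM padding convention and the sample person are all constructed placeholders and not the values of the real specification. It also shows the two properties the text relies on: a parser that keeps unknown tags so later extensions do not break older terminals, and an EEPROM that, once exactly full, has no room for an additional data object.

```python
# Added example (not from the source text): a KVK-style data image, a TLV
# list inside a single transparent file of a 256-byte memory card, read with
# an offset/length pair the way READ BINARY reads it. The tags below are
# constructed placeholders; Table 14.1 is not reproduced here, so they are
# NOT the tags of the real specification.

EEPROM_SIZE = 256          # minimum capacity named in the text
UNUSED = 0x00              # byte value this example treats as unused memory

# Placeholder tags (constructed for this example)
TAG_INSURER_NAME = 0x80
TAG_INSURER_ID = 0x81
TAG_MEMBER_ID = 0x82
TAG_SURNAME = 0x83
TAG_GIVEN_NAME = 0x84
TAG_BIRTHDATE = 0x85
TAG_ADDRESS = 0x86
TAG_VALID_UNTIL = 0x87


def encode_tlv(tag: int, value: bytes) -> bytes:
    """One-byte tag, short-form (one-byte) length, then the value."""
    if not 0 < tag < 256 or tag == UNUSED:
        raise ValueError("tag must be a non-zero single byte")
    if len(value) > 127:
        raise ValueError("short-form length supports values up to 127 bytes")
    return bytes([tag, len(value)]) + value


def parse_image(image: bytes):
    """Walk the TLV list from offset 0; return (objects, bytes_used).

    Tags are kept by number, so an object added to the specification after
    this parser was written is still carried through instead of rejected.
    """
    objects = {}
    i = 0
    while i < len(image) and image[i] != UNUSED:
        if i + 1 >= len(image):
            raise ValueError("truncated TLV header")
        tag, length = image[i], image[i + 1]
        value = image[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        objects[tag] = value
        i += 2 + length
    return objects, i


def build_image(records: dict) -> bytes:
    """Lay the objects out back to back and pad the rest of the EEPROM."""
    body = b"".join(encode_tlv(t, v) for t, v in records.items())
    if len(body) > EEPROM_SIZE:
        raise ValueError(f"{len(body)} bytes do not fit a {EEPROM_SIZE}-byte EEPROM")
    return body + bytes([UNUSED]) * (EEPROM_SIZE - len(body))


def read_binary(image: bytes, offset: int, length: int) -> bytes:
    """Model of READ BINARY on a transparent file: offset and length only."""
    if offset < 0 or length < 0 or offset + length > len(image):
        raise ValueError("read beyond end of file")
    return image[offset:offset + length]


def free_bytes(image: bytes) -> int:
    return EEPROM_SIZE - parse_image(image)[1]


def append_object(image: bytes, tag: int, value: bytes) -> bytes:
    """Add one more object after the last used byte; fails when memory is full.

    With an EEPROM exactly as large as the required data, this is the
    'physically impossible' case the text describes.
    """
    _, used = parse_image(image)
    tlv = encode_tlv(tag, value)
    if used + len(tlv) > len(image):
        raise ValueError("no free EEPROM for an additional data object")
    return image[:used] + tlv + image[used + len(tlv):]


# Constructed sample data (fictitious person and insurer)
SAMPLE = {
    TAG_INSURER_NAME: b"Beispielkasse",
    TAG_INSURER_ID: b"1234567",
    TAG_MEMBER_ID: b"A123456789",
    TAG_SURNAME: b"Mustermann",
    TAG_GIVEN_NAME: b"Erika",
    TAG_BIRTHDATE: b"19640812",
    TAG_ADDRESS: b"Musterstr. 1, 12345 Musterstadt",
    TAG_VALID_UNTIL: b"1231",
}
IMAGE = build_image(SAMPLE)


def read_in_chunks(image: bytes, chunk: int = 64) -> dict:
    """A terminal reading the whole file with several READ BINARY calls."""
    data = b"".join(read_binary(image, off, min(chunk, len(image) - off))
                    for off in range(0, len(image), chunk))
    return parse_image(data)[0]


if __name__ == "__main__":
    print({hex(t): v.decode() for t, v in read_in_chunks(IMAGE).items()})
    print("free bytes:", free_bytes(IMAGE))
```

The parser stops at the first unused byte rather than at a fixed count of objects, which is what lets a terminal written against today's tag list still read a card that carries an additional object tomorrow; a parser that rejected unknown tags would defeat the extensibility the TLV layout was chosen for.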

The clock-synchronous data transmission protocols depend on the specific type of chip that is used. Each terminal must therefore be able to fully process all possible protocols. The card body can be manufactured using injection molding or a multilayer technology. The useful life of the health insurance card is specified to be six years. After this time, the insured person automatically receives a new card. This means that around 15 million new cards must be issued each year.

If the terminal is connected to a computer, it is controlled by the computer using the T = 1 transmission protocol as specified in ISO/IEC 7816-3. There is one restriction in this regard, which is that data chaining may not be used in the protocol. Doing so would not add any functionality to the application, but it would increase the amount of memory needed in the terminal. Incidentally, this is a typical example of the fact that real applications often use only the necessary parts of standards, and it is uncommon for all of the functions specified in a standard to actually be implemented.

There are only three possible commands that the terminal can execute. The first command is a reset to the health insurance card, followed by reception or reading of the ATR. This command is always used at the start of a session to activate the health insurance card. The second command is READ BINARY as coded in ISO/IEC 7816-4, which can be used to read selected portions of the data or all of the data via the terminal. The third command is WRITE BINARY, also in accordance with ISO/IEC 7816-4, although this command is only available in administrative terminals. It is blocked in all other types of terminals. The health insurance cards of the private insurers have write protection implemented using PINs that are known only to the insurance organization. The cards for the public health insurance plans can be freely written if the necessary commands are known.
If the terminal is directly connected to a computer, its essential function is only to provide a conversion between the T = 1 protocol and the hardware-dependent synchronous protocol of the health insurance card. Nevertheless, it can be clearly seen that it would be possible to switch to microprocessor cards without undue effort or expense. With microprocessor cards, the only function of the terminal would be to transparently relay the commands received from the clinic computer. The response from the card could also be transparently returned to the control computer, without any processing by the terminal.
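The following added example (not code from the Smart Card Handbook, the KVK specification or any real terminal) models the three operations described above and, more importantly, where the write restriction actually sits: the terminal translates ISO/IEC 7816-4 READ BINARY and WRITE BINARY APDUs into primitive card operations, a non-administrative terminal refuses WRITE BINARY before the card ever sees it, a public-plan card accepts any write that does reach it, and a private-insurer card additionally checks a PIN. The instruction bytes and status words are the real ISO/IEC 7816-4 values; the ATR, the PIN, the memory contents and the modelling of the PIN as a parameter of the write (rather than a separate command) are simplifications constructed for this example.

```python
# Added example (not from the source text): a public-plan memory card, a
# private-insurer card with write PIN, and terminals of different roles.
# INS bytes and status words are the ISO/IEC 7816-4 values; everything else
# (ATR, PIN, memory contents) is constructed for illustration.

from dataclasses import dataclass, field
from typing import Optional, Tuple

INS_READ_BINARY = 0xB0
INS_WRITE_BINARY = 0xD0
SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982
SW_WRONG_P1P2 = 0x6B00
SW_INS_NOT_SUPPORTED = 0x6D00

CLINIC, INSURER, ADMIN = "clinic", "insurer", "admin"


@dataclass
class MemoryCard:
    """Synchronous memory card holding one transparent file of 256 bytes."""
    memory: bytearray
    atr: bytes = bytes.fromhex("3B00")   # placeholder ATR, not a real KVK ATR
    write_pin: Optional[bytes] = None    # None models a public-plan KVK

    def reset(self) -> bytes:
        return self.atr

    def read(self, offset: int, length: int) -> Tuple[bytes, int]:
        if offset + length > len(self.memory):
            return b"", SW_WRONG_P1P2
        return bytes(self.memory[offset:offset + length]), SW_OK

    def write(self, offset: int, data: bytes, pin: Optional[bytes] = None) -> int:
        # A private-insurer card checks its PIN. A public-plan card has no
        # such check, so any write that reaches the card succeeds.
        if self.write_pin is not None and pin != self.write_pin:
            return SW_SECURITY_STATUS_NOT_SATISFIED
        if offset + len(data) > len(self.memory):
            return SW_WRONG_P1P2
        self.memory[offset:offset + len(data)] = data
        return SW_OK


@dataclass
class Terminal:
    """Converts T=1 APDUs from the clinic PC into operations on the card."""
    role: str
    admin_pin: Optional[bytes] = None   # configured only in insurer admin terminals
    audit: list = field(default_factory=list)

    def transmit(self, card: MemoryCard, apdu: bytes) -> Tuple[bytes, int]:
        ins, p1, p2 = apdu[1], apdu[2], apdu[3]
        offset = (p1 << 8) | p2
        if ins == INS_READ_BINARY:
            return card.read(offset, apdu[4])
        if ins == INS_WRITE_BINARY:
            lc = apdu[4]
            data = apdu[5:5 + lc]
            if self.role != ADMIN:
                # Enforced in terminal software only: the card never sees it.
                self.audit.append(("write blocked", self.role, offset, lc))
                return b"", SW_INS_NOT_SUPPORTED
            self.audit.append(("write", self.role, offset, lc))
            return b"", card.write(offset, data, self.admin_pin)
        return b"", SW_INS_NOT_SUPPORTED


def read_binary_apdu(offset: int, length: int) -> bytes:
    return bytes([0x00, INS_READ_BINARY, offset >> 8, offset & 0xFF, length])


def write_binary_apdu(offset: int, data: bytes) -> bytes:
    return bytes([0x00, INS_WRITE_BINARY, offset >> 8, offset & 0xFF, len(data)]) + data


def make_public_card() -> MemoryCard:
    mem = bytearray(256)
    mem[0:5] = b"\x80\x03KVK"   # one constructed TLV object with a placeholder tag
    return MemoryCard(mem)


def make_private_card(pin: bytes = b"1234") -> MemoryCard:
    card = make_public_card()
    card.write_pin = pin        # constructed PIN for the example
    return card


def session(terminal: Terminal, card: MemoryCard, apdu: bytes) -> Tuple[bytes, int]:
    """Reset (ATR) first, then a single command, as every KVK session begins."""
    card.reset()
    return terminal.transmit(card, apdu)


if __name__ == "__main__":
    card, clinic = make_public_card(), Terminal(CLINIC)
    print(session(clinic, card, read_binary_apdu(0, 5)))
    print(session(clinic, card, write_binary_apdu(2, b"XYZ")), clinic.audit)
```

The model makes the asymmetry the text describes visible in the return codes: on a public-plan card the only thing standing between a terminal and a successful WRITE BINARY is the terminal's own role check, whereas the private-insurer card rejects the write itself with 0x6982 when the PIN does not match. Logging blocked write attempts in the terminal, as the `audit` list does, is the natural place to detect software that tries to use the command where it should never appear.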