The Frankfurt am Main Public Health Department has developed the GA-Lotse, a central platform that consolidates a wide variety of citizens’ health data—including information on school entrance examinations, measles vaccinations, travel medicine advice, and statistical analyses. Since this data is particularly sensitive, the platform had to meet the highest standards for data protection and IT security in the healthcare sector.
To independently validate the platform’s security level, the Frankfurt Public Health Department commissioned iteratec to conduct a comprehensive penetration test, a crucial step before going live.
IT security standards were implemented throughout the entire development process of the platform. The goal was to create a modern yet trustworthy solution for nationwide use in public health departments. The final penetration test served as the last hurdle and ultimately determined whether the platform could go live.
The independent audit conducted by iteratec was intended not only to verify the effectiveness of the security mechanisms but also to demonstrate that a forward-looking security approach is feasible in a government setting.

For the project, iteratec developed a customized testing strategy that went well beyond standard compliance checks. The application penetration test consisted of three components:
Cloud Configuration Check
Web Application Pentest
Keycloak Security Test
Of particular note: For the Keycloak analysis, the iteratec experts used a custom-developed open-source tool designed specifically for this use case, which is publicly available on GitLab.
“For us, data security is not merely a technical obligation, but also an expression of professional respect and care for every person who places their trust in us. Only by setting the highest standards in IT security can digital transformation truly contribute to the well-being of the population and build trust in public health. That is why we make no compromises when it comes to data security and privacy, and are setting new standards for secure digital health services.”
Management of the Frankfurt am Main Public Health Department
The penetration test identified areas for improvement. Even a robust security strategy can still have vulnerabilities. For example, configuration flaws were discovered in the IAM system that could have allowed unauthorized access. These vulnerabilities were addressed before the launch, and a subsequent retest confirmed that the platform meets high standards for information security and data protection.
The insights gained were incorporated not only into the optimization of the application but also into preparations for a planned certification. At the same time, they helped establish modern concepts such as cloud-native architecture and zero-trust principles in public administration—a true leap forward in innovation that was recognized with the InfoSec Impact Award from NExT e.V. and the Federal Office for Information Security (BSI).
The collaboration between the Frankfurt am Main Public Health Department and iteratec serves as a prime example of how IT security is becoming a key success factor for digitalization in the public sector. A comprehensive penetration test, custom-developed testing procedures, and open communication eliminate potential vulnerabilities and establish sustainable security standards.
The GA-Lotse is a pioneering project for modern administrative platforms and demonstrates the successful implementation of security concepts such as Zero Trust in government IT.
The Frankfurt am Main Public Health Department offers a wide range of services for health counseling, promotion, and protection.
“True IT security can only be achieved through critical and ongoing review of implementations. In the best sense of the word, iteratec took a second, close look to ensure that everything was truly secure.”
Technical Lead and Product Owner for GA-Lotse, Frankfurt am Main Public Health Department