Why a new prescription is needed for healthcare’s chronic trust problem
A global standard can be effective in fixing the challenges of authenticating and authorizing data exchange across organizational boundaries.

Healthcare data exchange relies on trust. Hospitals, clinics and partners need strong assurance that data comes from whom it claims to come from, and that only authorized parties can access sensitive information.
For the last two decades, this trust has been managed with digital certificates and protocols like OAuth. Most of these were never designed for cross-domain trust, and several carry foundational design weaknesses that attackers now exploit routinely.
These may have been effective solutions in their day and, to their credit, certificates have managed to scale alongside the Internet. But in the modern threat landscape, these legacy tools are showing their age. In practice, today's trust models leave critical gaps that undermine security and limit how far trust can scale in cross-organizational health data exchange.
They have unlocked data flows at scale, but the rapid expansion that followed HITECH left trust behind. The question is no longer "Can we connect?" We can. Instead, we are forced to ask, "Can we trust this connection?"
That’s a question the industry still can’t answer with any confidence.
When you zoom out, the signs are everywhere. Cyberattacks on health data are still at all-time highs, and the latest figures from Censinet show that three-fourths of those attacks originate with third parties. That is not a trustworthy interoperability environment.
As a result, entire swaths of the healthcare data ecosystem still have not onboarded to TEFCA. Beyond the risk itself, their reluctance is fueled by a wave of lawsuits in which the question of trust is front and center. The much-discussed Epic v. Health Gorilla case is the visible example, but it is not unique. And whatever that court rules, the court of public opinion has taken note.
Look under the hood and you find a system in which at-scale connections rest on a mix of contracts, asserted trust and these outmoded verification models. That might hold up at small scale, but it breaks when you go national. Which is exactly where we have landed.
It’s time for new protocols and a new approach.
Organizational ID: Importing a solution
Healthcare isn’t the first industry to run into this problem. After the 2008 financial crisis, regulators uncovered a major blind spot. They couldn’t reliably tell who controlled the organizations participating in transactions, specifically, "What entities are owned by what bank?"
As regulators, how do you decide which banks to let fail if you can't understand the second-order impact of those decisions? The lack of clarity made the global financial risk nearly impossible to manage.
The response? The G20 authorized the creation of the Legal Entity Identifier (LEI) and appointed the Global Legal Entity Identifier Foundation (GLEIF) to manage it. For more than a decade now, GLEIF has issued standardized, globally recognized identifiers for organizations. It is the only body mandated by the world's major economies to establish cross-jurisdictional organizational identity at scale.
That alone was a major step forward, but until recently, verifying an LEI still relied on manual, document-based processes.
vLEI: Modernizing identity
The ISO-standardized verifiable Legal Entity Identifier (vLEI) takes the established LEI system and modernizes it. The vLEI is a cryptographic credentialing framework through which a receiving system can verify two things on the spot.
First, "Is this entity (organization, person or server) who it claims to be?" Second, "Does it have permission to take the action it is asking to take?" In other words, the vLEI proves both authentication and authorization across organizational boundaries, and it is purpose-built for that cross-domain case.
It also removes longstanding weaknesses of legacy systems, such as "phone home" verification (checking back with the issuer at every use) and reliance on assertions from third-party certifiers.
While the vLEI starts as an organizational identifier, it does not stop at the organization level. It lets a verified organization extend authority to the people and systems acting on its behalf. In technical terms, it creates cryptographically delegable authority: authority that can be safely asserted across trust domains.
Practically speaking, the vLEI lets receiving systems stop relying on context clues, shared secrets or prior relationships. They can verify, in the moment, that the entity requesting data is legitimate, that it represents a verified organization and that it is authorized for the action being taken.
When compared with legacy authentication, the vLEI sits in a new category of trust.
What's under the hood?
To establish trust across businesses and geographic boundaries — really, to build in trust at Internet-scale — GLEIF had to break new ground.
In creating the vLEI, the team at GLEIF spent significant time and resources searching for something cryptographically secure, scalable and able to adapt to future problems (for example, quantum computing). Like many others, they started with the standard toolbox (X.509 PKI, mTLS, OAuth and others) and found these longstanding systems insufficient.
So they moved on to the much-discussed "Web3" suite of technologies, mainly blockchain. Blockchain is a tangible upgrade over the legacy options, but there is a reason it has never seen broad adoption outside of cryptocurrencies.
That reason is scaling. The compute and governance required to run a blockchain at scale are the Achilles' heel of Web3 answers to the digital trust problem. The financial incentives to overcome those costs are clear for fungible tokens and currency. They fall apart when the subject is the trust and identity needs of every other kind of transaction.
That left GLEIF with a problem. If they needed cryptographic, future-proofed identity, and needed it at scale, where would they turn? The answer was Key Event Receipt Infrastructure (KERI), an open-source project whose specifications are now developed under the Linux Foundation's Trust over IP project. Created by Samuel M. Smith, PhD, KERI changes how identity is managed at a fundamental level, and it provides a path to cryptographic identity at true Internet scale.
Instead of relying on static certificates issued by a central authority for authentication, or on the total global ordering of a blockchain for authorization, KERI decentralizes both: control sits with the endpoint and is bound to a self-certifying identifier. Every key rotation is recorded in that identifier's key event log and is verifiable against the prior event, which carries a pre-committed digest of the next keys. A stolen current key therefore cannot be used to rotate the identifier away from its owner. The result is the scalable, cryptographically secure framework on which the vLEI rests.
More detail on how the process works at a technical level can be found in Dr. Smith's KERI whitepaper.
It is important to recognize the successes that KERI builds on. Internet security experts spent decades building the certificate authority model, PKI and centralized trust anchors. That model is the grandfather of Internet security, and it still underpins many healthcare APIs today.
But it was designed for a different era, when connections were far fewer, "complex" meant SFTP, and AI agents remained firmly in the realm of science fiction. Worse, today's attackers are well versed in that system's flaws.
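To make the rotation mechanism concrete, here is an added toy example of a key event log with pre-rotation. It is my illustration, not KERI's real event format and not GLEIF's or the vLEI's code. It assumes SHA-256 digests, JSON serialization and, so that it runs on the Python standard library alone, Lamport one-time signatures in place of the real signing algorithm (hash-based, so each key signs exactly one event here, which is why a fresh key is committed at every event). The verifier checks each event's signature, its chaining to the prior event and, for rotations, that the newly exposed key matches the digest committed one event earlier; the two attack helpers show that neither a fresh attacker key nor an after-the-fact edit of the log passes.

```python
"""Toy key event log (KEL) with pre-rotation, in the spirit of KERI.

Added illustration only: not KERI's real event format, not GLEIF/vLEI code.
Signatures are Lamport one-time signatures so the example needs only the
standard library; each key signs exactly one event.
"""
import copy
import hashlib
import json
import secrets


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canon(obj) -> bytes:
    """Deterministic serialization so digests and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- Lamport one-time signatures (stand-in for the real signing algorithm) ---
def lamport_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [[h(a).hex(), h(b).hex()] for a, b in sk]  # JSON-friendly public key
    return sk, pk


def _bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][bit].hex() for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(pk) != 256 or len(sig) != 256:
        return False
    return all(h(bytes.fromhex(sig[i])).hex() == pk[i][bit]
               for i, bit in enumerate(_bits(msg)))


# --- Key event log ---
def commit(pk) -> str:
    """Pre-rotation commitment: publish the digest of the NEXT public key now."""
    return h(canon(pk)).hex()


def self_addr(body) -> str:
    """Self-certifying identifier: digest of the inception event's own content."""
    return h(canon({k: v for k, v in body.items() if k != "i"})).hex()


class Controller:
    """Holds the current signing key and the pre-rotated, still secret, next key."""

    def __init__(self):
        self.sk, self.pk = lamport_keygen()
        self.next_sk, self.next_pk = lamport_keygen()
        body = {"t": "icp", "s": 0, "k": self.pk, "n": commit(self.next_pk)}
        body["i"] = self_addr(body)
        self.log = [(body, lamport_sign(self.sk, canon(body)))]

    def rotate(self):
        prev = self.log[-1][0]
        self.sk, self.pk = self.next_sk, self.next_pk    # expose the committed key
        self.next_sk, self.next_pk = lamport_keygen()    # and commit to a fresh one
        body = {"t": "rot", "s": prev["s"] + 1, "i": prev["i"],
                "p": h(canon(prev)).hex(), "k": self.pk, "n": commit(self.next_pk)}
        self.log.append((body, lamport_sign(self.sk, canon(body))))  # signed by NEW key


def verify_log(log) -> bool:
    """A verifier needs only the log: no CA and no 'phone home' to an issuer."""
    prev = aid = None
    for body, sig in log:
        if not lamport_verify(body["k"], canon(body), sig):
            return False
        if body["t"] == "icp":
            if prev is not None or body["s"] != 0 or body["i"] != self_addr(body):
                return False
            aid = body["i"]
        elif body["t"] == "rot":
            if prev is None or body["i"] != aid or body["s"] != prev["s"] + 1:
                return False
            if body["p"] != h(canon(prev)).hex():        # chained to prior event
                return False
            if commit(body["k"]) != prev["n"]:           # pre-rotation check
                return False
        else:
            return False
        prev = body
    return prev is not None


def forged_rotation(log):
    """Attacker with fresh keys, but without the pre-committed next key, tries to rotate."""
    log = copy.deepcopy(log)
    prev = log[-1][0]
    sk, pk = lamport_keygen()
    body = {"t": "rot", "s": prev["s"] + 1, "i": prev["i"],
            "p": h(canon(prev)).hex(), "k": pk, "n": commit(lamport_keygen()[1])}
    log.append((body, lamport_sign(sk, canon(body))))
    return log


def tampered(log):
    """Rewrite history: change the inception commitment after the fact."""
    log = copy.deepcopy(log)
    log[0][0]["n"] = "00" * 32
    return log
```

The point to notice is `commit(body["k"]) != prev["n"]`: the key that signs a rotation must be the one whose digest was published one event earlier, so an attacker holding only the current private key cannot move the identifier, and the verifier learns this from the log alone rather than from a certificate authority.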
Importing the vLEI
Healthcare is well suited to the advances the vLEI provides, and organizations are moving quickly from theoretical gains into real-world pilot testing of the technology. Groups like the CARIN Alliance and DirectTrust are actively evaluating the vLEI as a path toward trusted Organizational ID across CMS-aligned healthcare networks. These are the right organizations to shepherd the vLEI into healthcare.
The benefits are clear.
Onboarding becomes faster because trust is no longer negotiated from scratch every time. It is presented and verified. That alone removes a great deal of friction across networks.
Access decisions become clearer. Instead of inferring authority from context or prior relationships, systems validate it directly at the moment it matters.
Third-party risk becomes more manageable. When vendors and partners must present verifiable credentials tied to their organization and their delegated authority, oversight becomes transparent and enforceable.
None of this removes the need for governance, and that is where the vLEI fits: it is open source, ISO-standardized, and pairs a strong governance model with a strong technology stack.
Where this goes next
Over the course of this year, expect the first meaningful pilots of the vLEI inside real healthcare workflows: production-ready code aimed at use cases where identity, authority and trust are under real pressure. If those pilots succeed, and there is strong reason to believe they will, they mark the start of healthcare's path to fully trusted exchange.
The model is already being advanced in other industries. In telecommunications, KERI underpins the Open Verifiable Communication standard, where identity is no longer assumed or brokered through intermediaries but proven directly between the parties. Imagine a world with no more spam calls; the core technologies under the vLEI are being applied to exactly that problem.
Now imagine a world where healthcare's data ecosystems are not just interoperable but trustworthy. If healthcare's vLEI adoption follows a similar trajectory, it can become the trust layer that finally closes the gap, and the industry can have trusted networks delivering patient data the way it has needed for so long.
In the same way FHIR promises to become the backbone of interoperability, the vLEI can become the backbone of trust. When that happens, we will finally stop asking, "Can we trust the system?" and begin asking what sort of future we can build on top of that trust.
Jared Jeffery, FACHDM is CEO of healthKERI.
