Why Healthcare Needs a New Trust Layer

ggreve

There is a thought experiment in philosophy called the Ship of Theseus. If you replace every plank of a wooden ship, one at a time, is it still the same ship? Healthcare IT has been running its own version of this experiment for three decades — replacing analogue components with digital ones, piece by piece, while assuming the underlying trust model would hold.

It did not.

The planks were replaced, but the hull was never redesigned for the new sea conditions. And the sea conditions have changed dramatically. Clinical data now crosses institutional boundaries by default. A GP in Zurich refers a patient to a specialist in Bern. A laboratory transmits results back to the ordering clinic. A pharmacy verifies a prescription from a physician it has never interacted with before. These are not edge cases. They are the ordinary operations of a modern health system.

The trust infrastructure underlying most of these interactions was designed for a world where institutions operated mainly within their own perimeters. That world no longer exists.

The Problem Is Not Access Control

Perimeter security works well when the threat is external and the actors are internal. A hospital’s firewall keeps outsiders out. Certificate-based authentication confirms a server is who it claims to be. These tools remain essential.

But here is the structural gap: existing infrastructure can verify that a message arrived from a known server. It cannot reliably verify that the message was authorised by a specific, identified human professional — and that the authorisation is still valid at the moment the receiving institution checks it.

The certificate authorities that underpin this system create their own problems. Every CA is a third party that holds trust hostage — an entity that can be compromised, coerced by governments, or fail operationally. Let’s Encrypt alone holds roughly 60% market share for TLS certificates. A single US institution as the structural single point of failure for the majority of internet transport security.

That is a steep price to pay for “trust.”

Thirty Years of Encrypted Mail — and Its Limits

Switzerland’s Health Info Net AG — HIN — has been running secure medical messaging infrastructure for thirty years. Today, SEAL processes more than 800,000 encrypted interactions per month across this network, connecting over 30,000 GP offices with hospitals, specialists, pharmacies, and laboratories.

That is a significant operational achievement. The Mail Gateway that preceded SEAL kept sensitive health communications private and authenticated since the mid-1990s. It did what it was designed to do.

But it was designed for an era of email. It operates at the message layer. It can confirm that a message is encrypted and that it arrived through the HIN infrastructure. What it cannot do is embed verifiable assertions about the sender’s professional credentials, their current institutional affiliation, or the specific permissions they hold — in a form that the receiving party can verify independently, without calling a central registry.

As health systems move toward structured data exchange — think FHIR-based clinical order workflows, cross-institutional referrals with consent-bound authorisation, real-time laboratory result routing — the message-layer model reaches its architectural limits. Not because it is broken. Because the requirements have grown beyond what it was built to handle.

What Replaces Perimeter Security

The answer is not a bigger perimeter. It is a fundamentally different trust primitive: cryptographically verifiable credentials held by the actors themselves, not just by the systems they use.

Instead of asking “did this message arrive through an authorised channel?”, the question becomes: “does this message carry cryptographic proof that the sender holds current, valid credentials issued by an authority the receiving party already trusts?”

This shifts trust from the infrastructure layer to the identity layer. A message carries with it proof of who sent it, under what professional authority, and whether that authority is current — without requiring the receiving party to query a central registry at the moment of verification.

The OAuth and certificate systems most organisations rely on today were not designed for this. They excel at session management within a single domain. But cross-institutional trust? OAuth assumes the party issuing the token is the party relying on it. When Institution A issues a token, it works within Institution A. Institution B has no reason to trust it. There is no native mechanism for that cross-boundary verification.

So organisations converge on a central identity provider — Google, Microsoft, Okta — recreating the centralisation problem in a new guise.

A distributed trust architecture — where each entity maintains its own cryptographic identity anchored to a self-certifying identifier, verifiable by any counterparty without a central broker — addresses this structural limitation. This is decentralised key management. And this is the architecture behind Stargate, the trust infrastructure that is transforming the HIN network.

The Ongoing Transformation

The HIN deployment is not a proof of concept. SEAL, the encrypted swarm delivery system that handles external communication to recipients outside the HIN network, processes those 800,000+ interactions per month in production. Recipients — predominantly patients — access their messages in any browser on any device. No app downloads. No accounts. No certificates.

But SEAL is the starting point, not the destination. Stargate is the full platform now being rolled out — replacing HIN’s legacy mail gateway with infrastructure that adds decentralised identity, verifiable credentials, structured data exchange, and cryptographic audit trails on top of encrypted communication.

The multi-year phased rollout continues. 2026 brings gateways to hospitals and institutions. 2027 targets HIN Clients in GP offices. HIN is undertaking this transformation with Vereign’s support — not as a rip-and-replace migration, but as an organic evolution where Stargate retains full backward compatibility with existing systems.

From an engineering perspective, the most important thing about this deployment is what it does not require: it does not require every participating institution to trust a single central authority. Each entity maintains its own key event log. Any counterparty verifies trust by reading that log directly — no bilateral negotiation, no shared CA, no intermediary trust agreement.
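What reading a key event log directly can involve, shown as an added example that is not Vereign's or HIN's code. The event fields (`s`, `p`, `k`, `n`), the function names, and the use of Lamport one-time signatures in place of a production signature scheme are assumptions chosen so the example runs on the Python standard library alone.

```python
import hashlib, json, secrets

def H(b): return hashlib.sha256(b).digest()
def ser(ev): return json.dumps(ev, sort_keys=True).encode()

# Assumption: Lamport one-time signatures stand in for a real scheme.
# Each key signs exactly one event, which matches the one-time constraint.
def keygen():
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    return sk, b"".join(H(x) for pair in sk for x in pair)

def bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return b"".join(sk[i][b] for i, b in enumerate(bits(msg)))

def verify(pk, msg, sig):
    return all(H(sig[32*i:32*i+32]) == pk[64*i+32*b:64*i+32*b+32]
               for i, b in enumerate(bits(msg)))

def make_event(key, next_pk, seq, prior=None):
    """Build and sign one event; 'n' commits to the NEXT key by digest only."""
    sk, pk = key
    ev = {"s": seq, "p": prior, "k": pk.hex(), "n": H(next_pk).hex()}
    return ev, sign(sk, ser(ev))

def verify_log(identifier, log):
    """Return the current public key (hex) if the log is valid, else None."""
    prior = commit = None
    for seq, (ev, sig) in enumerate(log):
        raw, pk = ser(ev), bytes.fromhex(ev["k"])
        if ev["s"] != seq or ev["p"] != prior or not verify(pk, raw, sig):
            return None                      # bad order, chain or signature
        if seq == 0 and H(raw).hex() != identifier:
            return None                      # identifier not bound to inception
        if seq > 0 and H(pk).hex() != commit:
            return None                      # key was not pre-committed
        prior, commit = H(raw).hex(), ev["n"]
    return log[-1][0]["k"] if log else None

def demo():
    """Constructed sample: inception, one valid rotation, one forged rotation."""
    k0, k1, k2, attacker = keygen(), keygen(), keygen(), keygen()
    icp = make_event(k0, k1[1], 0)
    aid = H(ser(icp[0])).hex()               # self-certifying identifier
    rot = make_event(k1, k2[1], 1, prior=aid)
    forged = make_event(attacker, attacker[1], 1, prior=aid)
    return (verify_log(aid, [icp, rot]) == k1[1].hex(),
            verify_log(aid, [icp, forged]) is None)
```

The verifier needs only the identifier and the log itself: the identifier is the digest of the inception event, so no registry lookup or shared CA is involved in deciding which key is current.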

Beyond Healthcare

The pattern I have described here is not specific to Switzerland or to medical messaging. Every regulated sector — finance, legal, government, pharma, energy — faces the same structural challenge: actors who need to interact across institutional boundaries, with credentials that must be verifiable without central dependency, in environments where the audit trail is non-negotiable.

Healthcare proved it works at scale. 800,000+ verifiable interactions per month, tens of thousands of medical professionals, hundreds of institutional participants. The credentials are verifiable. The system is resilient. The compliance story is clear, because every assertion about professional identity carries its own cryptographic proof.

The trust problem is not a software bug to be patched. It is a structural gap that requires new infrastructure.

So back to the Ship of Theseus. Healthcare has been replacing planks for thirty years. What it needs now is not another plank. It is a hull designed for the waters it actually sails in — one where trust does not depend on a single authority staying honest, staying funded, and staying uncompromised.

That is what a trust layer means. Not a new perimeter. A new foundation.
