
Identity-First Healthcare

A doctor takes an oath to keep your secrets. Then they type those secrets into a centralized database accessible to thousands. The oath is sincere. The architecture makes it impossible to honor.

Finland's Kanta system stores the health records of 5.5 million people in one place. The US has Epic and Cerner, each holding hundreds of millions of records. The UK has the NHS Spine. Every one of these is a honeypot — a single point where a breach exposes everything.

The P2P model eliminates the honeypot. Patient data exists only where the patient has explicitly shared it. The architecture enforces the oath.

The Current Model: Everyone Gets a Copy

When you visit a doctor today, this happens:

  1. Doctor examines you, writes notes
  2. Notes go to the hospital's central system
  3. The central system syncs to the national system (Kanta, NHS Spine, etc.)
  4. Billing extracts data for insurance
  5. Lab systems pull orders, push results back
  6. Pharmacy systems pull prescriptions
  7. Researchers query the database for studies
  8. IT administrators maintain all of it

Your intimate medical details — mental health notes, STD tests, substance abuse history, genetic information — now exist in multiple centralized databases maintained by multiple organizations. Each copy is a target. Each administrator is a potential leak. Each system boundary is an attack surface.

The entire security apparatus — access control lists, role-based permissions, audit logs, consent management platforms, GDPR compliance layers, breach notification procedures — exists to compensate for one architectural decision: putting everyone's data in one place.

What if we didn't?

The P2P Model: Data Flows Only Where You Send It

The Patient Is the Record

In the identity-first model, the patient's medical record is not a row in a hospital database. It is a collection of documents owned by the patient's identity, stored on the patient's devices.

Every actor in the healthcare system has a cryptographic identity:

  • Patient — owns their medical record
  • Doctor — writes clinical notes, prescriptions, referrals
  • Medical device — produces measurements and imaging
  • Lab — processes samples, produces results
  • Pharmacy — dispenses medication
  • Specialist — provides focused expertise
  • Hospital — institutional identity that employs professionals
  • Insurance — processes claims
  • Researcher — studies anonymized data

Data flows between identities through explicit sharing. Nothing goes to a central database. Nothing is accessible by default.

How a Doctor Visit Works

Patient ──────────── Doctor
   │                    │
   │  1. Share history  │
   │ ──────────────────>│
   │                    │
   │  2. Examination    │
   │    notes           │
   │ <──────────────────│
   │                    │
   │  3. Prescription   │
   │ <──────────────────│
   │                    │
   │        ┌───────────────────── Lab (anonymous sample)
   │        │  4. Sample          │
   │        │  (blind ID only)    │
   │        │                     │
   │  5. Lab results    │<────────┘ (results signed against blind ID)
   │ <──────────────────│
   │                    │
   │  6. Patient takes prescription to pharmacy
   │ ──────────────────────────────────────────> Pharmacy

  1. Patient shares relevant history with the doctor. The patient chooses what to share — their full history, or just what's relevant.
  2. Doctor writes examination notes. Documents signed by the doctor's identity, shared with the patient. The doctor may retain a copy — they have a legitimate clinical relationship.
  3. Doctor creates a prescription. A document signed by the doctor, given to the patient. The patient carries it to any pharmacy they choose.
  4. Doctor orders lab work. The doctor assigns a blind identifier — a random number with no link to the patient. The lab never learns who the sample belongs to.
  5. Lab produces results. Signed against the blind ID. The doctor matches them to the patient and shares the full chain. The patient holds verifiable proof without the lab ever knowing their identity.
  6. Patient takes prescription to pharmacy. The pharmacy verifies the doctor's signature cryptographically. No call-back to a central system. The math verifies it.

At no point did data enter a central system. The hospital doesn't have a database of all patient records. The national system doesn't exist. The lab — which processes some of the most sensitive tests — never knew whose samples they were handling.

Prescriptions

A prescription is a document signed by a doctor's identity and handed to the patient:

Medical Board ──attests──> Doctor Identity ──signs──> Prescription ──given to──> Patient

The patient takes this to any pharmacy. The pharmacy verifies the chain cryptographically. No central prescription database. No fax machines. No phone calls. The math verifies it.

Preventing double-dispensing. Pharmacies publish the hash of each fulfilled prescription to a shared ledger. The ledger contains only prescription hashes and remaining quantities — no patient identity, no medication details, no pharmacy identity. Just completeness tracking.

This supports split dispensing naturally — a patient can fill part of a prescription at one pharmacy and the rest at another. Each publishes the updated remaining quantity. The ledger tracks completeness without revealing who, what, or where.
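As an added example (not code from the original page or from the Kotletti project), here is the prescription chain above and the double-dispensing ledger in Go with the standard library's Ed25519: the board attests the doctor's key, the doctor signs the prescription, a pharmacy verifies both offline, and the ledger key is a hash of the doctor's signature, which nobody who has not seen the prescription can compute. All type and field names, the sample prescription text and the quantities are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Prescription: doctor-signed document plus the board's attestation of the doctor's key.
type Prescription struct {
	Body, Sig []byte            // constructed content; doctor's signature over it
	DoctorPub ed25519.PublicKey // doctor identity
	BoardSig  []byte            // medical board's signature over DoctorPub
}

// VerifyPrescription checks board -> doctor -> document entirely offline.
func VerifyPrescription(boardPub ed25519.PublicKey, p Prescription) bool {
	return ed25519.Verify(boardPub, p.DoctorPub, p.BoardSig) &&
		ed25519.Verify(p.DoctorPub, p.Body, p.Sig)
}

// PrescriptionID: the published ledger key, a hash of the doctor's signature (names no patient, drug or pharmacy).
func PrescriptionID(p Prescription) [32]byte { return sha256.Sum256(p.Sig) }

// Ledger maps prescription hash -> remaining quantity, and nothing else.
type Ledger map[[32]byte]int
// Dispense publishes a (possibly partial) fill; total is read from the prescription and counts only on the first fill.
func (l Ledger) Dispense(id [32]byte, total, qty int) (int, bool) {
	if _, seen := l[id]; !seen {
		l[id] = total
	}
	if qty > l[id] {
		return l[id], false // would double-dispense
	}
	l[id] -= qty
	return l[id], true
}

// Demo: fresh keys, constructed data; returns chain valid, altered copy valid, quantity left after a split fill.
func Demo() (bool, bool, int) {
	boardPub, boardPriv, _ := ed25519.GenerateKey(nil)
	docPub, docPriv, _ := ed25519.GenerateKey(nil)
	body := []byte("constructed sample: amoxicillin 500 mg, quantity 21")
	p := Prescription{body, ed25519.Sign(docPriv, body), docPub, ed25519.Sign(boardPriv, docPub)}
	altered := p
	altered.Body = []byte("constructed sample: amoxicillin 500 mg, quantity 210")
	ledger, id := Ledger{}, PrescriptionID(p)
	ledger.Dispense(id, 21, 14)           // first pharmacy
	left, _ := ledger.Dispense(id, 21, 7) // second pharmacy fills the rest
	return VerifyPrescription(boardPub, p), VerifyPrescription(boardPub, altered), left
}
```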

Referrals

A doctor refers a patient to a specialist. The referral is a signed document shared with the patient. The patient then shares it — and whatever medical history they choose — with the specialist. The specialist doesn't query a central system. The patient brings their data.

Lab Work and Imaging

The blind identifier pattern: The lab doesn't need to know whose sample it's processing. The doctor assigns a random ID, sends the sample with only that ID, and keeps a signed mapping. The patient ends up with a verifiable chain: lab-signed results + doctor-signed mapping = proof these results are theirs, from that lab, without the lab ever knowing.
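The blind identifier chain as an added example (not the page's or the project's code), again in Go with standard-library Ed25519: the lab signs results against only the blind ID, the doctor signs the mapping from blind ID to patient key, and the patient checks both signatures and that the IDs match. Type names, field names and the sample result line are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
)

// LabResult is signed by the lab against only the blind ID; it carries no patient identity.
type LabResult struct {
	BlindID [16]byte
	Result  []byte // constructed sample content
	LabSig  []byte // lab signature over BlindID || Result
}

// Mapping is the doctor's signed statement that BlindID belongs to PatientPub.
type Mapping struct {
	BlindID    [16]byte
	PatientPub ed25519.PublicKey
	DoctorSig  []byte // doctor signature over BlindID || PatientPub
}

// Byte strings each party actually signs.
func labMsg(r LabResult) []byte { return append(append([]byte{}, r.BlindID[:]...), r.Result...) }
func mapMsg(m Mapping) []byte   { return append(append([]byte{}, m.BlindID[:]...), m.PatientPub...) }
// NewBlindID draws a random identifier with no link to the patient.
func NewBlindID() (id [16]byte) { rand.Read(id[:]); return }
// VerifyChain is what the patient runs: lab-signed result + doctor-signed mapping = proof.
func VerifyChain(labPub, docPub, patientPub ed25519.PublicKey, r LabResult, m Mapping) bool {
	return r.BlindID == m.BlindID &&
		bytes.Equal(m.PatientPub, patientPub) &&
		ed25519.Verify(labPub, labMsg(r), r.LabSig) &&
		ed25519.Verify(docPub, mapMsg(m), m.DoctorSig)
}

// DemoLab: fresh keys, constructed data; returns genuine chain valid, mapping for another ID valid.
func DemoLab() (bool, bool) {
	labPub, labPriv, _ := ed25519.GenerateKey(nil)
	docPub, docPriv, _ := ed25519.GenerateKey(nil)
	patPub, _, _ := ed25519.GenerateKey(nil)
	id := NewBlindID()
	r := LabResult{BlindID: id, Result: []byte("constructed sample: HbA1c 5.4%")}
	r.LabSig = ed25519.Sign(labPriv, labMsg(r))
	m := Mapping{BlindID: id, PatientPub: patPub}
	m.DoctorSig = ed25519.Sign(docPriv, mapMsg(m))
	other := Mapping{BlindID: NewBlindID(), PatientPub: patPub} // a different sample's mapping
	other.DoctorSig = ed25519.Sign(docPriv, mapMsg(other))
	return VerifyChain(labPub, docPub, patPub, r, m), VerifyChain(labPub, docPub, patPub, r, other)
}
```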

This matters most for sensitive tests — STD screening, genetic testing, drug panels, psychiatric evaluations — where the lab having the patient's identity creates unnecessary risk.

Imaging follows the same pattern where applicable. An MRI machine has a cryptographic identity. The scan is signed by the machine. Results can't be tampered with in transit because the machine signed them.

Hospital Admission

When a patient is admitted, they grant access to the hospital's care team. The scope can be specific: the orthopedic surgeon sees musculoskeletal history but not psychiatric notes. The anesthesiologist sees allergies and drug reactions. The billing office sees procedure codes but not clinical details.

When the patient is discharged, they can revoke or narrow the grants. The hospital retains what's clinically and legally required — their own notes about the care they provided — signed by their own identities.

Insurance

Insurance is the most over-engineered part of the current system, precisely because it operates on a broken model: the insurer gets access to clinical data they shouldn't need in order to process financial transactions.

In the P2P model: the patient shares billing codes, not clinical notes. If a claim requires clinical justification, the patient shares the specific relevant notes — not their entire history. Insurance never has access to the full record.

Research

The P2P model enables patient-controlled research participation. A research institution publishes a study identity with its parameters. Patients who want to participate share the specific requested data. The researcher never sees the full record. The patient can withdraw at any time.

This is consent that actually means something — the patient actively chose to share specific data, rather than signing a form that gives blanket access to a database they've never seen.

Medical Devices as Peers

Every medical device that produces data is a peer in the network with its own identity.

Continuous Monitoring

A heart monitor worn by a patient shares real-time data with the patient and the patient's cardiologist. Nobody else receives this data — not the device manufacturer, not a cloud service, not the hospital's general IT infrastructure.

Hospital Equipment

Hospital beds with sensors, infusion pumps, ventilators — each has an identity. Data flows to the attending care team and the patient's record. A breach of one device reveals data about patients currently connected — not every patient in the hospital's history.

Home Devices

Blood glucose meters, blood pressure monitors, pulse oximeters — in the P2P model, the device sends data to the patient's identity. The patient shares it with their doctor. The manufacturer never sees the data. No cloud account. No integration platform.

Emergency Access

The argument for centralization is always emergencies: "What if you're unconscious in the ER?" This is a real problem. But centralization is not the only solution — and it's a solution with massive costs. Several P2P approaches address it, and they can be layered:

Medical Summary Card

The patient maintains a medical summary — allergies, blood type, current medications, chronic conditions — on a device or physical card (NFC). Signed by the patient's identity and cryptographically verifiable as authentic.

Emergency Contacts

The patient designates people who can share medical data on their behalf. Identity-level grants: "If I can't authorize access, these identities can." This mirrors reality — your family knows your medical history. The P2P model formalizes this with cryptographic authority.

Emergency Responder Access

A special class of time-boxed, scope-limited access for verified emergency medical identities. The patient pre-authorizes: emergency professionals with valid credentials can access critical data for a limited period.

Limited Central Registry

For patients who want maximum emergency coverage: a minimal central registry holding name, identity public key, emergency contacts, and a medical summary. Not the full record. Just enough for emergency care.

These approaches coexist. A patient might use all of them, or none. The architecture doesn't mandate centralization for emergencies — it offers graduated options, all under patient control.

What Disappears

When the architecture itself enforces privacy, enormous categories of infrastructure become unnecessary:

Access Control Lists. In the central model, you maintain complex rules about who can see what. In the P2P model, there is no database to control access to. You see what was shared with you. Period.
Audit Logging. Central systems maintain logs of who accessed what record when, because anyone could access any record. In the P2P model, if you have the data, it's because the patient gave it to you.
Consent Management Platforms. Entire software systems exist to track what each patient consented to. In the P2P model, consent IS the act of sharing.
Breach Notification for Millions. A central breach affects millions. In the P2P model, a breach affects the data on the compromised device — not every patient in the system.
Role-Based Access Control. Elaborate systems defining what a nurse vs. doctor vs. billing clerk can see. In the P2P model, each person sees what the patient shared with them.
Cross-Border Data Transfer Compliance. GDPR, HIPAA, and other regulations govern how medical data moves between jurisdictions. In the P2P model, the data is on the patient's device — the patient shares it directly, wherever they are.

The current healthcare IT industry is enormous precisely because it's building compensating mechanisms for a fundamentally broken model. When the architecture is right, most of those mechanisms are simply not needed.

What This Enables

True Patient Agency

The patient sees everything. Every note, every result, every image. They decide who sees what. They can get a second opinion by sharing their complete record with any doctor in the world — not by requesting a records transfer that takes weeks.

Portable Records

Your medical history is yours, on your devices. Change doctors, change cities, change countries — your records come with you. No forms. No fax machines. No waiting.

Medical Privacy That's Real

A patient can see a psychiatrist without that visit appearing in a database accessible to their employer's insurance administrator. Privacy isn't a policy to be enforced — it's an architectural fact.

Doctor-Patient Relationship Without Intermediaries

The doctor and patient communicate directly. No hospital portal. No patient messaging system that's really a feature of the EMR vendor. No intermediary mining the communication for data.

Honest Clinical Notes

When the doctor knows the note goes only to the patient and stays between them, the clinical narrative can be more honest and more useful.

The Architectural Comparison

Aspect            | Centralized                                  | P2P
Record location   | Central database (Kanta, Epic, NHS Spine)    | Patient's devices
Access model      | Role-based access to central DB              | Patient shares with specific identities
Breach impact     | Millions of records exposed                  | One device's current data
Doctor's oath     | Honored in spirit, violated by architecture  | Honored by architecture
Emergency access  | Central DB lookup                            | Layered: card, contacts, escrow, mini-registry
Insurance access  | Broad access to clinical data                | Patient shares billing codes only
Research          | Database queries with ethics approval        | Patient-controlled data sharing
Cross-border      | Complex regulatory compliance                | Data travels with patient
Second opinion    | Request records transfer (weeks)             | Share directly (instant)
Device data       | Through manufacturer cloud                   | Device → patient → doctor
Security infra    | ACLs, RBAC, audit logs, consent management   | Not needed — architecture enforces privacy

Open Questions

These are real challenges that need elegant solutions. We're noting them rather than forcing premature answers:

Institutional Identity and Staff Turnover. A hospital employs hundreds of doctors who come and go. How does the institutional identity delegate authority to individual practitioners? How is authority revoked when someone leaves?
Legal and Regulatory Access. Courts may subpoena medical records. Medical boards may need records for malpractice investigations. How do these work when there's no central database to subpoena?
Mandatory Reporting. Some conditions require reporting to public health authorities. In the P2P model, reporting depends on the healthcare provider sharing specific data with the authority's identity. The obligation is the same — the mechanism is different.
Record Integrity. A patient shouldn't be able to modify a doctor's notes. But can a patient selectively hide unfavorable records when seeking a second opinion? Is that their right, or is it dangerous? This is an ethical question, not a technical one.
Historical Data. Patients accumulate decades of medical data. Device storage and sync become significant. Medical imaging alone is gigabytes per scan. This is a scale problem, not an architectural one.
Identity Loss. What happens if a patient loses access to their identity? Medical records can't be "reset." Recovery mechanisms need to be robust enough for irreplaceable data.
Transition. Billions of medical records exist in central systems today. Any realistic path forward must include a way to export from the old model and import into the new one.
Device Trust. Medical devices must meet rigorous standards. An MRI machine's identity needs to be attestable — not a spoofed identity producing fabricated results.

Conclusion

The healthcare system stores the most intimate data about human beings in centralized databases protected by passwords and policies. The security industry built around these databases is an admission that the architecture is wrong. You don't need guards around a vault if the valuables are in the owner's pocket.

The P2P model puts medical records back in the patient's pocket. Data flows only where the patient sends it. Doctors, labs, pharmacies, and devices communicate directly through cryptographic identities.

The patient's oath-bound doctor no longer has to choose between honoring confidentiality and using the tools they're given — because the tools enforce confidentiality by design.