TL;DR: Federal and state policy signals are pushing healthcare toward patient-controlled wallets built on W3C-DIDs and verifiable credentials, reducing reliance on centralized identity databases and limiting unnecessary data exposure, according to 1Kosmos. The governance shift is not optional anymore: existing IAM models built around institution-owned identity silos will not scale cleanly to wallet-mediated access.
NHIMG editorial — based on content published by 1Kosmos: W3C-DID health wallets and the future of healthcare identity
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should healthcare organisations prepare for W3C-DID health wallets?
A: Start by identifying where identity proofing, authentication, and record access are still tied to central databases.
Q: Why do central identity databases create risk in healthcare?
A: Because they concentrate identity evidence, repeated verification logic, and access decisions in one place.
Q: What do healthcare teams get wrong about digital identity wallets?
A: They often treat wallets as a front-end convenience layer instead of a new trust model.
Practitioner guidance
- Inventory identity data that is still centrally retained Map where patient, clinician, and partner identity evidence is stored, duplicated, or reverified across portals, exchanges, and clinical systems.
- Design for claim-level disclosure Define which healthcare workflows only need one verified attribute, such as coverage, licence, or immunisation status.
- Build revocation and recovery paths before wallet rollout Establish how a compromised, lost, or reissued credential will be revoked, re-provisioned, and re-bound to the right person across relying parties.
What's in the full article
1Kosmos's full blog post covers the operational detail this post intentionally leaves for the source:
- Federated healthcare identity flows, including how W3C-DIDs and verifiable credentials fit into TEFCA and Individual Access Services.
- Vendor-specific architecture details for wallet-based identity proofing, biometric binding, and credential presentation.
- Implementation examples for healthcare use cases such as EPCS verification, patient record access, and staff onboarding.
- Standards alignment detail for HIPAA, NIST 800-63-4, and California's digital identity direction.
👉 Read 1Kosmos's analysis of W3C-DID health wallets and healthcare identity →
W3C-DID health wallets: what they mean for IAM and HIPAA?
Explore further
Centralised identity databases are the wrong trust anchor for healthcare. The article is right to frame the hospital identity repository as the liability, not just the target, because central storage creates both breach concentration and repetitive verification overhead. In healthcare, the real weakness is the assumption that the institution must remain the permanent custodian of identity evidence. That assumption is already being challenged by wallet-based exchange, so practitioners should treat central identity silos as a governance debt to unwind.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, which shows how quickly unmanaged identity exposure becomes a business issue.
A question worth separating out:
Q: How do wallet-based credentials change HIPAA-oriented access design?
A: They push teams toward stronger proofing, less data retention, and narrower disclosure at the point of access. That is consistent with HIPAA’s minimum necessary principle and with reducing unnecessary identity storage. IAM teams should evaluate whether each workflow really needs a retained record or only a verified claim.
👉 Read our full editorial: W3C-DID health wallets are reshaping healthcare identity governance