The Clock Is Ticking on a Hidden Piece of Health IT Infrastructure
In the next 12–24 months, many healthcare organizations will discover that a certificate they rely on for health information exchange can no longer be renewed. A quiet shift in the global certificate ecosystem will cause connections to fail and ultimately impact the flow of records.
The Quiet Backbone of Data Exchange
When your EHR or integration engine connects to a Health Information Exchange or trading partner, both systems must verify each other before any patient data is exchanged. This process, known as mutual TLS (mTLS), mutual authentication, or two-way TLS, ensures both sides are trusted. This authentication is powered by digital certificates issued by Certificate Authorities like DigiCert, IdenTrust, and Sectigo.
For years, organizations simply purchased these certificates, configured them, and connections ran quietly in the background. Most teams rarely had to think about it, but that’s about to change.
What’s Forcing Organizations to Act
Policy updates to Google’s Chrome Root Program now limit publicly trusted certificates to website (server) authentication only, removing the client authentication capability that mTLS requires.
Deadlines to know for your certificate:
- Original deadline: May 2026
- Updated deadline: March 15, 2027
- Some Certificate Authorities may stop earlier
At the same time, certificate lifetimes are shrinking:
- ~398 days today
- ~200 days by 2026
- ~100 days by 2027
- ~47 days later in the decade
Your organization’s timeline depends on your certificate expiration and your CA’s policy. More renewals mean more chances for failures.
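The two changes above are both visible in the certificate itself: the Extended Key Usage field says whether a certificate can still authenticate a client, and the expiry date says how soon the next renewal is due. The script below is an added example, not part of the original article; it audits a PEM certificate for both, using only the openssl CLI (1.1.1 or later). The two certificates it inspects are constructed, self-signed throwaway certificates generated on the fly so the script runs offline; point `report` at your own trading-partner certificate instead.

```shell
#!/bin/sh
# Added example: audit a PEM certificate used for mTLS. Reports whether the
# certificate still carries the "TLS Web Client Authentication" extended key
# usage that mutual TLS needs, and whether it expires within a chosen renewal
# window. Requires the openssl CLI (1.1.1+ for -addext in the demo section).
set -eu

# Returns 0 when the certificate's Extended Key Usage includes clientAuth.
has_client_auth() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "Extended Key Usage" \
        | grep -q "TLS Web Client Authentication"
}

# Returns 0 when the certificate's notAfter falls within the next $2 days.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Human-readable summary for one certificate and a renewal window in days.
report() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    if has_client_auth "$1"; then eku="clientAuth present"; else eku="NO clientAuth (mTLS client use will fail)"; fi
    if expires_within_days "$1" "$2"; then exp="expires within $2 days"; else exp="valid beyond $2 days"; fi
    printf '%s\n  %s; %s\n' "$subj" "$eku" "$exp"
}

# Constructed demo certificates (self-signed, throwaway keys) so the script
# runs offline. Replace the paths with your own client certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Server-only EKU: the shape a public CA issues once clientAuth is dropped.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
    -out "$WORK/server.pem" -days 30 -subj "/CN=hie-gateway.example.test" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
# Dual-use EKU: the shape today's mTLS connections rely on.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/mtls.key" \
    -out "$WORK/mtls.pem" -days 30 -subj "/CN=hie-gateway.example.test" \
    -addext "extendedKeyUsage=serverAuth,clientAuth" 2>/dev/null

report "$WORK/server.pem" 60
report "$WORK/mtls.pem" 60
```

Run it against each certificate your integration engine presents to a trading partner; a certificate that reports no clientAuth, or one whose renewal window keeps shrinking, is the one that needs a private or managed CA plan before its next renewal.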
How Prepared Is the Industry?
Since late last year, reactions have fallen into three categories:
1. No awareness
Some organizations haven’t heard about the change.
2. Partial solutions
Some organizations adopt tools like AWS Private CA, but without proper CA infrastructure around them (governance, revocation, lifecycle management) the result can function like self-signed certificates, creating risk rather than solving it.
3. Last-minute surprises
Others discovered the issue during renewal with only weeks to respond.
Why You Should Pay Attention Now
If your organization connects to any HIE-based exchange, whether regional, direct peer-to-peer with a health system, a payer, or a local care community, you likely rely on mTLS today and will see impact.
When certificates expire, connections can fail silently, so it is important to know your options and take prompt action.
Your three options to consider:
1. Find a Private CA That Can Issue the Right Certificates
Private Certificate Authorities can still issue mTLS certificates. This model is used by networks like Carequality and eHealth Exchange, but not all private CAs are created equal. Running a CA requires more than software; it involves governance, revocation capabilities, lifecycle management, and audit practices. If you take this route, make sure your provider can clearly demonstrate that operational rigor. Otherwise, you may be introducing risk instead of solving it.
2. Use Your Existing CA's Managed PKI Service
Most commercial CAs are actively pitching this option and it may be your most practical path forward. Your CA provides the infrastructure and expertise to operate a private CA under your organization’s name. You gain control and flexibility without building from scratch, and your vendor handles the complex pieces like key management and revocation.
Many organizations, including QHINs under TEFCA, already follow this approach. The tradeoff is ongoing cost and continued vendor dependency, but for many health systems, it’s a reasonable and scalable path forward.
3. Build Your Own Private CA
Building your own private CA offers the most control and long-term independence, but it’s also the most complex. It requires secure infrastructure, defined policies, revocation capabilities, and a trust framework that trading partners will accept. For large health systems with mature security programs, this can make sense. For most organizations, though, a managed PKI is typically the more realistic starting point.
Don’t Wait for Certificate Failure
mTLS isn’t going away, but the way organizations implement it is. For years, this infrastructure ran quietly in the background. That’s changing. Organizations that plan early will avoid disruptions and keep patient data flowing.
The timeline is uncertain. That’s exactly why now is the time to prepare.
Ready to get started with GetPatientRecords?
Get in touch with one of our interoperability experts.