Healthcare runs on data. But the way we handle that data is broken.
Every time a hospital adopts a new scheduling app, a clinic integrates a billing service, or a consortium shares patient histories, they are surrendering data. They hand over complete patient records, relying on vendor promises and Business Associate Agreements (BAAs) to keep that data safe.
But policy is not protection. A BAA does not stop an autonomous AI billing agent from reading a patient's psychiatric history when it only needs a billing code. A SOC 2 compliance certificate only proves you had a policy; it does not enforce that policy at runtime.
This is the assumed trust model. It is exactly why the U.S. Department of Health and Human Services recorded more than 364 hacking incidents targeting healthcare organizations in 2025 alone. We are relying on promises instead of architecture.
At Baur Software, we built the Principal Agent Protocol (pap://) to replace assumed trust with cryptographic proof. It is a zero-trust infrastructure that ensures AI agents and digital systems access only the exact data they need — nothing more.
Here is how pap:// transforms healthcare data security across every level of the system, from single offices to federal agencies.
The Single Office: Stopping the Data Bleed
Consider a small private practice — a local dermatologist or a family physician. They do not have a dedicated IT security team. They rely on third-party SaaS platforms for scheduling, billing, and patient communication.
The problem: When a patient books an appointment online, the scheduling agent often requests full access to the patient's demographic and insurance profile. If the scheduling platform is compromised, the attacker gains access to all data it stores. The practice is exposed.
The pap:// solution: With pap://, the patient (or the practice acting on their behalf) issues a mandate — a cryptographically signed permission slip. It uses Selective Disclosure JWTs (SD-JWT) to ensure the scheduling agent receives exactly what it needs: a name, an appointment time, and an insurance ID.
The agent never sees the patient's medical history. It never sees their full social security number. If the scheduling platform is breached, the blast radius is contained to those specific, isolated fields. Furthermore, every interaction generates a cryptographic receipt. The practice can prove exactly what data was accessed and when, without storing the data itself in the receipt.
The Clinic: Enforcing Boundaries in Multi-Agent Workflows
Clinics operate in a more complex environment. They have triage nurses, specialists, billing departments, and external labs. They increasingly use AI agents to automate these workflows.
The problem: An AI agent handling medical billing needs to cross-reference a diagnosis code with an insurance policy. In current systems, this agent is often granted read access to the entire Electronic Health Record (EHR) database. This is a massive HIPAA violation waiting to happen. It violates the principle of minimum necessary access, but legacy systems lack the granularity to enforce it dynamically.
The pap:// solution: pap:// introduces the concept of the Request Boundary. A billing agent operates under a specific mandate: [Scope: billing.process]. When it queries the EHR, the protocol structurally prevents it from seeing clinical notes or psychiatric evaluations.
If a rogue script or a compromised sub-agent attempts to escalate its privileges, the protocol rejects the request. A child's request can never exceed its parent's scope. The clinic maintains strict, cryptographically enforced boundaries between departments and external vendors.
The Hospital: Securing the Enterprise Architecture
Hospitals are sprawling digital cities. They integrate hundreds of vendors, connected medical devices, and automated systems. The attack surface is enormous.
The problem: Hospitals are prime targets for ransomware. Attackers exploit weak integration points between systems. When a hospital shares data with an external analytics firm to improve patient outcomes, they typically export massive datasets. Once the data leaves the hospital's servers, control is lost.
The pap:// solution: Baur Software's suite — pap://, Papillon, and Chrysalis — seals the entire stack.
When the hospital needs to share data with an external analysis agent, it uses Papillon, our sandboxed agent workspace. The analysis agent executes in an OS-level isolated environment. Enforced capability constraints (seccomp, pledge) prevent the agent from accessing the hospital's broader network or filesystem.
The hospital issues a continuity token with a strict Time-To-Live (TTL). The external agent can read specific, anonymized fields (e.g., diagnosis_code, treatment_outcome) via SD-JWT. If the hospital revokes access, they delete the token. The revocation is instant and cryptographic. There are no stale API keys left on a vendor's server. The hospital retains absolute control over its data boundaries.
The Consortium: Trustless Interoperability
Healthcare consortia and Health Information Exchanges (HIEs) exist to share data across different hospital networks. Interoperability is the goal, but security is the bottleneck.
The problem: How do two competing hospital networks share patient data securely without exposing their entire databases to each other? Current solutions rely on complex, fragile VPNs and heavy legal frameworks.
The pap:// solution: Transactions in pap:// are handshakes between two mandate chains, not two databases.
When Hospital A needs a patient's history from Hospital B, Hospital A's orchestrator agent sends a request. Hospital B's system verifies the mandate. If approved, Hospital B discloses only the relevant records for that specific patient and encounter.
Because pap:// uses ephemeral session DIDs (Decentralized Identifiers), sessions are not linked to persistent platform identities. The data exchange is secure and precise, and it leaves a co-signed cryptographic receipt that proves the transaction occurred — satisfying audit requirements without creating a centralized honeypot of patient records.
State and Federal: Medicare, Medicaid, and CMS Compliance
At the state and federal levels, the scale of data is staggering. Agencies like the Centers for Medicare & Medicaid Services (CMS) handle the records of millions of Americans.
The problem: Government agencies mandate interoperability (like the CMS-9115-F rule) to liberate patient data. But liberating data across shared agency databases under assumed identities creates significant FedRAMP and CMMC compliance risks. A single compromised credential can expose millions of records.
The pap:// solution: Chrysalis, our federated agent registry, provides the infrastructure for government-scale security. It is a self-hostable, multi-tenant, zero-trust architecture.
Agents registering with Chrysalis use verifiable DIDs and Ed25519-signed advertisements. Every mandate is verified before execution. For Medicare and Medicaid systems, this means autonomous agents processing claims or verifying eligibility operate under immutable, cryptographically signed audit trails.
It is FedRAMP and CMMC-ready by architecture. If a federal agency needs to operate in an air-gapped environment, Chrysalis supports full on-premises deployment. It provides the scale required for national healthcare programs while enforcing the strict, cryptographic boundaries necessary to protect national security and citizen privacy.
Stop Surrendering Data
The healthcare industry cannot afford to treat privacy as an implementation detail or an aspirational policy. The stakes are too high.
Compliance platforms will tell you that you had a policy in place after a breach occurs. Baur Software ensures that a breach cannot occur at the protocol level. We do not hand you a spec sheet; we build the architecture with you, integrating seamlessly with legacy stacks without operational downtime.
Contact Baur Software today to map your three highest-risk agent permission boundaries and see how pap:// can secure your healthcare infrastructure.