The Healthcare Network

PHI doesn’t belong on
someone else’s tunnel.

CH VPN is Conceptual Health®’s clean-room enterprise mesh tunnel. Built for 10,000 clinics. Tuned for HIPAA. Certificate-rotated every 24 hours. No third-party brand under our wire.

Protocol: CH-VPN/1.0
Handshake: 1-RTT
Throughput: 100+ Mbps per peer
Crypto path: FIPS 140-3

Topology

Three planes.
One protocol.

CH VPN deploys as a federated hub-and-spoke with mesh bridges. The unit of administration is the tenant. The unit of trust is the certificate. Each plane has its own purpose, its own scale ceiling, and its own rotation cadence.

Hub plane: terminates peer sessions
  Patient device (24h) · Clinician laptop (24h) · Clinic Hub (7d)
Mesh plane: inter-clinic bridges
  Clinic A · Clinic B · Clinic C, policy via Authority
Corporate plane: anycast egress
  Clinic Hub → CH Corporate Gateway (anycast) → Audit · telemetry · backup

Peer Taxonomy

Six roles.
Six rotation cadences.

Every peer is one of six canonical roles. Each role has its own provisioning path, its own rotation schedule, and its own telemetry shape. The Authority enforces the difference.

Role                             Platform                Rotation  Plane            Per tenant
CHPeerRole.PatientDevice         iOS · Android           24h       hub              1,000–20,000
CHPeerRole.ProviderPhone         Android (Device-Owner)  24h       hub              10–200
CHPeerRole.ClinicianLaptop       macOS · Windows         24h       hub              5–50
CHPeerRole.ClinicHubNode         Linux (systemd)         7d        hub + mesh       1–4 / site
CHPeerRole.CorporateGateway      Linux (HSM cluster)     30d       corporate        ~30 global
CHPeerRole.SpecialistContractor  macOS · Windows         8h        hub (federated)  1–1,000

Cryptography

Public primitives.
Clean-room implementation.

CH VPN uses public cryptographic primitives. The handshake is an IK-pattern Noise construction. The data channel uses authenticated encryption with associated data. The selection is auditable, modern, and ready to migrate to post-quantum primitives when standards land. Every line of crypto code is ours. We ship no third-party brand.

Purpose            Default mode         FIPS 140-3 mode
Diffie-Hellman     X25519               P-384 ECDH
AEAD cipher        ChaCha20-Poly1305    AES-256-GCM
Hash               BLAKE2s-256          SHA-384
MAC                BLAKE2s-MAC          HMAC-SHA-384
KDF                BLAKE2s-HKDF-lite    HKDF-SHA-384
Handshake pattern  Noise IK             Noise IK

Scale

The numbers,
on the record.

No mystery. No marketing math. These are the design ceilings and operating envelopes documented in the protocol spec.

Clinic Scale: 10,000+. Designed for the entire CH clinical fleet.
Concurrent Peers: 1M+. Geographically sharded. Anycast corporate gateways.
Cert Rotation: 24h. All endpoint certs expire daily. Zero long-lived secrets.
Handshake (1-RTT): <100ms. Warm cache. Healthy LTE. Wall-clock to first byte.
Per-Peer Throughput: 100+ Mbps. ChaCha20-Poly1305 on a low-power Android handset.
Emergency Revoke: <10s. Authority-pushed EmergencyRevoke fan-out.
Long-Lived Secrets: 0. No static keys persisted on any end-user device.
Crypto Path: FIPS 140-3. Pluggable validated module for federal deployments.

Defense in Depth

Four layers.
Every one of them ours.

The tunnel is the floor. Above it: services authenticate. Above that: the Authority decides who is who. Above that again: an audit chain that survives compromise of any single layer. Each layer is implemented by Conceptual Health. Each layer is reviewed independently.

01 Tunnel layer
Mutual authentication via Noise IK with peers identified by long-term X25519 static keys, themselves bound to a short-lived CH Certificate. ChaCha20-Poly1305 AEAD with a counter-mode nonce. 16-byte header, 16-byte MAC.
02 Service layer
Application-level authentication on top of the tunnel. Each clinical service (EHR, lab, pharmacy) presents its own auth context. The tunnel provides confidentiality; the service provides authorization.
03 Authority layer
CH Authority issues short-lived peer certificates and enforces tenant policy. Geographically sharded for failover. Compromised peers revoked centrally in under ten seconds.
04 Audit layer
Tamper-evident HMAC-SHA256 chain. Every peer enrollment, every rotation, every revocation is signed and chained. Replays are detected. Forks are detected. Forensic reconstruction is exact.
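To make the audit-layer guarantees concrete, here is an added Python sketch (not Conceptual Health's code) of an HMAC-SHA256 event chain in which each record's MAC covers its sequence number, the previous record's MAC and the event itself; a walk from genesis catches edited, replayed or dropped records, while a fork only shows up when checked against a head the verifier already remembered. The key, peer names and event shape are assumptions for the demo.

```python
import hashlib
import hmac
import json

AUDIT_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: real key lives in the Authority HSM
GENESIS = "00" * 32  # prev-MAC value that the first entry chains to

def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so every platform MACs exactly the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append_event(chain: list, key: bytes, event: dict) -> dict:
    """Append one event; its MAC covers seq, the previous entry's MAC and the event."""
    body = {"seq": len(chain), "prev": chain[-1]["mac"] if chain else GENESIS, "event": event}
    entry = dict(body, mac=_mac(key, body))
    chain.append(entry)
    return entry

def verify_chain(chain: list, key: bytes) -> tuple:
    """Walk from genesis; returns (ok, reason). Catches edits, replays, drops and reorders."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: entry[k] for k in ("seq", "prev", "event")}
        if not hmac.compare_digest(_mac(key, body), entry["mac"]):
            return False, f"bad mac at {i}"        # edited or forged entry
        if body["seq"] != i or body["prev"] != prev:
            return False, f"chain break at {i}"    # replayed, dropped or reordered entry
        prev = entry["mac"]
    return True, "ok"

def is_fork(chain: list, checkpoint: tuple) -> bool:
    # A verifier that remembered an earlier head (seq, mac) spots a rewritten history.
    seq, mac = checkpoint
    return seq < len(chain) and not hmac.compare_digest(chain[seq]["mac"], mac)

def demo() -> dict:
    chain, peer = [], "patient-0001"
    for kind in ("enroll", "rotate", "revoke"):
        append_event(chain, AUDIT_KEY, {"type": kind, "peer": peer})
    checkpoint = (2, chain[2]["mac"])                   # head the verifier last saw
    replayed = chain[:2] + [chain[1]] + chain[2:]       # rotation record re-inserted
    tampered = json.loads(json.dumps(chain))
    tampered[1]["event"]["type"] = "enroll"             # rotation rewritten in place
    fork = chain[:2]                                    # alternate history from seq 2
    append_event(fork, AUDIT_KEY, {"type": "rotate", "peer": "clinic-hub-07"})
    return {"valid": verify_chain(chain, AUDIT_KEY), "replayed": verify_chain(replayed, AUDIT_KEY),
            "tampered": verify_chain(tampered, AUDIT_KEY),
            "fork_valid_alone": verify_chain(fork, AUDIT_KEY)[0],
            "fork_detected": is_fork(fork, checkpoint)}
```

The fork case is the instructive one: the alternate history verifies cleanly on its own, so a per-chain walk is not enough and verifiers must pin the last head they accepted.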

Platforms

One protocol.
Six platforms.

Each client is a clean-room implementation of the same wire format. Same crypto core. Same authority protocol. Same audit shape. Per-platform identifiers from the brand spec.

iOS
com.conceptualhealth.vpn.client
NetworkExtension provider. Swift framework: CHVPN. Per-app and full-tunnel modes.
Android
com.conceptualhealth.vpn
VpnService backend. AAR module: CHTunnelService. Device-Owner and patient-app variants.
macOS
com.conceptualhealth.vpn.mac
SystemExtension provider. Pinned to clinician laptops via MDM.
Windows
CHVPNService
WFP callout driver + user-mode agent. Auto-rotation via Windows scheduler.
Clinic node
ch-vpn-clinic.service
Linux systemd daemon. Hub-and-bridge dual mode. Designed for clinic-server hardware.
Authority
ch-vpn-authority.service
Python/FastAPI microservice. Cert issuance, policy, rotation, audit fan-out.
HIPAA §164.312(e)(1) · BAA Available · FIPS 140-3 Path · Zero-Trust · 24h Cert Rotation · HMAC-Chained Audit · 10,000-Clinic Scale