Compliance & Assurance
HIPAA-bound.
Federal-ready.
CH VPN was designed for the regulated healthcare network from day one. Encryption in transit. Tamper-evident audit. Zero long-lived secrets. Every assurance posture is a design decision, not a compliance retrofit.
HIPAA
§164.312(e)(1)
encryption in transit.
The HIPAA Security Rule transmission-security standard requires technical safeguards that protect electronic PHI in transit. CH VPN is designed end-to-end against §164.312(e)(1) and the addressable specifications under it. A standard BAA is available at engagement.
FIPS 140-3
Validated path.
The crypto module is pluggable. The default ChaCha20-based suite ships everywhere. The FIPS 140-3 module is selectable at deployment time and uses validated AES-256-GCM, P-384 ECDH, SHA-384, and HKDF-SHA-384. Required for FedRAMP and DoD evaluation.
Zero-Trust
By design.
No static long-lived secrets. Every endpoint holds a short-lived CH Authority-issued certificate, rotated every 24 hours for patient devices, every 7 days for clinic hub nodes, every 30 days for corporate gateways (HSM-backed). Compromise of any single credential is bounded by its rotation window.
Audit
HMAC-SHA256 chain.
Every peer enrollment, every rotation, every revocation is signed and chained. The chain is tamper-evident: any insertion, deletion, or reordering breaks the HMAC. Forensic reconstruction is exact. Audit can be exported to customer-owned storage or retained in CH corporate.
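An added example, not CH VPN's own code, of an HMAC-SHA256 chain of the kind described above: each record's tag covers the previous record's tag, so insertion, deletion and reordering fail verification. The record layout, genesis value, function names, sample events and demo key are assumptions; it also shows that noticing records dropped from the end of the chain requires the latest tag to be stored outside the log.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed chain start value, not from the page
DEMO_KEY = b"constructed-demo-key-not-for-use"  # constructed sample key


def record_tag(key, prev_tag, seq, event):
    # Canonical JSON: the same event always serialises to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + seq.to_bytes(8, "big") + body,
                    hashlib.sha256).digest()


def append(chain, key, event):
    """Append an event, binding it to the previous record's tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "event": event,
                  "tag": record_tag(key, prev, seq, event)})


def verify(chain, key, expected_head=None):
    """Return (ok, index of the first bad record or None).

    expected_head is the last tag as recorded outside the log; without it,
    records dropped from the end of the chain go unnoticed.
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        good = record_tag(key, prev, i, rec["event"])
        if rec["seq"] != i or not hmac.compare_digest(good, rec["tag"]):
            return False, i
        prev = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(chain)
    return True, None


def sample_chain(key):
    """Constructed sample events: enrollment, rotation, revocation."""
    chain = []
    for event in ({"type": "enroll", "peer": "patient-01"},
                  {"type": "rotate", "peer": "patient-01"},
                  {"type": "revoke", "peer": "hub-07"},
                  {"type": "enroll", "peer": "patient-02"}):
        append(chain, key, event)
    return chain
```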
Certifications
Where we stand.
We publish the truth, not the aspiration.
FDA
Non-device.
CH VPN is networking infrastructure. It carries PHI; it does not interpret it, alter it, or make clinical decisions about it. It is out of scope for FDA medical-device regulation.