Ghost Pipe — Healthcare Brief
Patient data transfer has an architectural flaw. Ghost Pipe fixes it.
Patient data transferred between healthcare providers passes through servers that store it — even briefly. Each storage point is a breach surface. Every vendor who touches the data in transit is a processor relationship requiring DPA coverage. Ghost Pipe eliminates the storage layer: the relay is a conduit, not a server. Nothing remains after delivery.Chipsoft, April 2026: Patient portal traffic potentially exposed because data was routed through vendor servers. This is not an implementation error — it is an architectural one. The standard model for healthcare data exchange requires storage. Ghost Pipe does not.
The PACS scan, the referral letter, the lab result — encrypted on the sender's device, delivered to the recipient, destroyed on arrival. Nothing remains on the relay. Not the filename. Not the patient ID. Not the key. Not the file.
The relay is RAM-only. A full compromise of the relay server yields zero patient data.
Because the relay holds no plaintext and no decryptable content, the processor relationship under GDPR Article 28 is minimal. For self-hosted deployments, the healthcare organisation is both controller and processor — no third-party DPA required.
Standard DPA available at paramant.app/dpa for managed relay use.
Architecture & DICOM Workflow
Sender gets a one-time link. Forwards link to specialist. Specialist downloads once — file burns.
Receiver daemon auto-forwards decrypted DICOM to local PACS. No manual download step.
Every transfer produces a cryptographic receipt. Verifiable by the sender, the receiver, and independent auditors without accessing the content.
DICOM (.dcm), HL7 FHIR bundles, PDF reports, any file format. The relay is format-agnostic — it handles ciphertext only.
For patient-facing document delivery (lab results, discharge letters): sender uploads via paramant.app/send — no account required. Patient receives a one-time link by email or message. Clicks once, file downloads and burns. Compliant with GDPR Article 6(c) (legal obligation) and Article 9(2)(h) (medical treatment).
NEN 7510 Compliance Matrix
The table below maps NEN 7510:2017+A1:2020 security controls to Ghost Pipe protocol properties. Full documentation at paramant.app/compliance/nen7510.
| Control | Title | Ghost Pipe implementation | Status |
|---|---|---|---|
| §10.1 | Cryptographic controls | ML-KEM-768 client-side encryption. Relay never holds decryption key. Post-quantum: retroactive decryption of captured traffic is computationally infeasible. | ✓ |
| §8.2 | Information classification | No patient data stored on relay. Only cryptographic hashes (SHA-256 of ciphertext) in CT log. Classification risk eliminated at architecture level — no storage policy required for relay. | ✓ |
| §12.4 | Logging and monitoring | Every transfer produces a Merkle CT log entry. Tamper-evident, publicly verifiable at paramant.app/ct. Exportable for SIEM integration and AP/NZa audit requirements (JSON + CSV). | ✓ |
| §13.2 / NEN 7512 | Secure health data exchange | DICOM transport documented and tested. ML-DSA-65 relay authentication (post-quantum signatures). TOFU fingerprint verification for sender-receiver identity binding. No TTP required. | ✓ |
| §18.1 / GDPR | Legal compliance | Hetzner DE: German law, no US CLOUD Act, no data outside EEA. GDPR Art. 28 DPA available on request. Self-hosted: no processor relationship — healthcare org is sole controller. | ✓ |
| §9.4 | Access control | Per-device API keys, per-key revocation. Device identity registry via /v2/did/register. Audit trail per key. No shared credentials. |
✓ |
| §14.1 | Security in development | BUSL-1.1 source available. Independent security audit (RAPTOR, April 2026), all findings resolved. Public CT log enables external verification of relay behaviour. | ✓ |
TLS 1.3, strong cipher suites. Ghost Pipe does not provide DigiD authentication — this remains with the existing EPD/portal layer. DigiD coupling for patient identity requires separate assessment by the Logius/BRP integration layer.
Compliance documentation maps Ghost Pipe capabilities to NEN 7510 controls. It is not a third-party certification. Organisations seeking formal NEN 7510 certification should engage an accredited auditor. Paramant can provide documentation input and technical clarification.
Pricing, DPA & Contact
GDPR Article 28 DPA available at paramant.app/dpa. Covers: processing purposes, security measures, sub-processor list (Hetzner DE only), retention (zero — RAM-only), deletion procedures.
Can be signed online. Negotiated DPA available for Enterprise.
If your organisation runs its own relay server, you are both controller and processor. No DPA with Paramant is required. The BUSL-1.1 license is the only applicable agreement.
This eliminates the third-party processor risk entirely.
Independent RAPTOR security audit completed April 2026. All critical and high findings resolved. Full report available to qualified healthcare prospects on NDA. Source code: github.com/Apolloccrypt/paramant-relay — every line auditable.
Community self-hosted (BUSL-1.1): free forever, up to 5 users. Your server, your data, no third-party processor relationship.
Managed relay trial: paramant.app/request-key
(name + email + use case → trial key by email in <60 seconds)
Self-hosted: docker pull mtty001/relay:latest
Full guide: paramant.app/docs#self-hosting
DICOM integration guide: paramant.app/dicom
NEN 7510 documentation: paramant.app/compliance/nen7510
DPA: paramant.app/dpa
Enterprise / custom DPA: privacy@paramant.app