# Whisper for Health — device identity on the wire for connected medical devices. This is health.whisper.online. The marketing story here is told for the healthcare security team; the /docs library, the console, and the whole system behind it are identical to whisper.online. Read it in full — written so both an agent and a person can act on it. ## The problem it solves Third parties reverse-engineer a health system's connected-device and FHIR APIs, authenticate with a phished credential or a bearer token portable to any IP, and scrape whole patient-population data contract-free — indistinguishable from the real client because it is the client's protocol. The root cause is broken authentication (OWASP API BOLA): the token authenticates a claim, never the machine. Undetectable at the network layer, because the attacker rotates egress across clouds and residential proxies. ## The cure — make it an identity problem Give every medical device a routable IPv6 /128 (from 2a04:2a01::/32, AS219419) DETERMINISTICALLY derived from the hardware key it already holds (secure element / TPM / IEEE 802.1AR IDevID), with the FHIR Endpoint.identifier or device serial as the domain separator. DNSSEC-anchored, DANE-EE pinned, RDAP-registered, verifiable trustlessly with `whisper verify --trustless`. The backend then authorizes on the device's pinned identity, not a stealable token: one IP to thousands of devices becomes impossible, IP rotation is irrelevant, stolen sessions fail, and one revoke kills a compromised device worldwide. Additive to the X.509/mTLS and the SIEM the HDO already runs; complements IEC 62443 / IEC 81001-5-1 / FDA premarket cybersecurity and 802.1AR IDevID, never replaces. ## Pages - / Home — the problem, the cure, and the two structural gaps - /device-api-abuse The device-API-abuse cure, end to end - /platform The three planes + where they fit the stack you already run - /for-hdos For HDO security: SOC/SIEM + clinical-engineering fit, HIPAA / FDA 524B / IEC 81001-5-1 / Health-ISAC - /compare Honest comparison — additive, not a replacement - /pricing Flat, predictable pricing - /docs The full technical documentation (identical to whisper.online/docs) ## Verify it yourself (keyless) whisper verify --trustless dig -x # forward-confirmed reverse DNS curl https://whisper.online/verify-identity/ ## Provision (with a Whisper API key) Control plane: POST https://graph.whisper.security/api/query X-API-Key: whisper_live_xxx CALL whisper.agents({op:'connect', args:{tier:'wireguard', identity_public_key:'', # only the PUBLIC key is sent device_id:''}}) # your native identifier as the domain separator # Derives the device's routable /128 deterministically from its own public key; the # private key never leaves the device. A first-class typed --fhir-id arg is on the roadmap. Console: https://console.whisper.security ## The operator Operator: Whisper Security (viaGraph B.V.), Amsterdam, NL. Network: AS219419, IPv6-only, RPKI-signed, MANRS-compliant. AS219419 announces 2a04:2a01::/32.