Home / Technology / Your Patients’ X-Rays Are on WhatsApp. Here’s a Secure Alternative Clinics Can Run Themselves.

Your Patients’ X-Rays Are on WhatsApp. Here’s a Secure Alternative Clinics Can Run Themselves.

Spread the love

Clinical communication quietly migrated onto consumer messengers. A self-hosted, end-to-end encrypted messaging framework offers a third option between a six-figure enterprise contract and nothing — where the server provably cannot read a consultation, and no administrator can open a doctor-patient thread. An honest look at what it does, and the four things it doesn’t.

Secure messaging for doctor-patient and doctor-doctor communication, on infrastructure the practice controls.

Ask a doctor how they sent a colleague that X-ray last week and you’ll usually get a sheepish answer: WhatsApp. Ask how the patient sent the photo of their healing wound, and it’s the same. Clinical communication has quietly migrated onto consumer messengers — because they’re free, everyone has one, and they work.

They’re also a confidentiality problem hiding in plain sight. Patient images and clinical discussions end up on a third party’s servers, in another jurisdiction, on personal phones, in the same app as family group chats. The clinic doesn’t control where the data lives, how long it’s kept, or who could be compelled to hand it over. Most practices know this. They keep doing it anyway, because the compliant alternative was a six-figure enterprise contract or nothing at all.

There’s a third option worth knowing about: a self-hosted, end-to-end encrypted messaging framework you run yourself. VBWD‘s messaging plugins — meinchat and meinchat-plus — are open, source-available components designed for exactly this shape of problem. Here’s an honest look at what they do, and just as importantly, what they don’t.

What “end-to-end” actually means here

The claim that matters, stated plainly in the project’s own documentation: the server holds no keys and never encrypts or decrypts. Clients encrypt. The server checks that the sealed envelope is a legal shape and size, stores it, passes it on, and tracks delivery. That’s its entire role.

Read that again from a clinic’s perspective. It means your own server administrator cannot read a consultation. Neither can your hosting provider. Neither can anyone who obtains a copy of the database. The confidentiality doesn’t rest on a promise or a policy — it rests on the server not possessing the keys.

The encryption is a Signal-style double ratchet, the same broad design used by the messaging apps with the strongest privacy reputations. Around it sit the details that separate a real implementation from a demo: signed and one-time prekeys, so you can send a message to a colleague who’s offline and it decrypts correctly when they open their phone; padding of messages to fixed blocks, so an observer watching the traffic learns a message’s length only to within a block rather than exactly; a downgrade defence, so a client that demanded encryption refuses an answer that arrives unencrypted; and support for a second device, with biometric pairing on iOS.

One point of precision, because in security an imprecise claim is a false one: base meinchat is not end-to-end encrypted. It encrypts the message cache stored on the device, but the messages themselves pass through the server readable. End-to-end encryption comes from enabling meinchat-plus, a separate plugin that layers on top. For clinical use, that plugin isn’t optional — it’s the point.

Privacy that’s built in rather than promised

Three design decisions stand out for anyone handling patient information.

There is no way for an administrator to read conversations. The admin panel lets you manage nicknames, ban abusive accounts, and audit transfers. There is no screen anywhere that opens a doctor-patient thread. That’s not a permission you switch off — the feature doesn’t exist. A practice manager cannot read a consultation even if they want to.

Retention is short by default and yours to set. Server-side messages default to a two-day window, with a nightly job that hard-deletes them — no tombstones, no soft-delete graveyard quietly retaining what you thought was gone. Set it to zero and the server becomes effectively amnesic. That’s data minimisation as a default rather than an afterthought.

It runs on your infrastructure. Self-hosting means the data sits in a jurisdiction you chose, on hardware you control, with no third-party processor in the middle. For European practices weighing data-residency obligations, that’s a structurally different position from “a US vendor promises to store it in Frankfurt.”

What it fits: the conversation, not the consultation

Being clear-eyed about the shape of the tool matters more than listing features. meinchat has no video and no voice. It is text and images. It is not a video-visit platform, and if live consultations are what you need, this is the wrong tool and you should look elsewhere.

What it is good at is the enormous volume of clinical communication that isn’t a video visit:

  • Doctor-to-patient follow-up — post-op check-ins, “does this look infected?”, medication questions, triage before a visit is booked. Photos travel as client-encrypted attachments.
  • Doctor-to-doctor consults — the eConsult: a GP asking a dermatologist to glance at an image, a specialist second opinion, the informal question that currently happens over a consumer messenger.
  • Multidisciplinary team discussion — group rooms for case conversations across a care team.
  • Intake from someone who isn’t a patient yet — a public widget where a guest can start a conversation without an account.

Clinicians use web, iOS, or Android against the same backend, so the phone in a doctor’s pocket and the browser at reception are the same system, with one set of rules.

The bots — for admin, not diagnosis

The platform ships a bot framework that plugs into the messenger, and it’s worth understanding what’s appropriate here. A bot can answer questions grounded in your own documents — opening hours, preparation instructions, insurance and billing questions, what to bring — using full-text search over a corpus you supply. Notably, retrieval runs inside your own database: your document corpus isn’t shipped to an external search service.

There’s a hard safety boundary to state out loud. A retrieval bot answering “when should I stop eating before my procedure” is an administrative tool. It is not a diagnostic one, and it must never be presented to a patient as clinical advice. Triage and symptom assessment are regulated clinical activities with real consequences when they go wrong. Use the bot to take load off reception, not off the clinician.

One architectural detail deserves credit. The bot’s search can read your catalogue of services — and the platform’s core registry hard-blocks user records and invoices from ever being searchable, by refusing the registration outright. A bot cannot be misconfigured into searching your patient list or their billing, because there is no code path that would allow it.

The honest limits — read this part

Anyone selling you software for healthcare should tell you where it stops. So:

This is not a compliance product, and no software is. End-to-end encryption and self-hosting are strong technical foundations, but HIPAA, GDPR, or MDR compliance is an organisational achievement, not a feature you install. You’d still need your data protection impact assessment, your processor agreements, your access policies, staff training, and an audit trail. The software is a building block. Your practice remains the data controller and carries the responsibility.

This is not a certified medical device, and nothing here is validated for clinical decision-making.

The messenger must not be your medical record. This one is easy to get wrong and important to get right. Medical record-keeping laws require retaining records for years; this messenger defaults to deleting messages after days, deliberately, for privacy. Those two facts only coexist if you’re clear about roles: the record of truth is your EMR, and anything clinically significant gets documented there. The messenger is the conversation channel, not the chart. Treating a disappearing chat as a clinical record is how practices get into trouble.

Real encryption cuts both ways. If the server can’t read messages, the server also can’t recover them. A clinician who loses their device loses that history. That’s the honest cost of the guarantee, and any vendor offering both perfect confidentiality and full admin recovery is not offering the first one.

Self-hosting is real work. Someone patches the server, takes the backups, and holds the keys to the infrastructure. A practice without IT capability may genuinely be better served by a managed vendor with a signed agreement — and that’s a legitimate answer, not a failure.

Why it’s interesting anyway

The reason this matters isn’t that it’s free — it’s that the trade-off clinics have been living with was always false. The choice was never “consumer messenger or nothing.” It was that the alternatives were priced and packaged for hospital systems, so smaller practices used WhatsApp and hoped.

A source-available framework where the server provably cannot read your patients’ messages, where retention is yours to set, where no administrator can open a consultation, and where the data never leaves your jurisdiction is a different starting point. It doesn’t make you compliant, and it doesn’t do video. But for the everyday traffic of modern care — the photo, the follow-up question, the quick word with a colleague — it is a considerably better foundation than the app your patients also use to send memes.

The messaging plugins are source-available under the platform’s licence and free for commercial use below a defined revenue threshold. Technical details are in the developer documentation and the architecture overview; the source is on GitHub.

General information for practice and technology decision-makers, not legal, regulatory, or medical advice. Compliance obligations vary by country and speciality — consult your data protection officer and legal counsel before deploying any system that handles patient information.

Tagged:

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.