Encryption at Rest

Health Gorilla encrypts all stored data using AES-256 to ensure the confidentiality and integrity of clinical and administrative records. This applies to all persistent storage systems, including document storage, structured databases, and backups.

Storage Scope

Data encryption at rest applies to:

  • Patient health records stored in structured FHIR format
  • CCDA and PDF documents stored as Binary resources
  • Diagnostic results and orders
  • System logs and audit records
  • Backup volumes and replication targets

Encryption Implementation

  • All storage volumes are encrypted using AES-256 with strong, rotated keys
  • Keys are managed using secure, access-controlled systems
  • Disk encryption is enforced across all production environments and tenant-specific partitions

Tenant Isolation

Encrypted storage is logically segmented by tenant to prevent unauthorized cross-tenant access. Each tenant’s data is stored with isolated metadata and access policies.

Compliance and Monitoring

Encryption at rest aligns with HIPAA, SOC 2, and NIST 800-53 standards. Encryption status and key management activities are continuously monitored and reviewed by Health Gorilla’s security team.