Transport Security
Health Gorilla requires all API traffic to use secure transport protocols to protect personal health information (PHI) in transit. This means enforcing HTTPS for every request, negotiating TLS 1.2 or higher, and validating the server certificate (trusted chain, matching hostname, not expired) on every connection. You must configure your client to use encrypted channels only, refuse to fall back to plaintext HTTP, and keep sensitive data out of request components that are routinely logged, such as URLs and query strings.
These controls help prevent unauthorized access and tampering on the wire, keep PHI and credentials encrypted in transit between your system and Health Gorilla endpoints, and support compliance with HIPAA and SOC 2 requirements.
Required Security Settings
To ensure secure transmission of protected health information (PHI) and enforce endpoint integrity, configure your system with the following settings:
- Use HTTPS for all token requests and API calls, including the OAuth token endpoint
- Negotiate TLS 1.2 or higher; disable SSLv3, TLS 1.0 and TLS 1.1 in the client
- Validate the server certificate on every connection: trusted chain, hostname match, and validity period (never disable verification, even in test environments)
- Block HTTP and other insecure transport methods so a misconfigured URL fails rather than silently downgrading
- Never place PHI, access tokens, or client secrets in query strings or URL paths; send credentials in the Authorization header and PHI in the request body, since URLs end up in proxy, server and browser logs
- Monitor certificate expiration and renew certificates well before expiry
- Use endpoint security scanners to detect TLS misconfiguration or vulnerabilities
These settings apply to all environments and must be in place before production access is granted.
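The checks listed above, implemented for a Python client, as an added example that is not part of the Health Gorilla documentation or SDK. It builds a TLS context that refuses anything below TLS 1.2 and requires chain and hostname validation, rejects request URLs that use a non-HTTPS scheme or carry credentials or PHI-like parameters in the query string, and computes how many days remain on a server certificate so renewal can be scheduled. The base URL `api.example.com`, the `SENSITIVE_QUERY_KEYS` list and the sample `notAfter` value are assumptions chosen for illustration; the certificate date format is the one returned by `ssl.SSLSocket.getpeercert()`.

```python
import ssl
import time
import urllib.request
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical API host used only for illustration (not a Health Gorilla endpoint).
API_BASE = "https://api.example.com"

# Parameter names that must never appear in a query string. Assumed list; extend
# it with any field your integration treats as PHI or as a credential.
SENSITIVE_QUERY_KEYS = {
    "access_token", "token", "client_secret", "password",
    "ssn", "dob", "patient", "mrn",
}


def build_tls_context() -> ssl.SSLContext:
    """TLS context enforcing the required transport settings.

    create_default_context() already loads the system CA store, sets
    CERT_REQUIRED and enables hostname checking; the minimum version is
    raised so SSLv3, TLS 1.0 and TLS 1.1 can never be negotiated.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def validate_request_url(url: str) -> List[str]:
    """Return a list of policy violations for a request URL (empty when clean)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"insecure scheme {parts.scheme!r}; only https is allowed")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL userinfo")
    for key in parse_qs(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_QUERY_KEYS:
            problems.append(
                f"sensitive parameter {key!r} in query string; "
                "send it in a header or the request body instead"
            )
    return problems


def days_until_expiry(not_after: str, now: Optional[float] = None) -> float:
    """Days remaining on a certificate.

    not_after uses the getpeercert() 'notAfter' format, e.g. "Jan  1 00:00:00 2030 GMT".
    """
    expiry = ssl.cert_time_to_seconds(not_after)  # UTC epoch seconds
    now = time.time() if now is None else now
    return (expiry - now) / 86400


def certificate_needs_renewal(not_after: str, warn_days: int = 30,
                              now: Optional[float] = None) -> bool:
    """True when the certificate expires within warn_days (schedule renewal)."""
    return days_until_expiry(not_after, now) < warn_days


def secure_get(url: str, bearer_token: str, timeout: float = 10.0) -> bytes:
    """GET the URL over TLS 1.2+ with the token in the Authorization header.

    Raises ValueError before any network traffic if the URL violates policy,
    so a misconfigured http:// URL fails closed instead of downgrading.
    """
    problems = validate_request_url(url)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {bearer_token}",
        "Accept": "application/fhir+json",
    })
    with urllib.request.urlopen(req, timeout=timeout,
                                context=build_tls_context()) as resp:
        # Certificate expiry check on the live connection, if the socket is exposed.
        cert = getattr(resp.fp.raw, "_sock", None)
        if cert is not None and hasattr(cert, "getpeercert"):
            peer = cert.getpeercert()
            if peer and certificate_needs_renewal(peer["notAfter"]):
                print("warning: server certificate expires within 30 days")
        return resp.read()


if __name__ == "__main__":
    print(validate_request_url(f"{API_BASE}/oauth/token?client_secret=abc"))
    print(validate_request_url(f"{API_BASE}/fhir/Patient/123"))
```

`validate_request_url` is cheap enough to run on every outgoing request; wiring it into your HTTP client as a pre-send hook turns the "block insecure transport" and "no PHI in query strings" rules into hard failures rather than review items. The peer-certificate check in `secure_get` reads a private attribute of the urllib response and is best-effort; a scheduled job that inspects the certificate with `ssl.get_server_certificate` and feeds `days_until_expiry` is the more reliable way to monitor expiry.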