The document outlines HIPAA regulations and compliance requirements for Google Cloud Platform (GCP), emphasizing the shared responsibility between Google and its customers. It details key HIPAA rules, responsibilities for protecting personal health information, and compliance frameworks applicable to GCP, including necessary agreements like the business associate agreement (BAA). Additionally, it discusses best practices for using GCP and G Suite to ensure HIPAA compliance and protect sensitive healthcare data.

1. HIPAA Workloads on GCP
Ran Rothschild, Managing Director, CloudZone

2. Agenda
1. HIPAA in general
2. Achieving HIPAA compliance on GCP
3. G Suite and HIPAA

3. Self Proclaimed
There is no certification recognized by the US HHS for HIPAA compliance

4. HIPAA Rules
1. The Security Rule - administrative, technical and physical
safeguards
https://www.hhs.gov/hipaa/for-professionals/security/index.html?
language=es
2. The HIPAA Privacy Rule - focuses on the right of an individual
https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?
language=es
3. Breach Notification Rule - notification following a breach
https://www.hhs.gov/hipaa/for-professionals/breach-notification/
index.html?language=es

5. What is PHI
HIPAA regulations list eighteen different personal identifiers
which, when linked together, are classed as Protected Health
Information
Who has responsibility to protect PHI?
︎Covered Entities︎, ︎Business Associates︎ and ︎sub contractors

6. The 3 Pillars of HIPAA

7. Internal Procedures
and Processes

8. Internal
Procedures
and
Processes
IT
Environments

9. Internal
Procedures
and
Processes
IT
Environments
Constant
up2date

10. Achieving HIPAA Compliance
on GCP

13. GCP Compliance
• SSAE16 / ISAE 3402 Type II (including SOC2 & 3)
• ISO27001, 27017, 27018
• FedRamp
• PCI-DSS
• HIPAA
Google Cloud Platform supports HIPAA compliance (within the scope of a
Business Associate Agreement) but ultimately customers are responsible
for evaluating their own HIPAA compliance

14. Shared Responsibility

15. GCP & HIPAA
1. Sign a BAA
2. Covered services: Google Genomics, Container Registry, Container
engine, compute engine, Cloud SQL, Storage, Dataproc, Dataflow,
Bigtable, BigQuery.
https://cloud.google.com/security/compliance
3. IAM best practices - least privileges, user group, change
management
4. Encryption at rest - by default on GCP
https://cloud.google.com/security/encryption-at-rest/default-encryption/

16. GCP & HIPAA
5. Audit Logs: long term archive and analytics.
5.1. Cloud Storage - GCS Object Versioning (GSUTIL)
5.2. Admin activity log
5.3. Data access logs
5.4. Best practices for Audit Logs
5.4.1. Export destinations BigQuery for analytical / forensic needs
5.4.2. Configure access control
5.4.3. Regularly review audit logs in Stackdriver, BigQuery, or external

17. 1 Cloud!

18. G Suite
(68% of Healthcare Organizations Have Compromised Email
Accounts)

19. G Suite
1. Same compliance and audits of GCP
2. HIPAA compliance & data protection with G Suite
https://static.googleusercontent.com/media/
gsuite.google.com/en//terms/2015/1/
hipaa_implementation_guide.pdf
3. BAA
4. Permitted services - core services
Gmail, calendar, Drive, Hangouts*, Vaults, etc
5. Monitoring account activity
6. Separation of user access
7. Security best practices

20. Internal training

21. Thank You