Thinking about moving some services to the cloud? Let’s look at whether Google Cloud Platform is HIPAA-compliant.
We recently helped a medical company evaluate Google Cloud Platform (GCP) as a disaster recovery site.
Here’s what we found about Google Cloud Platform and HIPAA compliance.
Any company that handles PHI is what’s called a HIPAA Business Associate.
Business Associates must sign a contract that says they will protect a patient’s confidential information.
Google will sign a HIPAA Business Associate agreement. You can’t find the form online -- you’ll need to work with a salesperson to execute an agreement. Expect it to take a week or two.
Google spells out exactly which services can be used to hold PHI on their HIPAA compliance page. As of this writing, this includes:
Our healthcare client needed virtual servers (Google Compute Engine) and large amounts of cold storage for backup (Google Cloud Storage).
There are key items that we look for to make sure that clients will be able to use a cloud environment in a HIPAA-compliant way. Here are the key ones we reviewed:
Google Cloud Platform provides a secure VPN for connecting into their environment. Anything sent between GCP and your business is sent over this encrypted, secure tunnel.
Google Cloud Platform provides a robust set of roles and permissions in their Identity and Access Management Console.
After you create a project to hold your servers, you can set what users can and can’t do.
Google Cloud Platform is tied to your Google account. You get the same two-factor authentication experience you get when you log in to any Google service.
By default, Google Cloud Platform will log every human and system interaction with the GCP environment. This is critical for HIPAA compliance to prove what did or didn’t happen in case of an incident.
Logging can also record what happens in each virtual machine.
If you set it up the right way, logging data is also stored on Google Cloud Platform’s “ColdLine” storage service. This lets you retain logs for 10 years, as required by HIPAA, at a very low cost.
Many companies never change their encryption keys.
Google Cloud Platform offers a robust key management service to store and rotate encryption keys used to connect to servers.
Google Cloud Platform encrypts all data at rest, by default, “with no additional action required from you.”
This is an excellent default position.
They also offer an an attractive feature for HIPAA-compliant companies. You can also encrypt your data using your own keys, stored in the aforementioned Key Management Service.
This gives you extra comfort, if you choose to implement it, that nobody at Google can access your sensitive data.
Google Cloud Platform has a solid process for controlling when their administrators can log in to your systems.
Here it is: https://cloud.google.com/security/whitepaper#data_access_and_restrictions
This process is also thoroughly audited by third party auditors.
Google offers an automated security scanning service that looks for common vulnerabilities in web-based systems that you choose to deploy at Google.
Customers also get access to the same intrusion detection technology and services that Google uses to protect its core business.
Based on all of the measures described above, Google Cloud Platform can definitely be used in a way that is HIPAA compliant.
However, there is a fair bit of complexity. You need to make sure you are configuring the environment the right way, setting up logging the right way, and ensuring you don’t expose your PHI to data breaches.
Get some free help! Talk to an Adelia Risk cybersecurity consultant.
Have questions or feedback? Please share them in the comments below.
Like this article? Share it!
[…] that it’s much easier to set up accurate roles and permissions in both Amazon Web Services and Google Cloud Platform. Part of good IT security is good usability, and we prefer AWS and GCP in this […]