Achieving HIPAA on GCP


HIPAA Workloads on GCP

Ran Rothschild, Managing Director, CloudZone

Agenda

1. HIPAA in general
2. Achieving HIPAA compliance on GCP
3. G Suite and HIPAA

Self-Proclaimed

There is no certification recognized by the US HHS for HIPAA compliance.

HIPAA Rules

1. The Security Rule - administrative, technical and physical safeguards
   https://www.hhs.gov/hipaa/for-professionals/security/index.html?language=es
2. The HIPAA Privacy Rule - focuses on the rights of the individual
   https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?language=es
3. The Breach Notification Rule - notification following a breach
   https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?language=es

What is PHI?

HIPAA regulations list eighteen different personal identifiers which, when linked together, are classed as Protected Health Information.

Who has the responsibility to protect PHI? Covered Entities, Business Associates and subcontractors.

The 3 Pillars of HIPAA

• Internal Procedures and Processes
• IT Environments
• Constantly up to date

Achieving HIPAA Compliance on GCP

GCP Compliance

• SSAE16 / ISAE 3402 Type II (including SOC 2 & 3)
• ISO 27001, 27017, 27018
• FedRAMP
• PCI-DSS
• HIPAA

Google Cloud Platform supports HIPAA compliance (within the scope of a Business Associate Agreement), but ultimately customers are responsible for evaluating their own HIPAA compliance.

Shared Responsibility

GCP & HIPAA

1. Sign a BAA.
2. Covered services: Google Genomics, Container Registry, Container Engine, Compute Engine, Cloud SQL, Cloud Storage, Dataproc, Dataflow, Bigtable, BigQuery.
   https://cloud.google.com/security/compliance
3. IAM best practices - least privilege, user groups, change management.
4. Encryption at rest - on by default on GCP.
   https://cloud.google.com/security/encryption-at-rest/default-encryption/

GCP & HIPAA

5. Audit logs: long-term archive and analytics.
   5.1. Cloud Storage - GCS Object Versioning (gsutil)
   5.2. Admin Activity logs
   5.3. Data Access logs
   5.4. Best practices for audit logs
        5.4.1. Export to BigQuery for analytical / forensic needs
        5.4.2. Configure access control on the exported logs
        5.4.3. Regularly review audit logs in Stackdriver, BigQuery, or an external tool
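The following script is an added example, not part of the CloudZone deck, and shows items 3 (IAM least privilege) and 5 (audit logs) of the checklist above as shell functions around gcloud and gsutil. The project, bucket, dataset and sink names are assumptions; the IAM check reads the YAML that `gcloud projects get-iam-policy PROJECT --format=yaml` prints and reports primitive roles (owner, editor) granted to anything other than a group, plus any grant to the public members allUsers and allAuthenticatedUsers. With DRY_RUN=1 the functions print the commands instead of running them, so the plan can be reviewed before it touches a project holding PHI.

```shell
#!/bin/sh
# Added example (not from the deck): HIPAA-on-GCP baseline controls for
# IAM (item 3) and audit logs (item 5). Names used below are assumptions.
# DRY_RUN=1 prints each gcloud/gsutil command instead of executing it.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# --- Item 3: IAM least privilege -------------------------------------------
# Input (stdin): gcloud's YAML policy layout, i.e. "- members:" followed by
# "  - <member>" lines and then "  role: <role>" for each binding.
# Output: "<member> <role>" for a primitive role (owner/editor) held by a
# non-group member, or for any role held by allUsers/allAuthenticatedUsers.
flag_risky_bindings() {
  awk '
    /^- members:/ { n = 0; next }
    /^  - /       { m[n++] = $2; next }
    /^  role: /   {
      role = $2
      for (i = 0; i < n; i++) {
        if (m[i] == "allUsers" || m[i] == "allAuthenticatedUsers") {
          print m[i], role
        } else if ((role == "roles/owner" || role == "roles/editor") && m[i] !~ /^group:/) {
          print m[i], role
        }
      }
      n = 0
    }'
}

# The remediation the slide asks for: grant roles to groups, not individuals.
bind_group_role() {
  run gcloud projects add-iam-policy-binding "$1" \
    --member="group:$2" --role="$3"
}

# --- Item 5: audit logs, long-term archive and analytics -------------------
# 5.1 Object Versioning on the archive bucket: an overwrite or delete keeps
#     the previous generation, so log evidence is not silently destroyed.
enable_versioning() {
  run gsutil versioning set on "gs://$1"
}

# 5.2 / 5.3 Admin Activity logs are always on; Data Access logs must be
#     enabled per project. Merge this stanza into the policy from
#     "gcloud projects get-iam-policy PROJECT --format=yaml > policy.yaml"
#     and apply it with "gcloud projects set-iam-policy PROJECT policy.yaml".
data_access_audit_config() {
  cat <<'EOF'
auditConfigs:
- auditLogConfigs:
  - logType: ADMIN_READ
  - logType: DATA_READ
  - logType: DATA_WRITE
  service: allServices
EOF
}

# 5.4.1 Export all Cloud Audit Logs to a BigQuery dataset for analysis.
create_audit_sink() {
  project=$1 dataset=$2 sink=$3
  run gcloud logging sinks create "$sink" \
    "bigquery.googleapis.com/projects/$project/datasets/$dataset" \
    --log-filter='logName:"cloudaudit.googleapis.com"'
}

# 5.4.2 The sink writes as its own service account (read it with
#     "gcloud logging sinks describe SINK --format='value(writerIdentity)'").
#     Grant that identity Data Editor so only it can append to the dataset;
#     a dataset-scoped grant via the BigQuery console or bq is tighter than
#     this project-level binding.
grant_sink_writer() {
  run gcloud projects add-iam-policy-binding "$1" \
    --member="$2" --role=roles/bigquery.dataEditor
}

# Stand-alone usage:
#   DRY_RUN=1 sh hipaa_gcp_controls.sh plan my-proj phi-audit-archive hipaa_audit
if [ "${1:-}" = plan ]; then
  enable_versioning "$3"
  data_access_audit_config
  create_audit_sink "$2" "$4" hipaa-audit-sink
fi
```

Run the IAM check with `gcloud projects get-iam-policy my-proj --format=yaml | flag_risky_bindings`; an empty result is the target state. The sink filter selects every Cloud Audit Logs entry (Admin Activity and Data Access), so once the Data Access stanza is applied, reads of PHI in covered services land in the same dataset as administrative changes.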

1 Cloud!

G Suite

(68% of Healthcare Organizations Have Compromised Email Accounts)

G Suite

1. Same compliance and audits as GCP
2. HIPAA compliance & data protection with G Suite
   https://static.googleusercontent.com/media/gsuite.google.com/en//terms/2015/1/hipaa_implementation_guide.pdf
3. BAA
4. Permitted services - core services: Gmail, Calendar, Drive, Hangouts*, Vault, etc.
5. Monitoring account activity
6. Separation of user access
7. Security best practices

Internal training

Thank You
