This week on the HIPAA Vault Show we talk about Google Cloud Platform’s Cloud SQL. Join us as we unpack its advantages, not just from a technical standpoint but also its commercial impact on database management within the healthcare industry. Checkout our blog for more details.
Transcript:
Adam
Hello and welcome to the HIPAA Vault show where we discuss all things HIPAA compliance and the cloud. My name is Adam Zeineddine, and I’m joined, as always, by CTO and founder of HIPAA Vault, Gil Vidals. Hey Gil.
Gil
Hey, Adam. I’m ready to go today.
Adam
Yes, today we are going to be talking about cloud SQL. Cloud SQL, however way you want to pronounce it. Gil, how would you go about saying it both ways?
Gil
Sequential query language. Yeah, I’ve heard people say SQL or SQL. I like to say SQL for some reason, but either way works.
Adam
All right, I’m going to go with the SQL and then we got both bases covered if there’s any listeners that prefer either play it safe there. So, yeah, we’re going to talk a little bit about what cloud SQL is. So to start off, what is Cloud SQL? Cloud SQL is a fully managed relational database service that makes it easy to set up, maintain and administer databases and that is in the cloud specifically. Gil, I think a good jumping off point here is why does it matter to healthcare providers and those responsible for protecting sensitive phi and patient data?
Gil
Yeah, I think Adam, the first thing I’d like to mention is that in most cases, the sensitive information, the protected health information is in the database. So that’s a key point. I like to use analogy of the goose that laid the golden egg. Right? So if a hacker is trying to come in and do something nefarious, then the database is where they want to get in there. Which by the way is why when we architect the platform for our customers, we like to separate the database. A lot of companies love the web and database together. We separate them to give another level of security by keeping those two separate. Anyway, that’s the importance. The database is holding the critical sensitive data typically, and that’s not the only place the data is.
Gil
There are companies, of course, that may upload X ray images or PDFs and those go to the web server. So there is some sensitive data on the web server, but primarily the database server is what’s holding the bulk of the PHI.
Adam
Yeah, interesting. And I think also another point that were talking about offer was specifically for healthcare. When you’ve got that protected health information stored in the database, there’s rules that apply to retention and making sure that data is not lost and it’s recoverable. So I think disaster recovery is an important play here, right?
Gil
Yeah. The cloud SQL you can keep archived, so you can have a certain number of days and months, but that can grow. So we really recommend that our customers use the database a little differently than maybe they’re used to. So in other words, instead of deleting records, leave the records there, but just mark them as inactive. So let’s say you have a database that has a list of patients right. And instead of saying, well, that patient’s gone, I’m going to delete the record, you just would mark it as inactive. So you have a column that says, is this inactive, yes or no? That’s simple. And so obviously the application has to be modified to account for that.
Gil
But if you do that, then the good news is you can keep all your data for a long period of time because you’re not deleting any of it. Now, if you are deleting it, what that means is that you’re expecting the data to be kept at another level by somehow copying the database every day, every month, every year, and keeping these records. But that also takes up a lot of space. So you’re not really going to win, you’re not going to really win by trying to avoid using space. And that’s just an overhead you have to be willing to accept if you’re in the medical side of technology.
Adam
Right? So, yeah, there’s a soft delete option there that’s recommended. What about when it comes to safeguarding against the potential destruction of data? If it’s sitting in a data center somewhere and the data center burns down or something like that?
Gil
Yeah, well, you’re in San Diego and there hasn’t been a hurricane there in 70 years. And then just this weekend you guys had a hurricane that was coming along and people were freaking out, oh my gosh, it can be a hurricane in San Diego, fortunately, and an earthquake at the same time. Oh yeah, and there was an earthquake too. So these things we talk about all the time, people say, what if you’re hit by a bus? In our industry, we don’t say hit by a bus, we say what if a meteor hits a data center, in this case a hurricane? But you do have to think about those things. It does happen. Data centers do burn down or they have water damage and you lose everything.
Gil
So with cloud SQL, you have an option of doing what they call cross region SQL, cloud SQL, which means that the database archives of backups are saved in different regions. So if one region has a disaster, you’re able to recover from that by pulling the data from a different region. Now that costs more, a little bit more, but it’s a good option to enable.
Adam
Yeah, I’ve seen this done both ways. I’ve seen it done with cloud SQL and then I’ve seen it done the more traditional way with virtual machines, and the cloud SQL way is so much easier, right. It’s just seamless because it’s all managed and automated by Google. So there’s definitely some value there.
Gil
I want to mention too. So for the audience, that maybe not quite understanding what we’re talking about in terms of the database and the infrastructure. So a database, if you think about a server, most people, even non technical, can visualize, oh, I have a server, I have a database there, and that’s all good to have a database like that on a server, but with SQL in the Google cloud, it becomes a service. It’s not so much you’re not thinking anymore about oh, I have a server. Instead your mind shifts over to oh, I have a service. And the difference is you’re one level of extraction removed from this physical server that you used to worry about all the time. What if it’s slow? What if it’s got an issue, how do I back it up? All these things you have to think about.
Gil
But now with the service takes care of that. The service takes care of making sure it can run fast. If there’s a high load, it can make sure that there’s enough backups for it. Now, you do have to hit some switches when you enable it, but it’s like set it and forget it more of that way, which has always been yeah.
Gil
It’s a fully HIPAA compliant service that you can use. And rest assured that it is following all the HIPAA guidelines in terms of the infrastructure.
Adam
Great. That’s the implications for healthcare and how useful it can be. We might have slightly touched on these a little bit, but could we talk about the commercial implications in terms of cost versus a standard virtual machine? Both the actual costs when it comes to monthly paying for a virtual machine versus cloud SQL. And then the other point is what could potentially be the operational cost differences?
Gil
I think the Read Replica is something we can talk about that answers one of your questions there. So a Read Replica is important concept in the database world. A Read Replica is a copy of your database that is only available for reading. So why is that important? Well, if you have a real busy service, let’s say you’re very successful, which I hope my audience is very successful, and they have a lot of traffic, right? There’s a lot of going on. In that case, things start to slow down. But if you introduce a database Read Replica, then when things get very active and busy, you can send some of those transactions to the Read Replicas because they have a full copy of everything in the database. As the database changes, they get an immediate copy.
Gil
So that if you have users in the East Coast and West Coast and in the Midwest, and they’re all trying to hit your service at the same time, that would normally overwhelm the database server and it would start to slow down. So with the Read Replicas, you can send your traffic and distribute it across all of these Read Replicas. You can have many of them. And there’s usually only one right database server, only one server that is allowed to actually record any new changes. And that works, Adam, because in the world of technology, the vast majority of transactions on the database are reading, they’re not writing. A very small portion are write transactions. So that’s why this model works. So that’s part of it. And the other thing is the cloud SQL has the ability to store backups for a long time.
Gil
You can configure it so it can keep incremental snapshots for a long time, depending on the time frame you want. And I think the other thing I’d like to mention on that is that the cloud SQL is just a name given by Google for kind of a generic name. But if you want to talk about specifics, you could talk about the SQL being MySQL MariaDB or Postgres and then Microsoft SQL. So you get your flavor of that database that you want. And those are open source solutions. Most of those are open source and you say, why does that matter? Well, open source is supported very well and it’s inexpensive compared to some proprietary solution like Oracle, which can cost you a bundle of money. A bundle of money.
Gil
So the cloud skill is not only very robust and it’s HIPAA compliant, but it’s also an open source technology, which means the licensing is very inexpensive. So you kind of have the best of all worlds. But having said that, there are customers that need Oracle and I get that. So that would be a know, if you have to do Oracle, then you have to be in a different world where you’re living under the regime of Larry Ellison over there.
Adam
And just to add to what you said there, I haven’t seen too much of a difference, apple to apple between virtual machine setups and cloud SQL. Essentially from what I can see in Google cloud with cloud SQL, if you enable what’s called High Availability, which includes the good stuff that I think that you mentioned there, Gil, the costing is basically just taking into account that there’s another server in another region that is available and that’s what High Availability means.
Gil
In the end, there is some kind of a server running somewhere, but the difference is Google is managing that for you. So they put like a curtain there. So if you were to open the curtain, you see a server back there, but the curtains closed and you’re not supposed to look back there and it’s a service. In other words, they’re managing all of that. You don’t need to worry about. That’s why it’s called a service. But it’s true what you said. In the end, if you want a replica or High Availability, they are going to spin up another system for you and they’re going to copy it and make sure it’s there. So, yeah, I think it’s a very robust and comprehensive solution to use cloud SQL, and we encourage our customers to use that.
Adam
And then the other side is the operational savings, right? All of that stuff that we just mentioned in terms of setting up the read Replicas and everything. It’s so easy to do with cloud SQL that your operational costs are a lot more manageable. Was there anything else you wanted to note when it comes to cloud SQL?
Gil
I think I would like to add one more piece, and that is that in HIPAA Vault, we’re all about helping our customers architect the best solution for them. So that means we try to keep it as best we can within your budget. And we have all sorts of levels. As you heard in this discussion. You can do Replicas and you can do Backups, and you can do Archive, all sorts of stuff cross region. And all of that costs money, right? So we try to architect it within the customer’s budget that they present say, hey, of course we want this level of recovery. Something bad happens, we want to recover at this time. We got to listen to all that. And then we got to architect something that will fit within their business model.
Gil
But we have the ability to do that at all sorts of levels from the smallest customer to the multimillion dollar customer. We can do that.
Adam
I also wanted to refer to what Gil mentioned earlier. It was episode twelve where went into a little bit more detail and we had our compliance manager Henry on the call to talk about retention requirements by state for patient information. So do check out that episode as well. And if you have any questions about it, as always, please feel free to reach out to us at podcast@hipaavault.com. You can check out more resources on our blog at hipaavault.com. Sum up of cloud SQL. It’s more than a database solution. It’s a pivotal piece of your healthcare it ecosystem. And that’s all for this episode. Thanks for stopping by.