In this episode of the HIPAA Vault Show, we explore the relationship between Google Cloud Services and HIPAA compliance, highlighting that while Google offers HIPAA-compliant cloud services like Compute Engine, Cloud Storage, and BigQuery, the onus of maintaining compliance also falls on healthcare organizations. They must ensure proper use of these services, including implementing robust access controls, encrypting data, and regular audits. The episode advises caution with beta and test services and emphasizes a holistic approach to data security, involving staff training and constant vigilance against threats. In conclusion, we acknowledge the significant benefits of using Google Cloud in healthcare, stressing the importance of responsible usage and ongoing compliance with HIPAA regulations.

GCP HIPAA Compliant services


Do you have any remaining questions, requests, or just want to chat with us? Email us at podcast@hipaavault.com!

Transcript:


Adam
Hello and welcome to the HIPAA Vault show, where we discuss all things HIPAA and cloud technology. My name is Adam Zeineddine and I’m joined by the CTO and founder of HIPAA Vault, Gil Vidals. Hey Gil, how are you doing today? 


Gil
Hey, Adam. I guess we’re at the end of January, so I can’t say welcome to the new year anymore. I have to think of something else. 


Adam
Welcome to the end of January. 


Gil
Yeah, end of January, yeah. 


Adam
So, well, thanks for joining us on this one. What we’re going to talk about today, this is episode 40, by the way. So it’s flown by since we started this podcast just around a year ago. And I want to encourage the listeners and viewers to download, subscribe, like all that good stuff. And a subscribe in particular really will help out because we’re approaching 100 subscribers, Gil. So great that we’re getting to and. Yeah, so if you’re viewing this on YouTube, hit subscribe and help us spread the good word about HIPAA compliance and cloud technology. So diving into it, we’re going to be talking today about Google Cloud Platform (GCP) and HIPAA compliance. We’re going to give you some tips and tricks to help you navigate Google Cloud safely. 


Adam
So in terms of Google Cloud services and HIPAA compliance, there’s good news, and that is that most of Google Cloud services are HIPAA compliant. And this includes popular services like Compute Engine, Cloud Storage and BigQuery, amongst others. These services are designed with robust security protocols and measures in place, meeting the stringent standards that HIPAA sets. But Gil, obviously it’s not just about services being compliant, although we will discuss that. What’s critical is how the services are used. Right. So could you talk a little bit about, in general, Google Cloud and what way to approach looking to see whether a service is compliant or not? 


Gil
Yeah, so that’s a good topic. The public clouds have very good security in general, and they have a lot of different compliance levels. So there’s HIPAA compliance, there’s other types of compliance like PCI compliance or NIST 800 and FedRAMP, and there’s lots of different compliance levels. So when we’re talking about HIPAA, it’s one of those compliance levels for healthcare in particular. So what you want to look for is there’s a Google document that lists what services are actually compliant. And I think in the show notes we’ll put that. So you just click on it and you can see, hey, if I’m using Cloud Run or Pub/Sub or Cloud SQL, there’s thousands of services. 


Gil
So you can look in that list and then if you see the service that you want to use for your healthcare application, and if it’s on the list, then you know it’s meeting the standards of HIPAA. Yeah, I think that’s the main point of that, is to make sure that the service is listed. 


Adam
Yeah. And I’m just sharing the screen here with that link that we will provide in the description below that details. It’s a security document and it also keeps the updated list of which services Google Cloud offers that are HIPAA compliant. I’m sharing it here. And the great thing about it, you can just do a Ctrl+F and then search for, let’s say, Compute Engine. So if you’re a developer in the middle of looking to use something, you can just go compute and then you’ll find it there. Compute Engine is listed. Yeah. And then in terms of not being compliant and test, Gil, would you agree, like generally the PHI data, that ingestion should be used with the main Google Cloud services and not testing services, generally speaking. 


Gil
But as you know, in life, there’s always exceptions. Like for example, if you remember, Gmail was part of the beta program for Google for like, I don’t know, twelve years. At some point, everybody knew it was working great. So Google has a tendency to keep the beta program going quite a long time. So I guess if you really needed a service that was beta, but you’ve seen it’s been around for years, then you’d have to evaluate that and determine if you think it’s okay to go ahead and use that. 


Adam
Yeah. And in terms of the testing services, again, if you come across a service, you would just come and look at this document and see if it’s included in there. If it is, then that’s great. If it’s not, then approach it with caution, I think is generally the advice. Gil, what else goes into it other than just making sure that it’s listed under the Google Cloud BAA? 


Gil
Yeah, I think there’s something important to mention here, and that is it’s easy to get trapped. Maybe it’s a good word to use, trapped into the notion that if you select something that’s HIPAA compliant on the tech side, that you’re done. Everything’s great. We all have a lot to do, so just move on to the next thing. A little checkmark got HIPAA compliance. But in reality, life isn’t that simple. And what I’m talking about is regardless of the service that you’re using, that’s HIPAA compliant. You have to make sure that you as a company are HIPAA compliant. So you say, well, what do you mean by that? Well, your employees, for example, are your employees being trained? Do you have a log that shows when they were trained? 


Gil
If you’re audited for HIPAA, they’re going to ask you, show us your logs of all your employees and when they were trained. When did they pass the last HIPAA module? And you might be saying right now, oh my gosh, I’ve never done that before. Well, you’re not HIPAA compliant then, even though maybe you chose a platform technology wise that is HIPAA compliant. Another thing that may not be obvious to you, but let’s say one of your employees is looking at some HIPAA data and the HIPAA data is on their monitor. Maybe some patient information, live patient information, and they walk away to go to lunch and they leave the screen and everything unlocked. Well, that is a failure in terms of HIPAA compliance. Somebody could walk by and take a screenshot of that or a picture of it. 


Gil
So there are many other things that go into being HIPAA compliant other than just the green checkbox showing that you selected a HIPAA compliant platform. So that I just want to remind everybody, because it’s too easy just to think that one company like Google or the other public clouds, could take care of it all for you. They can only do their part. And then the other thing is the team effort, Adam, it’s all a team effort, right? Your whole team has to be aware that you’re handling sensitive and patient information. Everybody needs to contribute if they notice something that might be wrong. Maybe your application has an area that they feel could be improved. For example, one of your employees may say, hey, I logged into the application. 


Gil
I noticed that two-factor authentication was disabled, and maybe you disabled it for testing purposes and then somebody forgot to turn it back on. So everybody needs to be observant, they need to be paying attention, and they need to let the management team know, the leadership team know if they notice something that they suspect might be a weakness. We’ve talked a little bit about the healthcare services, in particular with Google, and there are a myriad of services that you can choose. And I really think that the model that Google has selected is really secure for managing your healthcare app. I would encourage you to explore it and find out what’s the best service that you could use at Google to bolster and host your healthcare application. For example, give you a specific. 


Gil
There are a lot of APIs now that are very common to be used. Your apps communicating with another app, those are called application programming interfaces, and you want to make sure that you use one that’s HIPAA compliant. So Google has something called Apigee, API gee apogee API. You should look at those. Those are HIPAA compliant. And you can look at the Apigee services to make sure that your API calls that you use are HIPAA compliant. So I would encourage that’s something that’s commonly used these days. But in conclusion, we do think that the cloud services that are offered by Google are HIPAA compliant. They are confirmed to be. So again, you could use that document we shared with you. It’ll be in the show notes that you could look at and just be cautious. 


Gil
If it’s a beta program, a beta service that Google has, think about that a little bit and ensure that you follow all of the HIPAA standards and best security practices and make sure that your staff is trained and that you review your application from time to time. I really recommend doing a third party scan on your application to find all the holes or vulnerabilities and weaknesses that your location might have. And you can contact us at HIPAA Vault. We can help you with that if you want to get a scan of your application and your infrastructure to let you know if it’s compliant. 


Adam
Fantastic. Well, that’s it for this episode of the HIPAA Vault show. As always, if you have any questions, please reach out to us at podcast@hipaavault.com. Do like the video and subscribe. And until next time, thanks for stopping by.