Redundancy Re-considered: GCP, HIPAA Compliance, and Why We’re a Google Cloud Partner
By Gil Vidals

“Never give up, never surrender.”

– Cmdr. Peter Quincy Taggart, Galaxy Quest

Yes, that is how we feel about cybersecurity.

Yet it’s true: redundancy can often feel superfluous, like making predictions about the future, or deja vu all over again.    

But when it comes to your client’s healthcare data, redundant protections are anything but unnecessary. 

Case in point: a recent study revealed that nearly a third of all healthcare databases are dangerously exposed to the internet. (Shields up, anyone?) 

Such a scenario leaves your data sitting right on the edge of cyberspace for any hacker to exploit or steal.  

That’s just one reason why at HIPAA Vault, we insist on multiple layers of security – aka redundant protections. It’s also why we’ve chosen to partner with the Google Cloud Platform.

Still, many want to know if Google infrastructure meets the tests for HIPAA compliance – in other words, will it ensure the confidentiality, integrity, and high data availability required by “zero trust” and the HIPAA Security Rule?

Here’s what we tell them:

Trust Google’s World-Class Infrastructure Security 

Our innovative health technology partners rely on high data availability and integrity to help facilitate their excellent care.

Google’s “redundancy of everything” approach is designed-in; it ensures that the failure of a single server, data center, network connection, or even a maintenance window will not result in downtime or loss of data.

In addition, few cloud providers have been tested like Google, with billions of users accessing their various cloud services every day. 

Consider how such an expansive, on-demand infrastructure faces untold numbers of attacks every minute. This would surely overwhelm their systems unless sophisticated security automation were built in.

Further, each attack is assessed by over 600 world-class security specialists; privacy and compliance teams provide continual oversight, and outside experts are regularly consulted to perform security assessments. 

This is a level of security that simply can’t be matched by most on-site data centers and IT staff. 

Encryption by Default

Sensitive medical data needs strong privacy protections. Encryption is the minimum standard of care, part of all our secure cloud solutions – from hosting, to HIPAA WordPress, to secure Email and Drive.

Still, cybercriminals look for ways around these protections, attempting to bypass encryption by accessing keys or cracking encryption algorithms.

The Google Cloud Platform (GCP) uses a FIPS 140-2 validated encryption module (FIPS 140-2 is a NIST standard) by default. This ensures the encryption of your data in transit (that is, when it travels outside Google’s physical boundaries, whether to you, the customer, or over the wide-area network (WAN) between data centers), and also “at rest” on their servers.

A cloud-hosted key management service (KMS) also allows you to manage cryptographic keys in the same way as you would for a typical on-premises environment. 

World-Class Data Centers

Google’s world-class data center compliance relies on the ISO 27001 certification, an internationally accepted and independently verified security standard composed of 114 controls, including information security policies, asset management, cryptography, and physical and environmental security.

HIPAA Vault relies on these distributed, compliant data centers to provide “geo-redundancy” by replicating your data across regions (see Backups, below). This minimizes the impact of a natural disaster or a local power outage, so your sensitive data will always remain available.

Physically, Google boasts a minimum of 6 layers of state-of-the-art security for their data centers, and it’s impressive. Think of concentric circles, each with a different type of security inherent in the layer:

  • The physical property boundaries of the secure data center, surrounded by smart fences, thermal cameras, and posted with signage.
  • The secure perimeter, including a security guard at the gate, roving security guards in cars, vehicle crash barriers that can stop a truck, and more.
  • The personnel ID check, with iris scan and single person door entry. 
  • The Security Operation Center (SOC), with 24/7/365 monitoring. The “brain of the data center,” staff monitors all camera activity and all data center operations. 
  • The data center floor, where access is granted, as needed, to authorized technicians/engineers only. All at-rest data is encrypted, with customers maintaining their own encryption keys. Even the technicians cannot “see” the data, and less than 1% of Google personnel will ever see this area in person.
  • The disk disposal/hard-drive destruction area, with special access granted to the machines that physically destroy drives that are no longer needed.

Backups 

As mentioned, high availability for your HIPAA data requires high redundancy. This is why Backups are a standard part of our fully-managed services.

With Google, your data is systematically replicated multiple times across active servers and distributed geographically. 

This means your data is always available within a secondary system, should one system fail. 

Service continuity is therefore ensured by a highly redundant system, one where even a possible disaster (earthquake, fire, flood) at one data center will not result in downtime or loss of data.

BAA Provided

HIPAA data handlers who use, transmit, receive, or exchange electronic protected health information (ePHI) are required to sign a Business Associate Agreement (BAA).

A BAA is a HIPAA-mandated legal contract confirming that patient data will be kept confidential while in storage on all servers, as well as in transit. As a trusted HIPAA partner, Google provides HIPAA Vault a Business Associate Agreement, so you’re covered.

Identity and Access Controls 

A HIPAA-compliant environment will always be governed by admin controls that authenticate user access.

HIPAA Vault works with you regarding the appropriate access and permissions for your team, setting unique user IDs (kept private by each user) through Google’s Identity and Access Management Console.

In addition, two-factor authentication, or 2-step verification, adds another layer of redundancy by avoiding a single point of failure in sign-ons. This means that in addition to the standard username/password combination, a unique verification code is generated and sent to users each time they seek to log in to their server.

Access/Activity (Audit) Logs

HIPAA regulations require that detailed audit logs be kept, recording who has accessed ePHI on your server(s) and why they’ve accessed it, and covering both failed and successful log-in attempts.

System and network access information, including any security event or malicious software, attempted breach, or even attempts to delete or modify the logs themselves, must be kept for a minimum of six years (HIPAA Vault keeps them for seven). 

Google will also keep all admin activity, data access, and system event logs for varying lengths of time, which can then be exported so you can retain them for as long as needed. 

Fully-Managed by HIPAA Vault

As you can see, state-of-the-art security for medical data and HIPAA compliance is a primary reason HIPAA Vault became a Google Cloud Partner. Clearly, the Google Cloud Platform (GCP) meets the tests for a HIPAA-compliant infrastructure.

Yet we often emphasize how the real test of compliance always comes down to the day-to-day practices of HIPAA for your organization.

While you do your part to instill the requirements of HIPAA compliance and strong security practices within your staff, HIPAA Vault’s fully managed security works hand-in-hand with GCP to help keep your data safe. We provide 24/7 system monitoring, managed anti-virus and malware prevention, continual security patching and logging, and much more.

In other words, HIPAA Vault handles all the day-to-day management of your infrastructure’s functions and security as a strategic method for improving and securing your operations and cutting expenses, so you can run “full speed ahead” with what you do best: caring for patients! 

If you have any questions on GCP or HIPAA Vault’s fully managed services, please contact us! 760-394-6920.

Gil Vidals is the president and CTO of HIPAA Vault. He is a passionate subject matter expert on HIPAA compliance and the healthcare cloud, and co-host of the HIPAA Vault podcast. Since 1997, Gil’s mission has been to provide uncompromising and affordable HIPAA compliant hosting solutions to commercial and government clients, helping protect their sensitive health information from data breaches and security vulnerabilities. HIPAA Vault has been recognized as an Inc. 5000 company and a Clutch Top B2B company. He can be reached on LinkedIn.