Restrictions and limitations for Healthcare and Life Sciences Controls

This page describes the restrictions, limitations, and other configuration options when using the Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages.

Overview

The Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages enable you to run workloads that comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and of the Health Information Trust Alliance (HITRUST).

Each supported product meets the following requirements:

Allowing additional services

Each Healthcare and Life Sciences Controls control package includes a default configuration of supported services, which is enforced by a Restrict Service Usage (gcp.restrictServiceUsage) organization policy constraint set on your Assured Workloads folder. However, you can modify this constraint's value to include other services if your workload requires them. See Restrict resource usage for workloads for more information.

Any additional service you choose to add to the allowlist must be listed on Google Cloud's HIPAA BAA page or on Google Cloud's HITRUST CSF page.

When you add additional services by modifying the gcp.restrictServiceUsage constraint, Assured Workloads monitoring will report compliance violations. To remove these violations and prevent future notifications for services added to the allowlist, you must grant an exception for each violation.

Additional considerations when adding a service to the allowlist are described in the following sections.

Customer-managed encryption keys (CMEK)

Before adding a service to the allowlist, verify that it supports CMEK by reviewing the Compatible services page in the Cloud KMS documentation. If you want to allow a service that does not support CMEK, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.

If you want to enforce a stricter security posture when using CMEK, see the View key usage page in the Cloud KMS documentation.

Data residency

Before adding a service to the allowlist, verify that it's listed on the Google Cloud Services with Data Residency page. If you want to allow a service that does not support data residency, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.

VPC Service Controls

Before adding a service to the allowlist, verify that it's supported by VPC Service Controls by reviewing the Supported products and limitations page in the VPC Service Controls documentation. If you want to allow a service that does not support VPC Service Controls, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.

Access Transparency and Access Approval

Before adding a service to the allowlist, verify that it can write Access Transparency logs and supports Access Approval requests by reviewing the following pages:

If you want to allow a service that does not write Access Transparency logs and doesn't support Access Approval requests, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.
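The following script is an added example, not part of the Google Cloud documentation. It reads the JSON that `gcloud org-policies describe gcp.restrictServiceUsage --folder=FOLDER_ID --effective --format=json` prints (the `spec.rules[].values.allowedValues` layout of the Organization Policy v2 API) and diffs the allowlist against the endpoints in this page's supported products table, so you can see in advance which services will raise Assured Workloads violations that need exceptions and which still need the CMEK, data residency, VPC Service Controls and Access Transparency / Access Approval reviews above. The sample policy, the folder number and the two added services are constructed.

```python
"""Audit a gcp.restrictServiceUsage allowlist against the package default."""
import json

# Default allowlist of the control package: the "Global API endpoints" column
# of the supported products table on this page (46 unique endpoints).
PACKAGE_DEFAULT = frozenset(f"{s}.googleapis.com" for s in """
mesh meshca meshconfig networksecurity networkservices artifactregistry
bigquery bigqueryconnection bigquerydatapolicy bigqueryreservation bigquerystorage
bigquerydatatransfer binaryauthorization privateca bigtable bigtableadmin cloudbuild
composer datafusion dataflow datapipelines dataproc-control dataproc iam cloudkms
logging pubsub networkconnectivity run spanner sqladmin storage cloudtasks vision
compute contactcenterinsights eventarc file container containersecurity redis
secretmanager dlp speech texttospeech accesscontextmanager
""".split())

# Checks this page requires before a non-default service is allowlisted.
REVIEWS = ("HIPAA BAA or HITRUST CSF listing", "CMEK support", "data residency",
           "VPC Service Controls", "Access Transparency / Access Approval")


def allowed_services(policy_json):
    """Collect allowedValues from every rule of a described org policy."""
    policy = json.loads(policy_json)
    allowed = set()
    for rule in policy.get("spec", {}).get("rules", []):
        allowed.update(rule.get("values", {}).get("allowedValues", []))
    return allowed


def audit_allowlist(policy_json):
    """Map each service outside the package default to the reviews it needs.

    Every key returned will also be reported by Assured Workloads monitoring
    as a compliance violation until an exception is granted for it.
    """
    added = sorted(allowed_services(policy_json) - PACKAGE_DEFAULT)
    return {svc: list(REVIEWS) for svc in added}


# Constructed sample of the describe output after an administrator appended
# two services (both real API endpoints, chosen for illustration only).
SAMPLE_POLICY = json.dumps({
    "name": "folders/123456789012/policies/gcp.restrictServiceUsage",
    "spec": {"rules": [{"values": {"allowedValues": sorted(PACKAGE_DEFAULT)
             + ["cloudfunctions.googleapis.com", "firestore.googleapis.com"]}}]},
})

if __name__ == "__main__":
    for svc, reviews in audit_allowlist(SAMPLE_POLICY).items():
        print(f"{svc}: grant an exception; review {', '.join(reviews)}")
```

Pipe the real describe output into `audit_allowlist` instead of `SAMPLE_POLICY` to audit your own folder.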

Supported products and services

The following products are supported in the Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages:

| Supported product | Global API endpoints | Restrictions or limitations |
|---|---|---|
| Cloud Service Mesh | mesh.googleapis.com, meshca.googleapis.com, meshconfig.googleapis.com, networksecurity.googleapis.com, networkservices.googleapis.com | None |
| Artifact Registry | artifactregistry.googleapis.com | None |
| BigQuery | bigquery.googleapis.com, bigqueryconnection.googleapis.com, bigquerydatapolicy.googleapis.com, bigqueryreservation.googleapis.com, bigquerystorage.googleapis.com | None |
| BigQuery Data Transfer Service | bigquerydatatransfer.googleapis.com | None |
| Binary Authorization | binaryauthorization.googleapis.com | None |
| Certificate Authority Service | privateca.googleapis.com | None |
| Bigtable | bigtable.googleapis.com, bigtableadmin.googleapis.com | None |
| Cloud Build | cloudbuild.googleapis.com | None |
| Cloud Composer | composer.googleapis.com | None |
| Cloud Data Fusion | datafusion.googleapis.com | None |
| Dataflow | dataflow.googleapis.com, datapipelines.googleapis.com | None |
| Dataproc | dataproc-control.googleapis.com, dataproc.googleapis.com | None |
| Identity and Access Management (IAM) | iam.googleapis.com | None |
| Cloud Key Management Service (Cloud KMS) | cloudkms.googleapis.com | None |
| Cloud Logging | logging.googleapis.com | None |
| Pub/Sub | pubsub.googleapis.com | None |
| Cloud Router | networkconnectivity.googleapis.com | None |
| Cloud Run | run.googleapis.com | None |
| Spanner | spanner.googleapis.com | Affected features and organization policy constraints |
| Cloud SQL | sqladmin.googleapis.com | None |
| Cloud Storage | storage.googleapis.com | None |
| Cloud Tasks | cloudtasks.googleapis.com | None |
| Cloud Vision API | vision.googleapis.com | None |
| Cloud VPN | compute.googleapis.com | None |
| Compute Engine | compute.googleapis.com | Organization policy constraints |
| Conversational Insights | contactcenterinsights.googleapis.com | None |
| Eventarc | eventarc.googleapis.com | None |
| Filestore | file.googleapis.com | None |
| Google Kubernetes Engine | container.googleapis.com, containersecurity.googleapis.com | None |
| Memorystore for Redis | redis.googleapis.com | None |
| Persistent Disk | compute.googleapis.com | None |
| Secret Manager | secretmanager.googleapis.com | None |
| Sensitive Data Protection | dlp.googleapis.com | None |
| Speech-to-Text | speech.googleapis.com | None |
| Text-to-Speech | texttospeech.googleapis.com | None |
| Virtual Private Cloud (VPC) | compute.googleapis.com | None |
| VPC Service Controls | accesscontextmanager.googleapis.com | None |

Restrictions and limitations

The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Healthcare and Life Sciences Controls folders.

Google Cloud-wide organization policy constraints

The following organization policy constraints apply across any applicable Google Cloud service.

| Organization policy constraint | Description |
|---|---|
| gcp.resourceLocations | Set to the following locations in the allowedValues list: us-locations, us-central1, us-central2, us-west1, us-west2, us-west3, us-west4, us-east1, us-east4, us-east5, us-south1. This value restricts creation of any new resources to the selected value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See the Organization policy value groups documentation for more information. |
| gcp.restrictServiceUsage | Set to allow all supported services. Determines which services can be enabled and used. For more information, see Restrict resource usage for workloads. |
| gcp.restrictTLSVersion | Set to deny the following TLS versions: TLS_VERSION_1, TLS_VERSION_1_1. See the Restrict TLS versions page for more information. |

Compute Engine

Compute Engine organization policy constraints

| Organization policy constraint | Description |
|---|---|
| compute.disableGlobalCloudArmorPolicy | Set to True. Disables creating Google Cloud Armor security policies. |

Spanner

Affected Spanner features

| Feature | Description |
|---|---|
| Split boundaries | Spanner uses a small subset of primary keys and indexed columns to define split boundaries, which may include customer data and metadata. A split boundary in Spanner denotes the location where contiguous ranges of rows are split into smaller pieces. These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Healthcare and Life Sciences Controls. |

Spanner organization policy constraints

| Organization policy constraint | Description |
|---|---|
| spanner.assuredWorkloadsAdvancedServiceControls | Set to True. Applies additional data sovereignty and supportability controls to Spanner resources. |
| spanner.disableMultiRegionInstanceIfNoLocationSelected | Set to True. Disables the ability to create multi-region Spanner instances, to enforce data residency and data sovereignty. |

What's next