Security, privacy, and compliance resources for Healthcare and Life Sciences customers

In response to the global health crisis caused by COVID-19, the healthcare and life sciences (HCLS) industry has entered a cycle of rapid transformation and innovation. Healthcare providers are  working overtime to provide the best and most efficient care possible, protect employees, and streamline business operations. Google Cloud has partnered with many of our healthcare and life sciences customers to provide support, including telehealth and remote productivity solutions, access to public datasets, and research credits. 

While they’re dealing with these challenges, healthcare and life sciences organizations are still compelled to uphold their security, privacy, and regulatory compliance obligations. To help these organizations manage their applications appropriately and confidently, today we’re highlighting several recently published solution guides, whitepapers, and other assets.

• Protecting Healthcare Data on Google Cloud: Healthcare organizations new to Google Cloud can start learning about our “defense in depth” strategy that encompasses access control, encryption, continuous monitoring, and other safeguards. Written as a set of FAQs, this document provides a summary of Google Cloud’s contractual commitments, trust principles, and industry-leading security and privacy capabilities for managing healthcare data and applications. Existing customers can also use this whitepaper as a refresher on Google Cloud’s capabilities and strategies for upholding the shared responsibility model.

• Healthcare Data Protection Toolkit: This Google-developed open-source toolkit can help you quickly and easily deploy and monitor a Google Cloud project. It integrates popular industry tools like Terraform and Forseti Security with other custom capabilities to make setting up Google Cloud Platform (GCP) environments easy, verifiable, and reproducible. This degree of automation better enables and accelerates the deployment of security, privacy, and compliance-sensitive workloads. The built-in deployment validation and monitoring rules help ensure appropriate configuration from the start, detect policy violations, and reduce drift over time. Google has published several sample deployment templates aligned to common healthcare and life sciences solution architectures to streamline GCP project setup and onboarding for security, privacy, and compliance-sensitive workloads.

• HIPAA solution architecture and HIPAA technical solution guide: Learn how to design and deploy a HIPAA-aligned reference environment on Google Cloud. This includes recommended onboarding best practices and security configurations, for example access control, data storage lifecycle, and detailed audit logs. You can also take advantage of the sample deployment templates and starter code enabled by the Data Protection Toolkit to provision and modify this reference architecture in your own GCP project.

• “Good Practice” (GxP) whitepaper: GxP is an abbreviation for the various “good practice” regulations and guidelines that apply to products in the life sciences, pharmaceutical, and medical device industries. This whitepaper provides an overview of GxP criteria that can be found in government agency regulations, such as from the US Food and Drug Administration, and how Google Cloud’s administrative, physical, and technical controls help our customers meet their quality, documentation, and security objectives.

• “Good Practice” (GxP) technical solution guide: Understand the process for deploying a GxP-aligned reference environment on Google Cloud Platform for life sciences, including recommended security configurations (like access control, audit logging, and data retention), validation, and post-deployment verification. You can also take advantage of sample Data Protection Toolkit deployment templates and other sample code to deploy and modify this reference architecture in your own GCP project.

• Personal Health Information Protection Act (PHIPA) whitepaper: Learn more about how Google Cloud can help support the information security considerations in PHIPA, a provincial regulation in Ontario, Canada that establishes general principles for the collection, use, and disclosure of personal health information.

• ISO 27701 certification: ISO/IEC 27701 is a global privacy standard that focuses on the collection and processing of personally identifiable information (PII) and was developed to help organizations comply with international privacy frameworks and laws. Google Cloud Platform has received an accredited ISO/IEC 27701 certification as a PII processor after undergoing an audit by an independent third party.

We aim to continue publishing helpful security, privacy, and compliance resources for HCLS customers, such as whitepapers, solution guides, and sample code for deploying reference environments aligned to other regulatory compliance frameworks.

For a comprehensive overview of these topics, and more, tune into the Security, Privacy, and Compliance Solutions for Healthcare session during Google Cloud Next ‘20: OnAir the week of August 3. You can also find more information about Google Cloud’s security and privacy capabilities and regulatory and industry compliance alignment in our documentation.