GCP Solution Security & Compliance Audit for Leading Health Care System in Denver, CO

Leading health care system out of Denver. The customer was looking for a comprehensive security guidance for the genomics research project designed for Google Cloud Platform (GCP), with the main goal of securing PHI data from misuse and unauthorized access. Prior to this, the customer already assessed Google’s physical network and platform level security with positive results and was focused on a GCP-based solution to have PHI Data Isolation, ensuring HIPAA compliance.

Biarca – a San Jose, California-based professional engineering services and a Google technology partner company. After evaluating the proposed architecture for a GCP Solution, Biarca prepared a detailed security guide for the customer so that overall Security & HIPAA Compliance Audit requirements were met. Preparation of the Security Guide involved design, implementation and validation of the actual data flows on GCP, while having a clear understanding of user access policies & controls, alert configuring and monitoring, among other tasks.

With this solution, while being secure and HIPAA Compliant, the customer obtained both CapEx savings, due to GCP’s low system resource costs, and OpEx savings because of GCP’s automation of several resource management tasks.

The Challenge

HIPAA regulations, as it applies to computing environment, cover areas related to information privacy, information security and monitoring & alerting for breaches involving unauthorized access.


In computing parlance this translates to the following actionable areas:

  • Security Apparatus
  • Data in Motion
  • Data at Rest
  • Monitoring, Logging & Audits
  • User Authorization & Access Controls

The first step was to build a relationship between Cloud Infrastructure providers and the Institutional Administrative effort needed to make Cloud Infrastructure both secure and comprehensive to support the genomic data research. A famous research school out of USA came up with the model as show below:

Reference: Practical Guidelines for Secure Cloud Computing for Genomic Data

This was an excellent recommendation to start with – both simple and sensible to adopt, and institutionalize in the best possible manner.

GCP offers integrated computing, network, storage and monitoring infrastructure to meet the security consideration, surrounding the following aspects:

  • Data in Motion
  • Data at Rest
  • Monitoring, Logging & Audits
  • User Authorization & Access Controls

The availability of a comprehensive infrastructure, combined with its security model and tools set that have been audited to be HIPAA compliant, makes the platform most attractive for health organizations to conduct advanced genomic research and provide insightful patient analytics.

With this background, the challenge was using GCP to simulate customer data flow, setup user access & controls, configure alerts & monitoring and then come up with a detailed step-by-step document for all applicable info. The final step was to test & validate before going through an acceptance criteria – involving Security and HIPAA Compliance Audit – on customer’s dedicated GCP.

Customized Security Guideline from Biarca

The proposed architecture on GCP consumed all three service components of a cloud computing solution: IaaS, PaaS and SaaS. For IaaS, the solution makes use of Google Cloud Storage (GCS) buckets, BigQuery (BQ), Google Genomics, Google Compute Engine (GCE) and Google Virtual Networking. For PaaS, the architecture comprises of a rich feature set of SDK, Identity and Access Management (Cloud IAM), API Manager (Cloud Endpoints), Security management, Logging, and Monitoring & Alerting services (Stackdriver). Google Apps provide rich enterprise calibre software applications that are preconfigured to run and administered from cloud.

Biarca’s security guidelines proposed the necessary recommendation through precise screenshots, wherever applicable, after comprehensively exploring all the applicable security options, settings and controls offered by GCP, for data at rest, data in motion, compute & network security, identity & access control management, logging, monitoring & alerting controls. The security configuration has been explored through a combination of platform and admin console dashboards and invoking sub-system API endpoint in Python coding. To improve security coverage, specific recommendations were done for the following subsystems:

  1. Google Apps Admin console settings
  2. Google Cloud Platform Console settings
    1. API Manager (Cloud Endpoints)
    2. IAM & Admin (Cloud IAM)
    3. Cloud Storage (GCS)
    4. Genomics
    5. BigQuery
    6. Compute Engine (GCE), Networking
    7. Logging, Monitoring & Alert (Stackdriver)

Biarca created a blueprint of the project, ran trials and documented all the best practices to deliver a HIPAA security allied cloud solution that meets the criteria of a 16-member committee of Security Officers, Compliance Officers, Lawyers and HIPAA Privacy Officers in order to prevent patient data breach and regulation violation.

Customer Value Proposition

The project done by Biarca for the Customer, helped maintain Security and HIPAA Compliance while continuing the get the other benefits of GCP:

  • CapEx savings due to GCP’s low system resource costs
  • OpEx savings because of GCP’s automation of several resource management tasks
  • Security Alerts & Monitoring
  • Network Analysis
“Biarca provided an essential service in bringing their expertise to our initial foray into HIPAA compliance on Google Cloud Platform.”
testimonialMichael Ames | Director of Technology Innovation, Colorado Center For Personalized Medicine, University of Colorado Denver

Related Webinar @ Top 10 Considerations for building a Cohesive Cloud Platform for Health Analytics

If you are looking for any additional information related to this case study, contact us.