Security and Compliance in Healthcare (Cloud Next '18)



hello everyone can everybody hear me perfect I hope everybody's here to hear about health care and security and compliance and not about Twitter I will not be talking about Twitter are we talking about health care and I appreciate you making it making the trek over there was a little bit of a last minute scheduling change so before I get started I just want to introduce myself I'm Joe Corkery I lead our healthcare and life sciences product team in Google cloud and we'll be talking about security and compliance in healthcare now it's worked before it doesn't work now hello but yeah the clickers networking now let's see now works okay perfect all right so as many of you know millions of patients have been affected by data breaches in the past year and what you're seeing on the screen now is just a screenshot of the site at HHS where you have to go and report what data breaches as well as being able to go and look at various data breaches that have happened if you spent any time there you'll be surprised by the large number of data breaches that happen and most of them are relatively very small a few you know a few patients here and there sometimes a lot of it relays to someone losing a laptop that had information on it but there are a number of very large data breaches that happen as well ultimately you know this reinforces the concept that the threat is real health care organizations tend to be more than you know attacked more than twice the frequency of other organizations out there and you might ask why are health care organizations such a prime target and there are a couple of reasons for this I'm going to start off the first one is really the rich data that is health care data health care data tends to be very valuable both in terms of volume and the content that it contains and in particular when you think about you know medical identity fraud it often takes a very long time for that to be detected oftentimes you know when medical data is stolen people sit on it for years before they actually take advantage of it so there's a real high value to this data hospital systems are also at risk because they depend heavily on legacy systems and they're often slow to update that infrastructure that's often you know due to the fact that these systems are validated systems and they are working with systems that have you know have gone through very specific processes for compliance reasons for patient safety reasons so it's not a trivial matter to upgrade these systems but because of that they don't get patched regularly they have a tendency to get lost in the ecosystem and so these updates don't happen with the frequency that they should and lastly and importantly downtime affects patient safety and this is an issue with you know if you're not able to access your EHR system if you're not able to access other healthcare technology it actually puts a patient's at risk and as a result of that health care organizations are much more likely to actually pay ransoms to get access back to their system than another organization that might be willing to or able to tolerate that level of downtime as a result of this cybersecurity is becoming an increasingly important focus area in healthcare one of the things that I'm hearing more and more frequent frequently from healthcare organizations is that they're looking to cloud to help them with security instead of being afraid of security on cloud security is a real differentiator in the drive to cloud because of this the extensive time and effort that we invest in security you know in the cloud so what I'm gonna do now is I want to talk a little bit about how Google cloud is addressing security compliance in healthcare across the spectrum of Google cloud products for those of you who are not as familiar so Google cloud really encompasses multiple product areas there's Google cloud platform which is our infrastructure and platform as a service capabilities we have G suite which are their productivity and collaboration tools as well as chrome and Android which provide endpoints for which you'll be accessing this data and google cloud offers a nice end-to-end story for security where you can have secure endpoints with the devices Chrome Android you have G suite as you that operating layer in which you're interacting with your data sharing your data and then your infrastructure running on GCP so you have this nice security focused infrastructure from one end of the spectrum to the other in terms of how your data is handled and moved around I like this slide because it emphasizes sort of the traditional thinking around data security historically most people like to think that the best way to be secure is to build a very hard wall around everything and then once you're inside that wall it's assumed you're okay you're trusted you have access to everything the problem with that is once you penetrate that wall you have access to all the soft squishy stuff in the middle without having to do any other you know authentication or approach and Google takes a very different approach to this say you know leveraging this concept of zero trust computing where you have to be authenticated at every level of the platform is not just once you're inside the network perimeter you trusted your never trusted you always are having to relocate as we think about that I want to dive into a couple of different areas for the rest of the talk I'm going to start off by focusing on what we're doing in this in the world of protection so how are we building out the infrastructure how is it being designed and operated to prevent threats I'm going to spend a little bit of time talking about some of the different controls that are in place and some of the capabilities that exist on top of the infrastructure to help you manage your own security settings and then I'm going to finish up by talking a little bit about compliance and in particular healthcare compliance one of the things you know Google really operates on is this mindset that we want to do to defense and depth and it's scale and by default so we are not relying on that you know soft shell exterior to protect you everything from the hardware infrastructure to how we deploy services to how we do storage to identity management's to the Internet communicate in operational device security that all has a security focus embedded throughout it's always a top of mind and done by default so that it's easy for you to operate as part of that we purpose build pretty much our entire hardware infrastructure and we do this so that we can have provenance of our hardware from the bottom of the stack to the top to ultimately reduce the chance of a vendor in the middle attack against your environment and that what we have on the screen right now are highlighting some of the different you know pieces of the stack you know starting from the purpose-built michael microcontrollers to servers storage network and data centers at any given time Google is one of the largest server manufacturers in the world and that's solely in the purpose of building servers for ourselves not actually selling servers to other people I believe it was last year at next where we announced Titan which was as purpose-built microcontroller that is used to provide a hardware route of trust for all the machines and peripherals in our cloud infrastructure Google's networking infrastructure is also a important area in our security and I say there are lots of data centers around the world and each one of those data centers is connected to each other by a Google's own private fiber and what that means is that when you have data that is moving from data at one data center to another it is not traversing the public Internet limiting the exposure of your data outside so when you know the only time the data is traversing the public Internet is when it's going from the nearest point of presence to your local machine so very limited exposure outside of you know once you get outside encryption is on by default this is a you know one of the expectations that you see in HIPAA compliance is that you know all your data should be encrypted at rest we just do this by default any data that you bring to the cloud is encrypted at rest all the time no work required and then as we get back to it a little bit further up the stack thinking about endpoints so with chrome and Android devices you have these tools that are universally available they have tightly integrated secure services and they think about security management on device a lot of those primitives have just built-in and when you couple that with Chrome browser which you know has capabilities for auto updating safe browsing built-in there's a lot of network security built into the Chrome browser as well you get a lot of that effort you know really security protections out of the box with very little effort one of the nice features about the Chrome browser is you can actually have the security settings for your browser sync across all instances of your identity so if you have multiple devices on which you're using Chrome but you're you logged into Chrome with the same identity you have the same settings everywhere so you're not always having to worry about you know did this laptop get out of sync with my desktop or my phone I want to spend a little time talking about Chrome in healthcare because I think this is actually a really important value proposition in terms of data security when we think about you know that today's healthcare worker I mean there everybody's obviously very security conscious and aware of the implications and the dangers but people are you know most healthcare organizations are also fairly budget conscious there's a you know operating on very tight margins increasingly the workforce is much more tech enabled wanting to have access to wide variety devices in hands as they move around from patient to a patient to encounter and as part of that as the digital your scene with the digitization of healthcare they need access to all these cysts you know all their files and there are other administrative systems from any place that they are they're located and as part of that you know you have you know a need for mobile devices when you have you know caretakers going from room to room when you have visiting nurses at home people doing you know off-site you know off-site visits there's this need for mobility but that's combined with security and access to these resources chrome browser as I mentioned is one of those components in that space it has a lot of capabilities built in to protect against phishing attacks malicious sites malware with you know the capabilities of Google Safe Browsing Chrome OS it's a security focused OS and easy to manage computing platform well we have a lot of interest in this because it's you know easy to run easy to operate and you built built-in security at all these levels but one of the nice features of that is with Chrome OS it's tied to Chrome devices and with chrome devices you get those sort of that lower total cost of operating from the cheaper hardware or from the more you know cost-effective hardware but you also gives you the ability to have a broader set of use cases so you can have the you know one device in each room or on carts that anybody with the right identity you can log into and your session follows you from location to location and when you have tools like Chrome Enterprise which allows you to do large-scale enterprise management of the devices coupled with identity you have a world in which you know if you lose the device you haven't lost the data on the device because these all the debt all the data is stored in cloud you are at your your identity you know your session you know doesn't persist past your login and so one of things that we find is that like you could actually have a world where you know every day you come in and you operate on a brand new device every single day and you would have the same experience so you just you know show up they hand you a device for the day you use that it's a really powerful capability in a world where there's a lot of movement a lot of mobility and you want to reduce the risk of you know devices being lost and causing data leak because sort of laptop loss is certainly a common cause of healthcare privacy breaches this is just an example chapters Health System actually went and purchased 1.2 million commercial Chromebooks you know a lot a lot of their interest around this was how fast they were to operate how easy they were to boot up but also yeah reducing the number of times they have to log in reducing you know eliminating the need for VPN to access a lot of their systems doctor comm also deployed chrome devices in their in the practices that they were supporting to give people an easy way your way to fill in forms which were then the results of which were captured in Google sheets and they could then just you know you know move the device from patient to patient and they're cleared between instances now as I was talking about the the benefit of having Chrome devices is that you know you have these single sign-on but you also they usefully tie in with this concept of what Google is called beyond Corp the idea that as I was emphasizing before you don't want to rely on you know your network being the source of truth as to your identity so the ability to say that you know you know what how we going to do security you know decoupled from you know your networking connection so how can I access my application without having to go through a VPN and so Google has externalized these ideas as a tool called identity aware proxy and the identity aware proxy sits in front of your internal applications and allows you to authenticate users access to that application without going through a VPN so you know you stand that you stand this up in front of your applications you go to login and then it gets you using internal you know using sort of your internal security tools for your identity management and this is then also frequently coupled with strong authentication so the idea that you would have two factor authentication which allows you to have you know phishing resistant accounts and when you couple that with auditing and logging tools you have much better insight into who is accessing your tools from where and what and the capabilities so when you think about this from an implementation point of view frequently at Google the way it works is you know I've got my accounts my identity and I've got a password but I also have a security key which is uniquely assigned to me and if I want to go act as an application instead of logging into a VPN and entering my password I can go directly to the application I log in but then I am prompted to you know tap on my security key to prove that I am Who I am and this is valuable because if you know you know someone sends me an email and I'm fish tonight you know give out my password I'm you know nobody can still access the resources I had access to with just my password they also have to have that security key that I carry around with me so broadly Google is really trying to keep ahead of the new threats that we're seeing in the community we're continue our customers are continually reaching out to us with new requirements across geography as well as verticals Healthcare is really driven a lot of the thinking that I'm going to talk about lately and part of this is that Google has you know multiple applications that serve more than a billion users each and what that means is that Google is protecting the data for you know a billion plus users and we're able to take the security practices that we've developed internally to protect that data and make them available to the larger community to protect their own data we've been making significant investments in both our hardware network infrastructure you know almost 31 billion over the past three years and when you couple that with that leading team of security engineers and researchers you know that there's gonna be continuous investment and we will be at the forefront and broadly there's a significant amount of community engagement that's happening in terms of open source contributions I'll talk a little bit more about this later there's a open source program called for SETI specifically looking at security tools for Google for which their country a lot of contributions are being made as well as significant amount of research going into high impact you know vulnerability in research and one of the things I want to talk about is there's a project zero team at Google and the goal of this team is to identify security risks before they're known so looking at you know finding these you know risk factors these vulnerabilities that nobody else knows about and then being able to prepare ourselves in advance of them actually becoming threats so good you know this project zero team was the you know one of the first to discover the heartbleed Spectre meltdown and because of those discoveries Google was able to patch and adapt our systems to protect all of our customers before they were even publicly known as vulnerabilities Lidia long talked about this in the aftermath of the specter meltdown you know citing Google as the one with the clearest most comprehensive customer communications for how to respond to these vulnerabilities oh sorry there we go so now I want to train I want to transition to talking a little bit about controls broadly in most of you are probably familiar with this that cloud security requires collaboration and this is the same as true for compliance there's you know Google is responsible for securing our infrastructure you're responsible for securing your data and who has access to that data but we help by managing you know depending you know where we are in the stack including best practices templates and a wide grouping of products and solutions to help with that as well but when you think about this you know at the one end you have you know infrastructure as a service where things like compute engine and cloud storage where a lot of the security management compliance there is on your end you know Google does a fair bit of that but you there's you know the burden of the shared responsibility is a little bit more on the customer where you go to the other end with something like Gmail and Drive where Google is really owning much more of the met the IT security management so I think it's important emphasize that in the end you know security compliance it's a shared responsibility and it's just important to be aware of where that level of where you are in the amount of sharing that has that has to happen one of the tools I want to talk about I mentioned that you know we're providing products and solutions one of the tools that we've made available as a tool called the data loss prevention API and what this is is this is a this is a product which is designed to find personally identifiable information in data and then that tool can be used to redact or transform that data so this is an example here of you know you know some notes where they included a name credit card number phone number email and these were detected by the DLP API and then redacted so the cloud DLP API well really at a high level you start with raw data that can be fed into the DLP API and then that can be redacted and then that data can be made available for analytics purposes for the purposes of sharing with other people as well as for application development seeing a lot of interest in this in the healthcare space particularly thinking about how to ID risk data warehouses for instance you may have a research data warehouse that you know you're gonna let you know your physicians work with or your researchers work with or maybe medical students and they may all you know under your guidelines have appropriate permissions to see fully identified data but you don't have to let them see that and they don't need to see that data so this provides the ability to de-risk a lot of the research use cases that you see in an organization it's also useful in application development where you know if you have the application developers of the support team they don't need to actually look at the raw data in order to be able to support the application and do for future development but the application itself what it does is it provides you with a flexible classification tool to look at a wide variety of sensitive types of data so looking at you know names Social Security numbers you know various country identifiers you know location and you can actually customize which ones you want to detect and how and so it's a highly configurable tool and then it gives you the ability to de-identify that data so you can eat you can use it to both classify and D identify through tools like dynamic data masking you can do format preserving encryption so if you wanted to continue to look like a social security number but not actually be a social security number you can do that same thing with credit cards as well as a variety of other transformations coupled with this it has tools for RIA Denton risks so being able to calculate the K enemity K anonymity of the data so for instance if you have one column and that column of data you know is job title and you know the vast majority of job titles say software engineer that's great but one of those job titles is CEO of Google that's a fairly identifying you know indicator and so knowing that that only appears once in your data set is it you know is a area of concern so you can iterate through these processes you can also supply custom dictionaries so if for instance you wanted to supply a dictionary of all your physicians names to make sure that they are detected same thing with custom regular expressions and this too so the the PII classification engine that is available in the DLP API is also a powers Gmail's data loss prevention key tools which are highly configurable so the idea that you can actually set this up in Gmail to say quarantine all my emails that include a credit card number or include a social security number as a way to prevent data leakage so this is a quick demo here of an application that we you know we mocked up to you know show some of the capabilities what what might be possible looking at a you know a clinical note being you know evaluated in real time and you know going from you know so redaction so you see they changed it from you know transformations just saying these are the different identifiers or you can go to the identify where it's doing transformations so doing name substitution doing date shifting throughout the the data set and they're just a couple different example notes showing how this work and so we we've done a lot of work with the DLP API team as well as you know providing some healthcare specific enhancements for some of the model training particularly because you know there are you know the both the context of the data in the meaning you know in clinical notes may be different depending on the use case many of you probably heard about the cloud healthcare API we announced it launched alpha this week we had a announced it initially back at him surely err last year and the goal of that is to make it easy to ingest healthcare data right now with the focus around EHR data as well as imaging data into what we call a healthcare data set and we currently support a wide variety of data types hl7 v2 fire DICOM and one of the things that we're trying to leverage with the DLP API is to make it easy for you to apply those de-identification tools to these data sets so basically adding the identification as a native transformation of these data sets to give you that you know ultimately idea start with an identified data set and end up with a de-identified data set now it's important to emphasize that like you know know D identification process is perfect and so you will have to make your own you know risk evaluation before you you know share it but it's a very powerful to if you want to reduce the risk of this data and this is important because a lot of the use cases that people have for this data is they want to be able to join this with other data types but you don't want to necessarily join on the PII or you want to export it for other people to work with you know assuming you're comfortable with the level of the identification that's happened and this is important you know so if you want to have a research data warehouse where you're looking at you know you know population health and you want to allow people to ask questions without destroying a lot of the value in the data but it's also important for machine learning training because you know as people build models you don't want to be building machine learning models on fully identified datasets because you don't want to take a chance that you're encoding PII into the model itself I want to change gears a little bit to talk now about cloud security command center which is a relatively new product on the cloud that really helps you gather data and identify threats about your environment and then act on them become before they become actual sources of damage or loss you can see the cloud security command center here is part of the cloud console platform where you get visibility into your data as well as your services can generate powerful security insights and then you know it's important because it's a flexible platform so you can plug in other capabilities to it and extend it as well what you're seeing here is you know some of the visibility you get into your cloud assets with the cloud security command center this is the asset inventory where you can see you know all the different you know but you know all the different cloud resources that you have provisioned and you can go drill down into them you know what's you know how many do I have what's new what's deleted you know and you know really get you know a higher level insight one of the things that I've you know a lot of people have found with a lot of the problems with IP is that you often times you know you can have sort of these shadow IT infrastructures that nope that people don't have insight into so you know you have someone who's creating resources and you don't know those you know virtual machines exist you don't know these storage locations exist and this gives you visibility into everything in your organization there are also tools to be able to detect you know where your sensitive data is so the data loss prevention API into with this you can also use anomaly detection to look for anomalous activity or behavior around your resources and that ultimately enables you to take action against those risks that you detect cloud security command center gives you the ability to identify a number of key cloud security risks whether it's sensitive data that you need to have better controls around through the DLP integrations looking for public storage buckets there are a lot of you know security breaches that have happened over the past year or so where someone misconfigured a storage bucket and lifts it available for everyone to look at you know looking at who's modifying my resources you know are the permissions changing who's doing that why also you know being able to scan for known application vulnerabilities misconfigured access policies you know does this dataset have too broad and access permission landscape for what it should have as well as you know monitoring for external threats I also mentioned that it's a relatively flexible platform so it integrates with a number of security tools which I've already touched on cloud security scanner is another one of those tools but it also allows you to incorporate insights from a number of our partners and they're able to do that through a REST API that it provides and I'm highlighting here a number of the detectors and integrations that exist with cloud security command center right now so internally we have the DLP API we have security scanner for SETI's security which we talked about a little bit earlier with that open source collection of tools that's really focused on gzp as well as google anomaly detection but we also have many partners for whose capabilities you can integrate very directly into cloud security command center when you think about the different security program activities you know you as a you know security officer or a member of security team might be thinking about there are a large number of them I'm not gonna walk through every single one of these because we wouldn't have enough time but you know when you think about it at high level you've got Identity and Access Management application security infrastructure security security operations you know thinking about your endpoints data network governance risk compliance these are all areas of focus that you need to be thinking about that you you know they're going to be a variety of different approaches you take and at Google we've done is we've actually providing products and offerings for you in for each one of these capabilities thinking about what are the Cape you know how can we help you address all of these individual categories in your day-to-day operations across GCP G suite as well as endpoints and devices in addition to that we know that we you also probably have partners that you prefer to work with that you work closely with it that adds other capabilities that we have not built yet so we also work closely with a wide variety of partners in the security ecosystem to help you with each one of these cases as well ultimately what we're trying to do is we're trying to empower our customers to have the best security for their data and part of what we do is we're able to leverage the proven security capabilities that we have built internally to protect the billions of users that are using Google tools and make it available as cloud product offerings so you know you know uber proxying beyond Corp led to identity aware proxy hardware second factor authentication is the security key so there's a lot a lot of externalization of our internal security practices into tools that you can use yourselves and i've touched upon this a little bit before but google continues to be an innovator in the security space you know pioneering a lot of the work and zero trust computing a lot of work has been done around certificate transparency using blockchain to public ledger to protect against certificate authority compromises as well as certificate forgery continue to innovations and services security with sto security and also you know thinking about the future well what happens in a world where you have quantum computers and how does that change the our approach to cryptography so Google is really doing a lot of forward thinking in that space now I've talked about a lot of the capabilities that Google Cloud can provide talk a little bit about some of the specific you know concerns or use cases you might have particularly in the healthcare industry so phishing is one that you know is a very common concern and ninety was 91 percent of cybersecurity attacks start with a phishing email and phishing you know for if you're not as familiar what this really is this is a you know in attempts to gain information from you through a very highly targeted approach so the you know phishing researcher will spend a lot of time doing research about you or about a class of people like you and send a highly targeted email that looks like it's it's valid you know it looks very similar to something that you would see and you know tricking you into providing your credentials or tricking you into downloading malware or you know sharing sensitive data and this was actually been you know a source of a number of losses here Mattel is an example up here where you know a see their CEO is fish and led to you know a three million dollar loss and so what Google is able to do in this space so gmail has been using machine learning to find phishing emails and prevent them from every reaching the inbox so being able to identify them and just you know classify them as a danger and not deliver them directly to the inbox Chrome browser is enabled you know is aware – you know warned you before clicking on suspicious links and security keys I talked about this earlier as part of second factor authentication the idea so let's say I do get fished and I give you my password it doesn't matter because you can't access my data because that's protected by a second factor authentication as well ransomware again this is a I think probably one that's you know pretty familiar in the health care space especially when you think about the wanna cry attacks from last year where the National Health Service in the UK was basically taken offline for a number of days and what that meant is physicians went back to pen and paper for working with people in the hospital systems what happened patients were basically you know appointments were canceled people weren't told not to come in you returned to people were turned away and basically you know and a high-level said only seek medical help if you have an emergency this was a huge problem and they were actually fortunate like to get out of this by you know someone discovering you know a way to get around want to cry but and this comes back to this you know the statement that you know you know taking health care systems offline has real patient safety impact which is why these areas tend to be targets and when we think about you know what you know what can be done in this space again you know gmail is using machine learning to identify the types of emails that you know might be you know classified as you know triggers for ransomware when you think about data storage and drive the data stored is stored in the cloud so it can be protected from ransomware outbreaks particularly you know it's a little bit more difficult you can't just encrypt it locally on the disk but it also means it doesn't move from device to device in the same way that local work does and Chrome browser will you know help you you know not go to suspected site sites that are sites that are suspected of hosting ransomware I mean it's not it's not a perfect guarantee but they have a lot of insights into you know what are places that are dangerous and can warn you about that and then Chrome OS devices really limit the spread of you know ransomware you know from device to device as well data exfiltration again so that you know this is the idea that you're worried about you know you know either human error or malicious insider taking data out from your system we've touched on a lot of the capabilities already in this talk that can be useful here the data loss prevention API to help you identify what your sense that you know where your sensitive data is and who has access to it so identity and access management allows you to control who has access to those sets of data so you can say well I know that this is sensitive data so only people with this role should have access to this data set the same thing with the the V PC service controls allow you to set up secure access zones for handling sensitive data and for steady as we talked about actually enables you to set up security rules that can you know man basically so that you can ensure that they are set up and deployed correctly from the start and then make sure that you're only being changed by the right people well you could you know what you hear about is and this is again you know something you hear about a lot is like these misconfigured storage leading to a lot of these leaks so understanding you know what are the right access controls that you need being aware of who has access to all of your different storage locations is really important secure access this comes back to the topic of I want to be able to access my data from anywhere you know we're seeing in the you know especially in the healthcare community there's a great deal of mobility you know you know whether it's inside the hospital but increasingly physicians also want to be able to access this data at home you know you're on call at night you want to be able to log into the system relatively easily without having to go into the hospital it's an important capability for telehealth so that you can actually view data from home or from remote locations and you know generally you know having the ability to have secure access off-site you know you know makes it easier for people to do their jobs people are a little bit happier and Google has a wide variety of capabilities there so I talked about cloud identity so you can you know give people their identities and help people understand who has the right roles and permissions to access different resources identity aware proxy gives you the ability to put this proxy layer in front of your applications so that way you have to you know you don't have to have everyone set up a VPN on their device that basically just punches a hole into you know your outer shell because you don't have any key if that device is lost in the VPN is on there you know you've just introduced a new vector of attack into your system and Chrome OS devices device management enterprise management I've talked a lot about this already but you know when you have you know these sick you know these devices which are you know easy to manage at scale have the security capabilities built-in and you couple them with the identity aware proxy and good identity controls it gives you the ability to let people access data remotely where you have good view of who's accessing the data and what there with it security monitoring I spent a lot of time talking about how do you prevent you know security threats part of that is actually just ongoing monitoring of understanding you know all you know what threats you know you know are there active attempts on my system or more or if somehow they managed to disguise the fact that they've got into this how are you gonna do the forensics afterwards what tools do you have to look into what happens and how you can reconstruct that behavior so you can really understand what to do about that I highlighted cloud security command center is one of those tools Gee's suite also has a security center for this type of monitoring for SETI is a powerful tool as well as a number of our partners in the space including Palo Alto CloudFlare and red lock another important area of attack is you know the distributed denial-of-service where a you know a bagged actor is going to take down your website your application your capabilities by flooding you with requests and you know basically making it unable unable for you to serve your applications so you know you can imagine a world where you know perhaps you've exposed external api's to your medical record system or to your scheduling your billing system and those can be overwhelmed by external requests and people can say well I'm going to keep this up until you pay our ransom so Google actually has a number of capabilities to help people with this first you know the massive network infrastructure is able to scale up and absorb a lot of these DDoS attacks without really any intervention required on your part we also have a tool called GCP armor that can selectively protect an application level by you know blocking unwanted traffic from certain locations as well as a number of partner solutions that are available that are easy to deploy so in the last couple of minutes here I want to transition to talking about compliance because it wouldn't be a healthcare talk if I didn't spend any time talking about compliance one of the things I really want to emphasize most and I've you know it's it's it really important to clarify is the data that you put into Google cloud is your data you own that data you control how that data is used we're not scanning that data to provide advertisements we're not selling that data to third parties we're not doing data mining on that data we're not building machine learning models on that data you control that data and if you want to delete that data you can delete that data and we provide assurances for how quickly that data will be removed we're very clear about all these details in our data processing terms as part of our Terms of Service you can go see what restrictions we have on how we process it what who our third party audits and certifications are learn more about the incident notifications in the event of a data incident also learn a little bit more about our security measures and who the subprocessors are as we think about that concept of data being your data I want to one of the things that we want to do is make sure that you have transparency into that and we launched an application earlier this year called access transparency and what access transparency does is it gives you insight including an immutable audit trail of actions taken by Google engineers or support whenever they do have to interact with your data so if someone at Google has to interact with that data you'll get an audit record of that for those applications and when you combine that with cloud audit logs you have a much more comprehensive view of the administrative activity that happens in your environment here's an example of what an access transparency log looks like and really what it's telling you is you know what piece of data was accessed where it was accessed from and why it was accessed so you can see up top there so like you know the product was cloud storage this was the you know this was the resource that was accessed you know was accessed from the United States and the reason was you know customer initiated support and there's the ticket number so you get all this details so you feel confident in understanding why this access occurred this is a typical workflow you might see where you have a customer who's looking at data in one of their buckets and realizes my data looks like it's been corrupted I'm gonna call support to find out what happens the support person you know says okay I'm going to go look at your data you know is given access to you that looks at it and agrees yes your data looks corrupted and you can see right there in the log that this support engineer actually looked at your data and he says okay well I'm gonna escalate this to an engineer who has a more sophisticated debugging tool and when that engineer accesses it that also generates a log to give you that insight of when these when the data is being touched ultimately what we were trying to do is build trust through transparency and how do we do this we you know first of all if we spend a lot of time writing detailed technical white papers and providing compliance certifications so that you know that what we say we do is actually what we're doing we do publish a transparency report related to government and legal actions and we offer cloud audit logs to help you understand what your administrators are doing in terms of accessing data as well as access transparency so you have insight into what Google administrators would have to do with if they ever have to touch your data as I said before we provide a number of third-party audits and certifications you can come see these here and you know I want to spend a minute or two just talking about HIPAA you know this is healthcare you know Google cloud platform and G suite do support HIPAA compliance which means that you can build HIPAA compliance workloads on top of GCP and use G suite and HIPAA compliant fashion we publish implementation guides to help you understand how to do this as well as what your responsibilities are in terms of how you're using and operating these in a HIPAA compliant fashion and one of the things that's important is we're able to do this because of Google's internal security processes and measures and because of the high standard that we hold ourselves to wasn't actually any we didn't have to do anything special in terms of new security features or provisions to achieve HIPAA compliance what that means is that you can use these up these tools in any region you can use any of the instances so there aren't it's not like if you're using Google compute engine there aren't just specific VMs that are approved for this it's you know the whole scope of that application we already take advantage of encryption by default so you don't have to do that and we said we signing an enterprise-grade BAA which means that if your organization signs a baa with Google it covers all of your organization's projects you don't have to selectively designate that this project is a HIPAA project and this one is not and importantly there's no up charge because all of our security you know we do you know we have this level of security for ourselves all the time we don't have to Pat you know we're not passing on any costs for an added capability and this is my last slide and what actually really incited there was a lot of interest in the healthcare community over the past year really asking us to get high trust certification so we went out and we did that and was excited to announce a earlier this year you know we did receive high trust CSF certification you can read more about that on our website and with that I will thank you for your time I appreciate many of you who made the hike over from West if you were accidentally directed there I'll hang around for any you know QA over here if anybody has any questions but I got to make room for whoever's a gonna be on the stage after me so thank you very much you

Leave a Reply

Your email address will not be published. Required fields are marked *