HIPAA for Google Datastore and GAE standard?


Þórir Gunnarsson

Jan 3, 2017, 11:52:08 AM1/3/17
to Google App Engine
Hi

Does anyone know of plans, short term or long term, to include Google Datastore and the App Engine standard environment in the HIPAA Cloud Platform BAA?

These are not in the list of covered products as seen on: https://cloud.google.com/security/compliance.

"Google Cloud Platform will also support HIPAA covered customers by entering into a Business Associates Agreement. The Cloud Platform BAA currently covers Compute Engine, Cloud Storage, Cloud SQL, Cloud Dataproc, Genomics, BigQuery, Container Engine, Container Registry, Cloud Dataflow, and Cloud Bigtable."

Karolína Netolická

Jan 3, 2017, 2:08:19 PM1/3/17
to Google App Engine
Hi, we are aware of this limitation and are working towards getting this certification. I don't have a timeline I can share at this point. 

Þórir Gunnarsson

Jan 4, 2017, 4:42:02 AM1/4/17
to Google App Engine
Thanks for taking the time to respond.

As we are moving towards HIPAA in the immediate future, we will start planning the migration of our system to the covered products.

As far as I can tell this is what we need to do (a very rough outline):
- App Engine Standard environment for Java -> move the code to work on Compute Engine or Container Engine. The Flexible environment doesn't seem to be covered.
- Datastore (using Objectify) -> move to Cloud SQL
- Memcache -> operate our own instance of Memcache or Redis in Compute Engine

We are also using:
- Task Queue -> use the Java client library (it seems to be available now, haven't tried it) and make sure no protected data is passed through it
- Pub/Sub -> should work pretty much the same way as before, just make sure no protected data is passed through it
- Cloud messaging -> should work pretty much the same way as before, just make sure no protected data is passed through it

What do you think, does this sound like a plan? I only have about 40 different entities in Datastore so this will probably keep me busy for a few days :-)

Robert Erdt

Oct 19, 2017, 5:41:43 PM10/19/17
to Google App Engine
Hi!

I am not sure there is a clear understanding of HIPAA at Google. 

Google says Cloud SQL is covered, but not GAE.

So you can only conclude that PHI stored in Google Cloud SQL is covered by the BAA.

The problem is connecting to Cloud SQL from a web application. In my case, the ID and password are stored in the POM file, where they can be seen in clear text.

However, the only way to see the clear text is to log on from my account, or for a Google employee to look at my code. That brings the next concern: if someone logs on from my account and changes the password of the MySQL database, they get access.

The question is: can anyone else access the GAE, with the exception of those assigned and given access to the GAE?

Does anyone have this answer? 

If the GAE is secured from others, then it is HIPAA compliant.
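A check that follows from the concern in the post above, added here as an example and not code from the thread or from Google: a Python script that parses a Maven pom.xml with the standard library and flags credential-bearing elements (`<password>`, `<secret>`, `<token>` and property names that look like them) whose value is a literal rather than a `${...}` placeholder resolved at build or deploy time. The pom.xml it scans is constructed sample input, and the property names `cloudsql.user` and `cloudsql.password` are assumptions for the example, not taken from the poster's project.

```python
"""Scan a Maven pom.xml for database credentials committed in clear text.

Added example, not from the thread. The post above describes a Cloud SQL ID
and password stored in the POM file in clear text; this script finds such
entries so they can be moved out of the repository. The embedded pom.xml is
constructed sample input, not a real project file.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (assumed layout): one cleartext password in
# <properties>, and a plugin configuration that already uses a placeholder.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>app</artifactId>
  <version>1.0</version>
  <properties>
    <cloudsql.user>appuser</cloudsql.user>
    <cloudsql.password>hunter2</cloudsql.password>
    <cloudsql.instance>${env.CLOUDSQL_INSTANCE}</cloudsql.instance>
  </properties>
  <build>
    <plugins>
      <plugin>
        <artifactId>sql-maven-plugin</artifactId>
        <configuration>
          <username>appuser</username>
          <password>${env.CLOUDSQL_PASSWORD}</password>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
"""

# Element names (namespace stripped) that commonly carry a secret.
CREDENTIAL_TAGS = {"password", "passwd", "pwd", "secret", "token"}
# Inside <properties>, property names containing these words are treated
# as credentials as well (e.g. cloudsql.password, db.apikey).
CREDENTIAL_NAME_RE = re.compile(r"(password|passwd|pwd|secret|token|apikey)", re.I)
# A ${...} placeholder is filled in from an env var, settings.xml or the
# command line, so the file itself does not contain the secret.
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_cleartext_credentials(pom_xml):
    """Return (element_path, value) pairs for credential-like elements whose
    text is a literal value rather than a ${...} placeholder."""
    root = ET.fromstring(pom_xml)
    findings = []

    def walk(elem, path):
        name = _local(elem.tag)
        here = f"{path}/{name}"
        text = (elem.text or "").strip()
        suspicious = name.lower() in CREDENTIAL_TAGS or (
            "/properties/" in here and CREDENTIAL_NAME_RE.search(name) is not None
        )
        if suspicious and text and not PLACEHOLDER_RE.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    for path, value in find_cleartext_credentials(SAMPLE_POM):
        print(f"cleartext credential at {path}: {value!r}")
```

For a real project, feed it `ET.parse(path).getroot()` in place of the embedded string, or run it over every pom.xml in the repository as a pre-commit check. Moving a secret behind a `${env.VAR}` placeholder only relocates it: it is then as protected as wherever the variable is set (CI configuration, `settings.xml`, the deploy environment) and as the accounts that can read that location, which is the same access question the post raises about the GAE project itself.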