Quick steps to develop a PHIPA-compliant Google Cloud landing zone

Personal health information is among the most sensitive categories of personal information, and people are understandably protective of details about their medical conditions. The data must therefore be protected at every step of its flow: from a doctor's office to a referral, to a specialist, to a medical lab, to a hospital, or to an insurance company for reimbursement of claims.

On November 1, 2004, the Personal Health Information Protection Act (PHIPA), Ontario's health-specific privacy legislation, came into force. It sets out general principles for the collection, use and disclosure of personal health information (PHI) and prescribes information practices for handling PHI, including security, retention and access. Any cloud landing zone, research environment or cloud data warehouse that handles Ontario PHI therefore needs to meet the PHIPA checklist and requirements.

SpringML has developed a PHIPA-compliant Google Cloud landing zone built with reference to the Government of Canada's PBMM (Protected B, Medium Integrity, Medium Availability) landing zone, which is itself a key compliance baseline. The deployed PHIPA landing zone maps to 12 PHIPA sections and is supported by 13 Google Cloud security and encryption controls.

Deploying the landing zone creates the modules shown in the figure below:

Fig. Google Cloud resources added after running the common script on top of bootstrap

Each of these modules contributes to compliance with one or more PHIPA sections. The Audit and Security module is shown in detail below:

Fig. Audit and Security Google Cloud resources added after running the common script on top of bootstrap (expanded view)

Here is a list of Google Cloud controls mapped to the PHIPA checklist, with a description of how SpringML's landing zone implements each:

Google Cloud control – SpringML landing zone compliance

Section 10(1)(2) – Information practices

Organization policies and constraints: Organization policies and constraints are enabled in the landing zone. The following are set at the organization level by the deployment script:

1. Use of corporate-approved, trusted virtual machine images.
– constraints/compute.trustedImageProjects

2. Skip default network creation.
– constraints/compute.skipDefaultNetworkCreation

3. Setting data retention timeframes within Google Cloud.

Cloud Identity-Aware Proxy: Cloud Identity-Aware Proxy (IAP) is enabled in the landing zone through the firewall rule setup (the IAP bastion ports rule listed under Section 12(1)).

Resource Inventory Management: Resource Inventory Management is enabled in the landing zone using Guardrails. This ensures that access policies and configurations are secure and meet corporate standards.

Section 11 – Accuracy

Cloud Logging: Cloud Logging is enabled, with Admin Activity, Data Access, System Event and Policy Denied audit logs. This supports monitoring of changes to resources and helps ensure the accuracy of data. Note that Admin Activity and System Event audit logs are always written, whereas Data Access audit logs are off by default for most services and must be enabled explicitly.

Data Loss Prevention strategies: Cloud Data Loss Prevention is enabled; inspection templates and de-identification templates are created by the Terraform scripts.

Section 11(2) – Accuracy in disclosure

Access Transparency: Access Transparency logging is enabled at the organization level. Currently this is a manual step.

Section 12(1) – Security

Encryption at rest and in transit: Cloud Storage is used to store audit logs, build artifacts, etc. All data stored in Cloud Storage is encrypted at rest (with Google-managed keys by default).

Secure VPC networking and firewalls: Secure VPC networking and firewall rules are enabled in the landing zone in support of the organization's security strategy. The VPC and subnet created are:
– sbsecnr-testvpc-vpc
– sbsecnr-subnet01-snet
Firewall rules created:
– sbsefwl-allow-egress-internet-fwr
– sbsefwl-sbsecnr-testvpc-vpc-deny-all-egress-fwr
– sbsefwl-allow-ssh-ingress-fwr
– sbsefwl-sbsecnr-testvpc-vpc-iap-bastian-ports-fwr

Cloud Identity-Aware Proxy: Cloud Identity-Aware Proxy is enabled in the landing zone through the firewall rule setup.

Incident response and Cloud Security Command Center: Cloud Security Command Center is enabled in the landing zone. The following services are enabled for a consolidated view:
– Cloud Security Scanner
– Cloud DLP
– Cloud Logging

Identity and Access Management best practices: Users are authorized to act only on specific resources, and Google Cloud resources are managed centrally. IAM best practices followed include:
– Creation of custom roles
– Creation of service accounts
Separate service accounts are created for:
– Cloud Build
– Terraform
– Billing
The following custom roles are created:
– billing_operations
– billing_viewonly
– domain_administrator
– billing_administrator
– network_administrator
– application_operators
– security_operators
– application_developers
– platform_operators_nonp
– platform_operators_prod

Section 13(1) – Handling of records

Encryption at rest and in transit: Cloud Storage is used to store audit logs, build artifacts, etc. All data stored in Cloud Storage is encrypted at rest (with Google-managed keys by default).

Section 50 – Disclosure outside Ontario

Data location: The landing zone is created with the constraint "constraints/gcp.resourceLocations", which allows Google Cloud resources to be created only in the permitted locations. The constraint governs location-bound resources; resources that are global by nature are not restricted by it.

Section 55.2 – Electronic health records

Access Transparency: Access Transparency logging is enabled at the organization level. Currently this is a manual step.

Cloud Security Command Center / Cloud Security Scanner: Cloud Security Command Center (Standard tier) is enabled at the organization level.

Section 55.3 – Requirements for electronic health records

Data Loss Prevention strategies: Cloud Data Loss Prevention is enabled; inspection templates and de-identification templates are created by the Terraform scripts.

Secure image and container development best practices: This control is enforced as an organization policy (constraints/compute.trustedImageProjects) that allows only authorized images.
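The organization policies listed under Section 10(1)(2) (trusted image projects, skipping default network creation, and data retention) together with the location constraint from Section 50 can be declared in Terraform as in the block below. This is an added example and not SpringML's landing zone code. The organization ID, the image project, the bucket and project names and the 400-day retention period are assumed placeholders; the constraint names are the real Google Cloud ones, and northamerica-northeast1 is the Toronto region.

```hcl
# Added example (not SpringML's code): organization policies and an audit-log
# bucket for a PHIPA landing zone. All IDs, names and the retention period are
# assumptions; replace them with your own values.

variable "org_id" {
  description = "Numeric organization ID (assumed placeholder)"
  type        = string
  default     = "123456789012"
}

variable "image_project" {
  description = "Project holding the corporate-approved VM images (assumed)"
  type        = string
  default     = "corp-golden-images"
}

# 1. Only images from the approved project may be used to create VMs.
resource "google_organization_policy" "trusted_images" {
  org_id     = var.org_id
  constraint = "constraints/compute.trustedImageProjects"

  list_policy {
    allow {
      values = ["projects/${var.image_project}"]
    }
  }
}

# 2. New projects do not get the auto-created "default" VPC and its
#    permissive default firewall rules.
resource "google_organization_policy" "skip_default_network" {
  org_id     = var.org_id
  constraint = "constraints/compute.skipDefaultNetworkCreation"

  boolean_policy {
    enforced = true
  }
}

# Section 50: location-bound resources may only be created in the Toronto
# region. Global resources are not governed by this constraint.
resource "google_organization_policy" "resource_locations" {
  org_id     = var.org_id
  constraint = "constraints/gcp.resourceLocations"

  list_policy {
    allow {
      values = ["in:northamerica-northeast1-locations"]
    }
  }
}

# 3. Data retention: the audit-log bucket lives in the permitted region with a
#    locked retention policy. A locked policy cannot be shortened or removed,
#    so objects cannot be deleted before the period expires.
resource "google_storage_bucket" "audit_logs" {
  name                        = "phipa-lz-audit-logs-example" # assumed name
  project                     = "phipa-lz-logging-example"    # assumed project
  location                    = "NORTHAMERICA-NORTHEAST1"
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"

  versioning {
    enabled = true
  }

  retention_policy {
    retention_period = 400 * 24 * 60 * 60 # 400 days, in seconds (assumed)
    is_locked        = true
  }
}
```

After applying, confirm the effective policy on a child project rather than trusting the plan: `gcloud resource-manager org-policies describe constraints/gcp.resourceLocations --project=PROJECT_ID --effective` shows what is actually enforced after inheritance and any folder-level overrides.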
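The VPC, subnet and four firewall rules named under Section 12(1) could be declared in Terraform as below. This is an added example, not SpringML's landing zone code: the resource names are the ones the table lists, but the CIDR ranges, the `bastion` and `egress-allowed` network tags and the corporate source range are assumptions. 35.235.240.0/20 is Google's documented source range for IAP TCP forwarding, which is what "IAP enabled via firewall rules" means in practice. The two properties worth checking in any landing zone are that the SSH ingress rule is not open to 0.0.0.0/0 and that the deny-all-egress rule sits at the lowest priority so the narrower allow rules override it.

```hcl
# Added example (not SpringML's code): VPC, subnet and the four firewall rules
# named in the compliance table. CIDRs, tags and the corporate range are assumed.

variable "corp_cidr" {
  description = "Corporate egress range allowed to SSH to the bastion (assumed)"
  type        = string
  default     = "203.0.113.0/24" # TEST-NET-3 placeholder
}

resource "google_compute_network" "vpc" {
  name                    = "sbsecnr-testvpc-vpc"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"
}

resource "google_compute_subnetwork" "subnet01" {
  name                     = "sbsecnr-subnet01-snet"
  region                   = "northamerica-northeast1"
  network                  = google_compute_network.vpc.id
  ip_cidr_range            = "10.10.0.0/24" # assumed
  private_ip_google_access = true           # reach Google APIs without public IPs

  log_config { # VPC flow logs feed Cloud Logging
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Default posture: nothing leaves the VPC. 65534 is the lowest user-settable
# priority, so every narrower allow rule below takes precedence over it.
resource "google_compute_firewall" "deny_all_egress" {
  name               = "sbsefwl-sbsecnr-testvpc-vpc-deny-all-egress-fwr"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 65534
  destination_ranges = ["0.0.0.0/0"]

  deny {
    protocol = "all"
  }

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Only instances tagged egress-allowed may reach the internet, and only on 443.
resource "google_compute_firewall" "allow_egress_internet" {
  name               = "sbsefwl-allow-egress-internet-fwr"
  network            = google_compute_network.vpc.name
  direction          = "EGRESS"
  priority           = 1000
  destination_ranges = ["0.0.0.0/0"]
  target_tags        = ["egress-allowed"] # assumed tag

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# SSH from the corporate range only, never from 0.0.0.0/0.
resource "google_compute_firewall" "allow_ssh_ingress" {
  name          = "sbsefwl-allow-ssh-ingress-fwr"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = [var.corp_cidr]
  target_tags   = ["bastion"] # assumed tag

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# IAP TCP forwarding: Google's IAP proxies connect from 35.235.240.0/20.
# Allow that range and nothing wider.
resource "google_compute_firewall" "iap_bastion_ports" {
  name          = "sbsefwl-sbsecnr-testvpc-vpc-iap-bastian-ports-fwr"
  network       = google_compute_network.vpc.name
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["bastion"] # assumed tag

  allow {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}
```

The firewall rule alone does not make IAP usable: the IAP API must be enabled in the project and each operator needs roles/iap.tunnelResourceAccessor on the target instances, otherwise `gcloud compute ssh --tunnel-through-iap` is refused before it ever reaches the firewall. Reviewing `gcloud compute firewall-rules list --format="table(name,direction,priority,sourceRanges.list(),allowed[].map().firewall_rule().list())"` is a quick way to catch an SSH rule that was widened to 0.0.0.0/0.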

The PHIPA-compliant landing zone implemented by SpringML reduces the work of building a PHIPA-compliant Google Cloud environment from scratch. The infrastructure, built from configurable Google Cloud services, is set up automatically, and additional use cases in data analytics, research insights and interpretation, and healthcare workloads such as analytics on genomic sequencing and cancer research can then be implemented on top of it. The landing zone is customizable and can be adapted to other compliance standards such as GDPR, HIPAA and PIPEDA. It thus serves as a baseline on which to run workloads, store and analyze confidential data, and build further use cases.

For more information or to request a demo, contact us at info@springml.com
