ScaleSec was recently selected to advise a stealth healthcare startup in need of verification and validation of essential security and compliance for Google Cloud Platform. Schedules were tight and they needed immediate assistance to connect to a national healthcare services provider and begin their trial period.
ScaleSec first met with the founders as they were fast approaching a deadline to launch a proof of concept of their service with a national health care provider. Their immediate need (within the next week) was to establish secure connectivity from the hospital to the machine learning and data science service running on Google Cloud Platform.
Cloud VPN was selected to provide an IPsec virtual private network between the hospital and the cloud, providing a HIPAA-compliant solution without the need to manage additional infrastructure. Connecting older networks to new ones while meeting security and performance requirements can sometimes be a bit tricky. Configuring such hybrid architectures is a common way to address the challenge that arises when established infrastructure meets the new, API-driven world of cloud computing. The team collaborated via a number of video working sessions to get the connection established within the necessary timeframes.
Once connected, the ScaleSec team reviewed many key security controls, including Identity and Access Management policies, service accounts and key management, data encryption practices, logging and auditing considerations (for HIPAA and other compliance requirements), as well as general networking and data management controls. ScaleSec used Cloud Deployment Manager to automate the configurations through templates that were incorporated into the customer’s code base to leverage their current processes and tools. The company will reuse these templates for testing and disaster recovery.
Partner Solutions / Products used
Network and application performance were critical requirements, so the joint team held consultative architectural discussions to cover design recommendations and to help the team identify and remediate potential threat vectors.
Results / Impact / Highlights
Working this project with healthcare data scientists who were highly qualified in their field but less experienced in securing GCP allowed for some great exchanges where security requirements were derived from business strategy and compliance mandates. Together, ScaleSec and the scientists were able to address data classification, tagging, collection, storage, and retention. The team began to look ahead as well, to anticipate updates from EU regulations and to establish practices for demonstrating full compliance, for both security and audit purposes, when clients came online from outside the US.
As is common with many startups, a plan for security logging and monitoring was nascent, so ScaleSec worked with members of the startup to draft policies and procedures and to automate common work streams to facilitate essential security operations. Over the course of six weeks, ScaleSec was able to jumpstart the company to a place where they are far more comfortable with their security posture. Both teams are pleased with the results and look forward to iterating as the healthcare service grows, so that the anticipated growth of this innovative company is matched by equally exceptional security that keeps their clients, business partners and the company itself prosperous for days to come.