Restrictions and limitations for Healthcare and Life Sciences Controls
This page describes the restrictions, limitations, and other configuration options when using the Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages.
Overview
The Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages enable you to run workloads that are compliant with requirements for Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITRUST).
Each supported product meets the following requirements:
- Listed on Google Cloud's HIPAA Business Associate Agreement (BAA) page
- Listed on Google Cloud's HITRUST Common Security Framework (CSF) page
- Supports Cloud KMS Customer-managed encryption keys (CMEK)
- Supports VPC Service Controls
- Supports Access Transparency logs
- Supports Access Approval requests
- Supports at-rest data residency restricted to US locations
Allowing additional services
Each Healthcare and Life Sciences Controls control package includes a default
configuration of supported services, which is enforced by a
Restrict Service Usage
(gcp.restrictServiceUsage
) organization policy constraint set on your
Assured Workloads folder. However, you can modify this constraint's
value to include other services if your workload requires them. See
Restrict resource usage for workloads
for more information.
Any additional services you choose to add to the allowlist must be listed on Google Cloud's HIPAA BAA page or be listed on Google Cloud's HITRUST CSF page.
When you add additional services by modifying the gcp.restrictServiceUsage
constraint, Assured Workloads monitoring will report compliance
violations. To remove these violations and prevent future notifications for
services added to the allowlist, you must
grant an exception for each
violation.
Additional considerations when adding a service to the allowlist are described in the following sections.
Customer-managed encryption keys (CMEK)
Before adding a service to the allowlist, verify that it supports CMEK by reviewing the Compatible services page in the Cloud KMS documentation. If you want to allow a service that does not support CMEK, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.
If you want to enforce a stricter security posture when using CMEK, see the View key usage page in the Cloud KMS documentation.
Data residency
Before adding a service to the allowlist, verify that it's listed on the Google Cloud Services with Data Residency page. If you want to allow a service that does not support data residency, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.
VPC Service Controls
Before adding a service to the allowlist, verify that it's supported by VPC Service Controls by reviewing the Supported products and limitations page in the VPC Service Controls documentation. If you want to allow a service that does not support VPC Service Controls, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.
Access Transparency and Access Approval
Before adding a service to the allowlist, verify that it can write Access Transparency logs and supports Access Approval requests by reviewing the following pages:
If you want to allow a service that does not write Access Transparency logs and doesn't support Access Approval requests, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.
Supported products and services
The following products are supported in the Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages:
Supported product | Global API endpoints | Restrictions or limitations |
---|---|---|
Cloud Service Mesh |
mesh.googleapis.com meshca.googleapis.com meshconfig.googleapis.com networksecurity.googleapis.com networkservices.googleapis.com |
None |
Artifact Registry |
artifactregistry.googleapis.com |
None |
BigQuery |
bigquery.googleapis.com bigqueryconnection.googleapis.com bigquerydatapolicy.googleapis.com bigqueryreservation.googleapis.com bigquerystorage.googleapis.com |
None |
BigQuery Data Transfer Service |
bigquerydatatransfer.googleapis.com |
None |
Binary Authorization |
binaryauthorization.googleapis.com |
None |
Certificate Authority Service |
privateca.googleapis.com |
None |
Bigtable |
bigtable.googleapis.com bigtableadmin.googleapis.com |
None |
Cloud Build |
cloudbuild.googleapis.com |
None |
Cloud Composer |
composer.googleapis.com |
None |
Cloud Data Fusion |
datafusion.googleapis.com |
None |
Dataflow |
dataflow.googleapis.com datapipelines.googleapis.com |
None |
Dataproc |
dataproc-control.googleapis.com dataproc.googleapis.com |
None |
Cloud Data Fusion |
datafusion.googleapis.com |
None |
Identity and Access Management (IAM) |
iam.googleapis.com |
None |
Cloud Key Management Service (Cloud KMS) |
cloudkms.googleapis.com |
None |
Cloud Logging |
logging.googleapis.com |
None |
Pub/Sub |
pubsub.googleapis.com |
None |
Cloud Router |
networkconnectivity.googleapis.com |
None |
Cloud Run |
run.googleapis.com |
None |
Spanner |
spanner.googleapis.com |
Affected features and organization policy constraints |
Cloud SQL |
sqladmin.googleapis.com |
None |
Cloud Storage |
storage.googleapis.com |
None |
Cloud Tasks |
cloudtasks.googleapis.com |
None |
Cloud Vision API |
vision.googleapis.com |
None |
Cloud VPN |
compute.googleapis.com |
None |
Compute Engine |
compute.googleapis.com |
Organization policy constraints |
Contact Center AI Insights |
contactcenterinsights.googleapis.com |
None |
Eventarc |
eventarc.googleapis.com |
None |
Filestore |
file.googleapis.com |
None |
Google Kubernetes Engine |
container.googleapis.com containersecurity.googleapis.com |
None |
Memorystore for Redis |
redis.googleapis.com |
None |
Persistent Disk |
compute.googleapis.com |
None |
Secret Manager |
secretmanager.googleapis.com |
None |
Sensitive Data Protection |
dlp.googleapis.com |
None |
Speech-to-Text |
speech.googleapis.com |
None |
Text-to-Speech |
texttospeech.googleapis.com |
None |
Virtual Private Cloud (VPC) |
compute.googleapis.com |
None |
VPC Service Controls |
accesscontextmanager.googleapis.com |
None |
Restrictions and limitations
The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Healthcare and Life Sciences Controls folders.
Google Cloud-wide organization policy constraints
The following organization policy constraints apply across any applicable Google Cloud service.
Organization policy constraint | Description |
---|---|
gcp.resourceLocations |
Set to the following locations in the allowedValues list:
|
gcp.restrictServiceUsage |
Set to allow all supported services. Determines which services can be enabled and used. For more information, see Restrict resource usage for workloads. |
gcp.restrictTLSVersion |
Set to deny the following TLS versions:
|
Compute Engine
Compute Engine organization policy constraints
Organization policy constraint | Description |
---|---|
compute.disableGlobalCloudArmorPolicy |
Set to True. Disables creating Google Cloud Armor security policies. |
Spanner
Affected Spanner features
Feature | Description |
---|---|
Split boundaries | Spanner uses a small subset of primary keys and indexed
columns to define
split boundaries,
which may include customer data and metadata. A split boundary in
Spanner denotes the location where contiguous ranges of rows
are split into smaller pieces. These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Healthcare and Life Sciences Controls. |
Spanner organization policy constraints
Organization policy constraint | Description |
---|---|
spanner.assuredWorkloadsAdvancedServiceControls |
Set to True. Applies additional data sovereignty and supportability controls to Spanner resources. |
spanner.disableMultiRegionInstanceIfNoLocationSelected |
Set to True. Disables the ability to create multi-region Spanner instances to enforce data residency and data sovereignty. |
What's next
- Understand the control packages for Assured Workloads.
- Learn which products are supported for each control package.