Restrictions and limitations for Healthcare and Life Sciences Controls

This page describes the restrictions, limitations, and other configuration options when using the Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages.

Overview

The Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages enable you to run workloads that are compliant with requirements for Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITRUST).

Each supported product meets the following requirements:

Allowing additional services

Each Healthcare and Life Sciences Controls control package includes a default configuration of supported services, which is enforced by a Restrict Service Usage (gcp.restrictServiceUsage) organization policy constraint set on your Assured Workloads folder. However, you can modify this constraint's value to include other services if your workload requires them. See Restrict resource usage for workloads for more information.

Any additional services you choose to add to the allowlist must be listed on Google Cloud's HIPAA BAA page or be listed on Google Cloud's HITRUST CSF page.

When you add additional services by modifying the gcp.restrictServiceUsage constraint, Assured Workloads monitoring will report compliance violations. To remove these violations and prevent future notifications for services added to the allowlist, you must grant an exception for each violation.

Additional considerations when adding a service to the allowlist are described in the following sections.

Customer-managed encryption keys (CMEK)

Before adding a service to the allowlist, verify that it supports CMEK by reviewing the Compatible services page in the Cloud KMS documentation. If you want to allow a service that does not support CMEK, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.

If you want to enforce a stricter security posture when using CMEK, see the View key usage page in the Cloud KMS documentation.

Data residency

Before adding a service to the allowlist, verify that it's listed on the Google Cloud Services with Data Residency page. If you want to allow a service that does not support data residency, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.

VPC Service Controls

Before adding a service to the allowlist, verify that it's supported by VPC Service Controls by reviewing the Supported products and limitations page in the VPC Service Controls documentation. If you want to allow a service that does not support VPC Service Controls, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.

Access Transparency and Access Approval

Before adding a service to the allowlist, verify that it can write Access Transparency logs and supports Access Approval requests by reviewing the following pages:

If you want to allow a service that does not write Access Transparency logs and doesn't support Access Approval requests, it is your choice to accept the associated risks as described in Shared responsibility in Assured Workloads.

Supported products and services

The following products are supported in the Healthcare and Life Sciences Controls and Healthcare and Life Sciences Controls with US Support control packages:

Supported product Global API endpoints Restrictions or limitations
Cloud Service Mesh mesh.googleapis.com
meshca.googleapis.com
meshconfig.googleapis.com
networksecurity.googleapis.com
networkservices.googleapis.com
None
Artifact Registry artifactregistry.googleapis.com
None
BigQuery bigquery.googleapis.com
bigqueryconnection.googleapis.com
bigquerydatapolicy.googleapis.com
bigqueryreservation.googleapis.com
bigquerystorage.googleapis.com
None
BigQuery Data Transfer Service bigquerydatatransfer.googleapis.com
None
Binary Authorization binaryauthorization.googleapis.com
None
Certificate Authority Service privateca.googleapis.com
None
Bigtable bigtable.googleapis.com
bigtableadmin.googleapis.com
None
Cloud Build cloudbuild.googleapis.com
None
Cloud Composer composer.googleapis.com
None
Cloud Data Fusion datafusion.googleapis.com
None
Dataflow dataflow.googleapis.com
datapipelines.googleapis.com
None
Dataproc dataproc-control.googleapis.com
dataproc.googleapis.com
None
Cloud Data Fusion datafusion.googleapis.com
None
Identity and Access Management (IAM) iam.googleapis.com
None
Cloud Key Management Service (Cloud KMS) cloudkms.googleapis.com
None
Cloud Logging logging.googleapis.com
None
Pub/Sub pubsub.googleapis.com
None
Cloud Router networkconnectivity.googleapis.com
None
Cloud Run run.googleapis.com
None
Spanner spanner.googleapis.com
Affected features and organization policy constraints
Cloud SQL sqladmin.googleapis.com
None
Cloud Storage storage.googleapis.com
None
Cloud Tasks cloudtasks.googleapis.com
None
Cloud Vision API vision.googleapis.com
None
Cloud VPN compute.googleapis.com
None
Compute Engine compute.googleapis.com
Organization policy constraints
Contact Center AI Insights contactcenterinsights.googleapis.com
None
Eventarc eventarc.googleapis.com
None
Filestore file.googleapis.com
None
Google Kubernetes Engine container.googleapis.com
containersecurity.googleapis.com
None
Memorystore for Redis redis.googleapis.com
None
Persistent Disk compute.googleapis.com
None
Secret Manager secretmanager.googleapis.com
None
Sensitive Data Protection dlp.googleapis.com
None
Speech-to-Text speech.googleapis.com
None
Text-to-Speech texttospeech.googleapis.com
None
Virtual Private Cloud (VPC) compute.googleapis.com
None
VPC Service Controls accesscontextmanager.googleapis.com
None

Restrictions and limitations

The following sections describe Google Cloud-wide or product-specific restrictions or limitations for features, including any organization policy constraints that are set by default on Healthcare and Life Sciences Controls folders.

Google Cloud-wide organization policy constraints

The following organization policy constraints apply across any applicable Google Cloud service.

Organization policy constraint Description
gcp.resourceLocations Set to the following locations in the allowedValues list:
  • us-locations
  • us-central1
  • us-central2
  • us-west1
  • us-west2
  • us-west3
  • us-west4
  • us-east1
  • us-east4
  • us-east5
  • us-south1
This value restricts creation of any new resources to the selected value group only. When set, no resources can be created in any other regions, multi-regions, or locations outside of the selection. See the Organization policy value groups documentation for more information.
gcp.restrictServiceUsage Set to allow all supported services.

Determines which services can be enabled and used. For more information, see Restrict resource usage for workloads.
gcp.restrictTLSVersion Set to deny the following TLS versions:
  • TLS_VERSION_1
  • TLS_VERSION_1_1
See the Restrict TLS versions page for more information.

Compute Engine

Compute Engine organization policy constraints

Organization policy constraint Description
compute.disableGlobalCloudArmorPolicy Set to True.

Disables creating Google Cloud Armor security policies.

Spanner

Affected Spanner features

Feature Description
Split boundaries Spanner uses a small subset of primary keys and indexed columns to define split boundaries, which may include customer data and metadata. A split boundary in Spanner denotes the location where contiguous ranges of rows are split into smaller pieces.

These split boundaries are accessible by Google personnel for technical support and debugging purposes, and are not subject to administrative access data controls in Healthcare and Life Sciences Controls.

Spanner organization policy constraints

Organization policy constraint Description
spanner.assuredWorkloadsAdvancedServiceControls Set to True.

Applies additional data sovereignty and supportability controls to Spanner resources.
spanner.disableMultiRegionInstanceIfNoLocationSelected Set to True.

Disables the ability to create multi-region Spanner instances to enforce data residency and data sovereignty.

What's next