Hi!

I am not sure there is a clear understanding of HIPAA at Google. 

Google says Cloud SQL is covered, but not GAE.

So you can only conclude that PHI stored in Google Cloud SQL is covered by 
the BAA.

The problem is connecting to the Cloud SQL from a web application. In my 
case, the ID and password are stored in the POM file, which can be seen in 
clear text.

However, the only way to see the clear text is to log on from my account, or 
for a Google employee to look at my code. That brings the next concern: if 
someone logs on from my account and changes the password of the MySQL database, 
they get access.

The question is - 
Can anyone else access the GAE, with the exception of those assigned and 
given access to the GAE?

Does anyone have this answer? 

If the GAE is secured from others, then it is HIPAA compliant.

On Wednesday, January 4, 2017 at 4:42:02 AM UTC-5, Þórir Gunnarsson wrote:
>
> Thanks for taking the time to respond.
>
> As we are moving towards HIPAA in the immediate future we will start 
> planning the migration of our system to the covered products.
>
> As far as I can tell this is what we need to do (a very rough outline):
> - AppEngine Standard environment for Java -> move the code to work on 
> Compute Engine or Container Engine. Flexible environment doesn't seem to be 
> covered.
> - Datastore (using Objectify) -> move to Cloud SQL
> - Memcache -> operate our own instance of Memcache or Redis in Compute 
> Engine
>
> We are also using:
> - Task Queue -> use the Java client library (it seems to be available now, 
> haven't tried it) and make sure no protected data is passed through it
> - Pub/Sub -> should work pretty much the same way as before, just make 
> sure no protected data is passed through it
> - Cloud messaging -> should work pretty much the same way as before, just 
> make sure no protected data is passed through it
>
> What do you think, does this sound like a plan? I only have about 40 
> different entities in Datastore so this will probably keep me busy for a 
> few days :-)
>
>
> On Tuesday, January 3, 2017 at 4:52:08 PM UTC, Þórir Gunnarsson wrote:
>>
>> Hi
>>
>> Does anyone know of plans, short term or long term, to include Google 
>> Datastore and AppEngine standard environment in the HIPAA Cloud Platform 
>> BAA?
>>
>> These are not in the list of covered products as seen on: 
>> https://cloud.google.com/security/compliance.
>>
>> "
>> Google Cloud Platform will also support HIPAA covered customers by 
>> entering into a Business Associates Agreement. The Cloud Platform BAA 
>> currently covers Compute Engine, Cloud Storage, Cloud SQL, Cloud Dataproc, 
>> Genomics, BigQuery, Container Engine, Container Registry, Cloud Dataflow, 
>> and Cloud Bigtable.
>> "
>>
>
