ExpertGCP PCA · Question 11 · Domain 3: Designing for Security and Compliance
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?
Answer options:
Implement Cloud Armor policies to block all external IP addresses.
Configure VPC Service Controls to create a secure perimeter around the GCP projects containing the data lake.
Use Identity-Aware Proxy (IAP) to require multi-factor authentication for all database queries.
Remove all external IP addresses from the Compute Engine instances.
How to approach this question
Full Answer
Common mistakes
Practice the full GCP Professional Cloud Architect Practice Exam 3
50 questions · hints · full answers · grading