ExpertThis question is part of a case study — click to read the full scenario(Case 11)
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?
GCP PCA · Question 12 · Domain 3: Designing for Security and Compliance
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
To satisfy the technical requirement for encryption using keys managed by CareData, how should you configure encryption for the Cloud Storage buckets and BigQuery datasets?
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
To satisfy the technical requirement for encryption using keys managed by CareData, how should you configure encryption for the Cloud Storage buckets and BigQuery datasets?
Answer options:
Rely on Google's default encryption at rest.
Implement Customer-Managed Encryption Keys (CMEK) using Cloud Key Management Service (KMS).
Implement Customer-Supplied Encryption Keys (CSEK) by storing the keys on an on-premises HSM.
Encrypt the data within the application layer before sending it to GCP.
How to approach this question
Full Answer
Common mistakes
Practice the full GCP Professional Cloud Architect Practice Exam 3
50 questions · hints · full answers · grading