GCP PCA · Question 11 · Domain 3: Designing for Security and Compliance

CASE STUDY: CareData Health

Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.

Current Technical Environment:

• Decentralized on-premises data centers at each hospital
• Legacy Electronic Health Record (EHR) systems
• Fragmented data silos preventing holistic patient views

Business Requirements:

• Centralize patient data into a single secure data lake
• Enable machine learning for predictive diagnostics
• Securely share anonymized data with external research partners

Executive Statements:

• CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
• CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
• DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."

Technical Requirements:

• End-to-end encryption using keys managed by CareData
• Strict access controls and comprehensive audit logging
• Ingestion of HL7 and FHIR healthcare data formats
• Physical separation of EU and US data

Constraints:

• Highly regulated environment
• Legacy systems cannot be modified, only integrated with

QUESTION:
To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?