ExpertThis question is part of a case study — click to read the full scenario(Case 11)
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?
GCP PCA · Question 15 · Domain 4: Analyzing and Optimizing Technical and Business Processes
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
The DPO mandates physical separation of EU and US data. How should you design the BigQuery architecture to ensure compliance while minimizing operational overhead?
CASE STUDY: CareData Health
Company Overview:
CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.
Current Technical Environment:
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views
Business Requirements:
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners
Executive Statements:
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."
Technical Requirements:
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data
Constraints:
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with
QUESTION:
The DPO mandates physical separation of EU and US data. How should you design the BigQuery architecture to ensure compliance while minimizing operational overhead?
Answer options:
Deploy a single BigQuery dataset in the US and use row-level security to hide US data from EU users.
Create separate BigQuery datasets in the 'EU' multi-region and the 'US' multi-region, and configure IAM permissions to restrict access.
Create two separate GCP Organizations, one for the EU and one for the US.
Use Cloud Spanner instead of BigQuery, as Spanner automatically pins data to specific regions based on the user's IP address.
How to approach this question
Full Answer
Common mistakes
Practice the full GCP Professional Cloud Architect Practice Exam 3
50 questions · hints · full answers · grading