This week on the HIPAA Vault Show we talk about Google Cloud Platform’s Cloud Run. We explore how it is reshaping the landscape of healthcare websites, from ensuring HIPAA compliance to providing scalable, cost-effective solutions. Learn more on Cloud Run here.

Transcript:


Adam
Hello and welcome to the HIPAA Vault Show, where we discuss all things HIPAA compliance in the cloud. My name is Adam Zeineddine, and I’m joined, as always, by CTO and founder of HIPAA Vault Gil Vidals. Hi Gil. 


Gil
Hey Adam. Ready to go today? 


Adam
Yeah, I’m ready to go too. So last week we talked about our free HIPAA Gauge WordPress plugin. This week we’re going to talk a little bit about Google Cloud services and in particular a service called Cloud Run. So a little bit of an introduction to Cloud Run. Google Cloud’s Cloud Run is revolutionizing healthcare applications. And as healthcare entities, small and large, move more and more into the digital space, the importance of secure and scalable platforms and services can’t be overstated. So that’s where Cloud Run comes into play as Google Cloud’s platform service offering. Gil, a little bit about Cloud Run, if you don’t mind. First, maybe we should talk a little bit about what services are in terms of being serverless versus traditional.


Gil
Sure, sure, that’s a good place to get started. So what is Cloud Run? Cloud Run is a serverless environment that allows you to work with stateless containers. So for our audience that isn’t technical, I’ll explain that a little bit more. So in a typical virtual machine, a full server can do anything and everything you want it to do, so you have full control over the server. And the problem with the server though, is that it takes a certain amount of overhead. It takes work to maintain it, to keep all the applications up to date, to add security. It takes energy and work. You have to pay labor hours and technology and so on. So serverless has an advantage in that overhead is minimized. You don’t need to have sysadmins with security guys taking care of it and updating and patching it and all of that. 


Gil
And that’s because the server has been eliminated from the front end. And that means that you can deploy your container and you can run it, and if something goes wrong, you can just redeploy it. So Cloud Run is sort of a lightweight solution and it’s very scalable as well. So it performs very well. And it has another advantage that’s really worth mentioning, Adam, and that is that you only pay for what you use. So the compute time is only being charged as you use it, which can be a big advantage as well. 


Adam
Fantastic. And you mentioned there serverless for the front end. I think that’s an important note. There are servers backing it, right? It’s just for all intents and purposes for the developers and the users of the application that they don’t need to get involved in that. It’s all managed and automated and taken care of. Great. And also for our viewers and listeners, what I’ll do is I’ll include a link of a really cool breakdown into Cloud Run in the description below. It’s written by Priyanka Vergadia at Google Cloud, one of the staff developer advocates there. It really does a nice deep dive and it’s got also a nice overview diagram of what Cloud Run is and what the particular use cases are. When we are talking about HIPAA compliance and Cloud Run, Gil, I know that it is included under Google Cloud’s BAA, and what do we typically look in when our enterprise clients are looking to get this set up when it comes to security and HIPAA?


Gil
Well, for the enterprise world and in terms of HIPAA, they’re concerned about audit logs. They want to be able to trace who’s accessing what. They want to also have identity management. So identity access management and that is included with Cloud Run. And also Cloud Run is part of the security ecosystem that Google has, including the Security Command Center. So you’re able to use the Security Command Center and all the features it has to monitor and watch out for security events. So it does meet, as you said, the HIPAA checkbox. It is HIPAA compliant. But as anything that’s HIPAA compliant in Google, that means you do have to pay attention to it and you do need to configure certain things so that it produces a report. And someone has to look at the reports once in a while to make sure if there is an issue of vulnerability, you want to be aware of that.


Gil
So even though it’s all automated and if everything works well, you still need eyes on the systems in terms of the reporting so you can react to events. 


Adam
Okay, yeah. So we need to make sure there, and the nice thing with that is, because it is a Google Cloud service, it fits in really well with other cloud services. I’m thinking in particular SCC, Gil, Security Command Center. So if you were developing the application and before it goes to production, you could get, we can help with this, like SCC to run reports and say, OK, there’s some vulnerabilities here, let’s get these looked into before it actually goes in and starts serving patients’ information. Right, okay. So scalability and portability is, I think, something that’s important to note here as well. So Cloud Run is pay for what you use. Essentially, it allows you to scale up, scale down to zero, which is really useful, especially in the early stages of an application where maybe you don’t have a budget in place and then also you’re not quite sure how well received the application is going to be.


Adam
So you can pay literally cents and dollars and then it will scale up and accommodate how popular the application is, which is really cool. And then portability, and Gil, I think this might come into the final section on potential challenges and solutions a little bit, if you could touch on. But portability wise, because it’s a container-based approach, literally, if you at any point want to decide to move the application elsewhere, in terms of from Google Cloud to on premise or another cloud, that process is really easy. But I think it does pose a challenge in terms of the application being containerized. Could you touch on that a little bit?


Gil
Sure. I did want to mention before I go into the challenges of Cloud Run, I did want to mention that it does support many different languages, including Go, Node.js, Python, Ruby. So a lot of those are the more popular languages. So it can support that. In terms of a challenge for Cloud Run, it is what they call stateless. So what does that mean? That’s a tech word. Stateless means there’s no memory. So there is no memory. You can’t have the applications remember. When we say, what do you mean by memory? Well, if somebody visits the site yesterday and then they come back today, you have no knowledge that they were there yesterday. You can’t change your application based on that. So that kind of a situation requires thinking ahead. When you architect using Cloud Run, if you do require some kind of memory with cookies or recording some event that happened on the site, you’re going to have to architect that.


Gil
And there are ways to do that with Cloud Run to have storage that is dedicated to Cloud Run so that you can have certain files there that can hold events as they happen and unfold. And that’s kind of beyond the purpose of this video. But it is something if you do decide to use Cloud Run, keep that in mind. So you’ll have to think about that. 


Adam
Fantastic. And stateless, in my understanding, correct me here if I’ve got it quite slightly off, but the way I remember it is it’s almost like not necessarily having a save option on your game. Would that be right? I’m in the game I’m playing and I want to shut the game console off. There’s no save game necessarily. 


Gil
Yeah, that’s an approximation. And I think just the idea of cookies, I think the audience is familiar with what cookies are used for. If you want to save someone’s birthday, if you have them, like in a form type in their name or birthday when they enter the site, just as an example, then you usually save that to the user’s desktop machine in the form of what’s called the cookie that actually has that data. So if they ever come back to visit your site, say, a year later, you can wish them happy birthday because you know it’s their birthday based on that cookie information. So there are reasons you want to save information and stateless has its place, but also having memory there is important. So it’s just something to keep in mind if you’re going to use Cloud Run. 


Adam
Fantastic. And as Cloud Run and other services like it become more and more popular, where do you view HIPAA Vault’s role in the healthcare application and Cloud Run setup? How can we help? 


Gil
Yeah, the way we help our constituents is that they will come to us, typically with an application that they have to either design and they want to deploy it in a HIPAA environment. And so they would come to us and we can help architect that. We know their objective, their business objectives, how much uptime do they want and how do they want to do the CI/CD, continuous integration, continuous development. So we listen to the goals, business goals and tech goals, and we help them architect. And Cloud Run is a tool that we could use if it’s appropriate, and we can help them architect that so that it can run and scale. Like you mentioned earlier in this podcast, it has auto scaling as a feature. So that’s a really powerful feature, especially for apps that have to be running at all times.


Adam
Definitely. Well, Gil, was there anything else that we might have missed on that you’d like to include? 


Gil
Well, I would just like to say that although Cloud Run is very powerful and it fits a lot of different scenarios, there are times where it may not be the best fit. So there are other solutions like Kubernetes, and other solutions that we could provide as well. 


Adam
Okay, great. Yeah. And listeners and viewers, if you’ve had any experience with Google Cloud Services Cloud Run, we’d like to hear from you about them. And what are your favorite things about Cloud Run? And if not, and you’re interested in implementing such a service for your health application or website, feel free to reach out to us. You can post any questions in the comments or email us at podcast@hipaavault.com. You can also send us a message on X at @hipaahosting. Make sure to subscribe and leave us a review if you enjoyed the episode. And until next time, thanks for stopping by.