Google Cloud Run Healthcare Security Configuration: Step-by-Step Guide and HIPAA Best Practices

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

Google Cloud Run Healthcare Security Configuration: Step-by-Step Guide and HIPAA Best Practices

Kevin Henry

HIPAA

October 25, 2025

9 minutes read
Share this article
Google Cloud Run Healthcare Security Configuration: Step-by-Step Guide and HIPAA Best Practices

Healthcare Security Configuration on Google Cloud Run

Step 1 — Establish governance and a Business Associate Agreement

Before handling any Protected Health Information, execute a Business Associate Agreement with Google Cloud. Define data classification, access approval workflows, incident response contacts, and encryption and logging standards that all Cloud Run services must follow.

Step 2 — Prepare the project and regions

  • Create a dedicated Google Cloud project for PHI workloads and isolate non-PHI services in separate projects.
  • Enable Cloud Run, Cloud KMS, Secret Manager, Cloud Logging, Cloud Monitoring, and Security Command Center APIs.
  • Define a restricted list of regions approved for PHI and keep all dependent services (e.g., databases) in the same region.

Step 3 — Harden the container image

  • Use minimal, non-root, distroless images. Pin versions and scan artifacts in Artifact Registry before deployment.
  • Externalize secrets; never bake credentials into images or environment variables stored in source control.
  • Expose only required ports and implement health endpoints that do not reveal PHI.

Step 4 — Create runtime identities

  • Create a dedicated service account per Cloud Run service with least-privilege Google Cloud IAM Roles (for example, secretmanager.secretAccessor, cloudsql.client).
  • Disable user-managed keys for service accounts and rely on short‑lived tokens minted by the platform.

Step 5 — Deploy with locked-down ingress and identity-aware invocation

gcloud run deploy SERVICE_NAME \
  --image=IMAGE_URI \
  --region=REGION \
  --service-account=RUNTIME_SA \
  --ingress=internal-and-cloud-load-balancing \
  --no-allow-unauthenticated
  • Require authentication for all invocations. Grant only the calling identities the roles/run.invoker permission.
  • For workforce access, use identity-aware access at the edge; for service-to-service access, use OIDC identity tokens.

Step 6 — Route egress through a Virtual Private Cloud Connector

Attach a Serverless VPC Access Virtual Private Cloud Connector to force egress through your VPC for database access, partner APIs, and inspection controls.

gcloud compute networks vpc-access connectors create CONNECTOR \
  --network=VPC_NAME --region=REGION --range=10.8.0.0/28

gcloud run services update SERVICE_NAME \
  --vpc-connector=CONNECTOR --vpc-egress=all-traffic --region=REGION
  • Use Cloud NAT with reserved static IPs to control and audit outbound connections.
  • Use Private Service Connect to reach Google APIs privately and avoid public egress for PHI-related operations.

Step 7 — Terminate TLS at the edge and apply web security policies

  • Expose Cloud Run behind an HTTPS load balancer with managed certificates using Transport Layer Security 1.2+.
  • Apply WAF rules and IP/geo policies with Cloud Armor to mitigate OWASP Top 10 and abuse patterns.

Step 8 — Manage secrets and configuration

  • Store credentials and API keys in Secret Manager; grant only the runtime service account secret access.
  • Mount secrets at runtime or access them via the client libraries; avoid logging secret values.

Step 9 — Apply encryption with Customer-Managed Encryption Keys

  • Create Cloud KMS keys and attach them to Cloud Run (where supported) and dependent services such as Storage, BigQuery, Pub/Sub, Cloud SQL, Artifact Registry, and Logging buckets.
  • Grant the Cloud Run service agent and runtime service accounts the minimal cryptoKeyEncrypterDecrypter role on required keys.
gcloud kms keyrings create RING --location=LOCATION
gcloud kms keys create KEY --keyring=RING --location=LOCATION --purpose=encryption
gcloud run services update SERVICE_NAME \
  --region=REGION \
  --kms-key=projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY

Step 10 — Turn on logging, monitoring, and Security Command Center Integration

  • Enable Admin, Data Access, and System Event audit logs for Cloud Run and dependent services.
  • Create logs-based metrics, SLOs, and alerts (for example, spikes in 4xx/5xx, permission denials, or policy changes).
  • Enable Security Command Center Integration to surface misconfigurations, vulnerability findings, and threat detections across the project.

HIPAA Compliance Requirements

Map Cloud Run responsibilities to HIPAA safeguards

  • Administrative safeguards: formal risk analysis, vendor and partner management, access reviews, training, and incident response runbooks.
  • Technical safeguards: unique user identification, least-privilege access control, audit logging, integrity controls, and transmission security with TLS.
  • Physical safeguards: data center protections handled by the cloud provider; you remain responsible for logical and configuration controls.

Protected Health Information scope and minimization

  • Identify which requests, payloads, and logs may contain Protected Health Information and implement strict data minimization.
  • Prevent PHI from entering logs and metrics; redact at the edge and use structured logging with allowlists.

Business Associate Agreement alignment

Operate only within the services and configurations approved by your Business Associate Agreement. Document data flows, retention periods, breach notification processes, and encryption/rotation standards in your HIPAA policies.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Identity and Access Management Practices

Design for least privilege with Google Cloud IAM Roles

  • Create role-based groups (e.g., Deployer, Operator, Auditor, Service-to-Service Caller) and map them to minimal Google Cloud IAM Roles.
  • Examples: roles/run.developer for read-only service inspection, roles/run.admin for trusted deployers, roles/run.invoker for callers, secretmanager.secretAccessor for runtime access, logging.logWriter and monitoring.metricWriter for telemetry.
  • Use IAM Conditions to restrict access by resource, time, or IP; prefer group bindings over direct user bindings.

Secure service accounts

  • Create one service account per Cloud Run service; avoid key creation and rely on platform-issued tokens.
  • Restrict serviceAccountUser and serviceAccountTokenCreator to automation pipelines and break-glass workflows.

Federated and workforce access

  • Use identity federation for CI/CD systems outside Google Cloud to obtain short-lived credentials.
  • Require MFA for human accounts and enforce session lifetime and re-authentication policies.

Networking Security Measures

Ingress control

  • Set ingress to internal-and-cloud-load-balancing and require authentication for all requests.
  • Put an HTTPS load balancer with Cloud Armor in front of Cloud Run to apply WAF, rate limiting, and IP allow/deny lists.

Egress control and private access

  • Attach a Virtual Private Cloud Connector and route all-traffic through your VPC for inspection and egress policy enforcement.
  • Use Cloud NAT with static addresses and firewall rules; restrict outbound destinations and domains used by PHI workflows.
  • Access Google APIs privately with Private Service Connect; avoid public internet paths for clinical data exchanges whenever possible.

Service-to-service security

  • Authenticate calls with OIDC identity tokens and authorize with roles/run.invoker; avoid network-based trust alone.
  • Prefer client libraries that automatically handle token minting and rotation; cache tokens briefly and avoid persisting them.

Data Encryption Strategies

Encrypt in transit with Transport Layer Security

  • Terminate TLS 1.2+ at the HTTPS load balancer for external clients; use managed certificates for custom domains.
  • For internal communications, continue to use TLS plus identity-based authorization; consider mTLS for partner connections that require it.

Encrypt at rest with Customer-Managed Encryption Keys

  • Use Customer-Managed Encryption Keys for Cloud Run (where supported) and for data services such as Cloud Storage, BigQuery, Pub/Sub, Cloud SQL, Secret Manager, Artifact Registry, and Logging buckets.
  • Rotate keys on a defined cadence, enable key versioning, and restrict key IAM to the minimal set of runtime and deployment identities.

Key management operations

  • Segregate keyrings by environment (dev/test/prod) and region; enforce dual control and logging for key operations.
  • Monitor key usage logs and alert on unexpected decrypt operations or permission changes.

Audit Logging and Monitoring

Comprehensive audit logging

  • Enable Admin Activity, Data Access, and System Event audit logs for Cloud Run and all integrated services handling PHI.
  • Create dedicated logging buckets with retention that matches policy and legal requirements; use Log Router to prevent PHI from leaving controlled buckets.

Operational monitoring and alerting

  • Define SLOs for availability and latency; alert on burn rates, 4xx/5xx anomalies, and auth failures.
  • Create logs-based metrics for access denials, policy changes, and unusual traffic surges; feed alerts to on-call and compliance mailboxes.

Security Command Center Integration

  • Enable Security Command Center Integration to continuously assess misconfigurations (e.g., publicly invokable services), exposed secrets, and vulnerable images.
  • Automate triage by routing high-severity findings to incident response, and track remediation SLAs.

Best Practices for HIPAA on Cloud Run

  • Keep PHI out of logs and traces; use structured fields and explicit redaction.
  • Adopt zero-trust: authenticate and authorize every request with identity, not just network location.
  • Standardize deployment via infrastructure as code; require peer review and change tickets for all policy updates.
  • Continuously scan container images and dependencies; fail builds on critical vulnerabilities.
  • Segment environments (dev/test/prod) and projects; prohibit PHI in non-production systems.
  • Back up data stores and test restores; define RPO/RTO for clinical workflows.
  • Run regular access reviews; remove dormant accounts and unused permissions.
  • Document data flows end-to-end and validate that encryption and auth are enforced at every hop.
  • Regularly validate WAF policies, rate limits, and egress firewalls with tabletop and chaos drills.

Conclusion

By combining identity-aware access, private networking with a Virtual Private Cloud Connector, encryption in transit and at rest using Customer-Managed Encryption Keys, and rigorous audit logging with Security Command Center Integration, you create a defensible posture for Cloud Run healthcare workloads. Align these controls with your Business Associate Agreement and continuously monitor for drift to maintain HIPAA compliance and operational resilience.

FAQs

How do you configure IAM roles for HIPAA compliance on Cloud Run?

Start with role-based groups that reflect job functions. Grant deployers roles/run.admin and serviceAccountUser on a dedicated deployment service account. Grant operators read-only roles such as roles/run.developer and monitoring.viewer. Grant callers of the service roles/run.invoker on the specific Cloud Run service only, preferably through a group. The runtime service account should hold only what it needs (for example, secretmanager.secretAccessor, cloudsql.client, logging.logWriter). Use IAM Conditions to restrict access by resource and context, disable service account key creation, and review bindings quarterly.

What steps are required to encrypt PHI in transit and at rest?

Terminate client connections with Transport Layer Security 1.2+ at an HTTPS load balancer. Require authentication on Cloud Run and use OIDC identity tokens for service-to-service calls. For data at rest, enable default encryption and attach Customer-Managed Encryption Keys wherever supported: Cloud Run (where available), Cloud Storage, BigQuery, Pub/Sub, Cloud SQL, Secret Manager, Artifact Registry, and Logging buckets. Grant only the Cloud Run service agent and runtime service accounts the cryptoKeyEncrypterDecrypter role, implement periodic key rotation, and monitor key usage logs.

How is audit logging set up to monitor healthcare applications?

Enable Admin Activity, Data Access, and System Event audit logs for Cloud Run and all dependent services. Route logs to dedicated buckets with policy-aligned retention and prevent PHI from being exported. Create logs-based metrics for access denials, permission changes, and traffic anomalies; connect these to alerting policies. Feed findings from Security Command Center Integration into your incident management system and document investigation and escalation procedures.

What are the key components of a BAA with Google Cloud?

A robust BAA defines permitted and required uses/disclosures of PHI, required administrative/technical/physical safeguards, breach notification timelines and processes, subcontractor and downstream obligations, data return or destruction on termination, and audit rights. It also clarifies which services and configurations are covered, your responsibilities for access control and encryption, and Google’s responsibilities for infrastructure safeguards and availability.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles