We’ve written in detail about the requirements that healthcare organizations must follow in order to maintain HIPAA compliance within Slack. However, in tandem with these requirements, there’s a series of best practices that not only help in managing Slack workspaces but also make it easier to remain HIPAA compliant. Read on or watch the video below to learn the best practices that healthcare teams using Slack should readily consider adopting.
Use consistent channel naming conventions that complement business objectives and security policies
Within a HIPAA compliant Slack workspace, there are private channels that are intended to be used to discuss sensitive topics involving PHI. One way to ensure that PHI is not accidentally shared outside these channels is to use a clear and consistent process for naming all channels where PHI will be shared. When developing your organization’s channel creation policies, you should make sure that channels are clearly named using Slack’s recommended naming conventions. Additionally, you should make sure that each channel serves a distinct purpose so that there is little overlap between information shared across channels. This will clearly delineate content within channels, prevent the duplication of information across Slack, and reduce the likelihood of sensitive data being viewed by the wrong parties.
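As an added example (not code from Nightfall or Slack), the following audit script checks a channel inventory against a naming policy of the kind described above. It assumes a hypothetical convention in which PHI channels carry a `phi-` prefix and all channel names follow a `team-topic` pattern; the channel fields mirror those returned by Slack’s conversations.list API, but the sample data is constructed.

```python
import re

# Assumed organizational convention (not Slack's own): channels that carry PHI
# are prefixed "phi-" and must be private and never shared with an external org.
PHI_PREFIX = "phi-"
# Assumed "team-topic" convention: lowercase segments joined by hyphens.
NAME_RE = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)+$")


def audit_channels(channels, phi_prefix=PHI_PREFIX):
    """Return (channel_name, finding) tuples for channels that violate policy.

    `channels` is a list of channel objects shaped like the entries in Slack's
    conversations.list response (name, is_private, is_ext_shared).
    """
    findings = []
    for ch in channels:
        name = ch.get("name", "")
        if not NAME_RE.match(name):
            findings.append((name, "name violates naming convention"))
        if name.startswith(phi_prefix):
            # A PHI channel that is public or externally shared defeats the
            # purpose of designating it for sensitive discussion.
            if not ch.get("is_private", False):
                findings.append((name, "PHI channel is public"))
            if ch.get("is_ext_shared", False):
                findings.append((name, "PHI channel is shared with an external organization"))
    return findings


# Constructed sample inventory; not output from a real workspace.
SAMPLE_CHANNELS = [
    {"id": "C001", "name": "phi-oncology-care", "is_private": True, "is_ext_shared": False},
    {"id": "C002", "name": "phi-billing", "is_private": False, "is_ext_shared": False},
    {"id": "C003", "name": "phi-vendor-review", "is_private": True, "is_ext_shared": True},
    {"id": "C004", "name": "random", "is_private": False, "is_ext_shared": False},
]

if __name__ == "__main__":
    for name, finding in audit_channels(SAMPLE_CHANNELS):
        print(f"{name}: {finding}")
```

Run against the output of a real conversations.list call, the same function gives admins a repeatable check that PHI channels are still private and still named as policy requires.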
Use automated deletion to remove sensitive information and accounts no longer in use
Slack makes it easy to create automated policies around message retention and user account management. For example, Slack guest accounts can be set to expire after a time limit, ensuring that external collaborators or contractors meant only to have temporary access to your workspace are automatically removed after an appropriate amount of time. Similarly, messages and files in Slack channels or entire workspaces can be automatically deleted after a specified time limit. Using this feature in a way that maps to your compliance and risk management strategies can ensure that data isn’t available on Slack long after it’s no longer needed.
Leverage engaged stakeholders to manage Slack workspaces
Within Slack Enterprise Grid the following administrative roles exist:
- Workspace Primary Owner: Single person with the highest permissions. Only this person can transfer ownership of the workspace.
- Workspace Owners: Hold the same level of permissions as the Workspace Primary Owner, except they can’t transfer ownership of the workspace.
- Workspace Admins: They help manage members, channels, and other administrative tasks.
- Primary Org Owner: Only this person can transfer ownership of the org.
- Org Owners: Hold the same level of permissions as the Primary Org Owner, except they can’t transfer ownership of the org.
- Org Admins: They help manage org-level administrative tasks.
Slack goes into detail about roles here.
The purpose of admins at both the org and workspace levels is to manage workspaces by doing things like provisioning the appropriate channel access and permissions for members and guests. Admins can also close out old accounts and channels and enforce login standards. Within orgs, Org Owners delegate Org Admins to manage workspaces. A good best practice is for Org Owners and Workspace Owners to identify individuals with a solid understanding of basic cybersecurity principles and appoint them as Org Admins or Workspace Admins to actively moderate Slack; doing so makes it easier to implement many of the other practices discussed in this post.
Implement an effective data loss prevention (DLP) tool
For healthcare teams using Slack, integrating DLP with your Slack instance will help ensure that the HIPAA Security Rule guidelines are satisfied. DLP tools give you data visibility on applications like Slack, letting you filter through messages and files for specific types of sensitive information. With Nightfall specifically, you can create workflows that automatically detect the sharing of sensitive information in any channel and remove it from Slack. Additionally, Nightfall provides detailed analytics about what types of PHI risk exist in your Slack channels and can send custom messages to offenders who break defined PHI policies. These features are invaluable for ensuring compliance with the HIPAA Security Rule and making sure that sensitive information is only shared with whom it is intended, in a channel designated for sharing such information.
The importance of these best practices in Slack
As a cloud-based collaboration tool, Slack can be a difficult environment in which to enforce security best practices. This can not only affect the security posture of your organization, but also make it difficult to understand how effective your policies are in ensuring data privacy and data security compliance. Watch the following clip to see the aspects of Slack that can prove challenging for organizations to manage from a compliance and security standpoint, and how Bluecore CISO Brent Lassi addresses this challenge.
If you’re interested in learning more about Nightfall DLP for Slack, take a look at our guide to HIPAA compliance on Slack. To see Nightfall in action, you can download and watch the entirety of our Slack security webinar with Bluecore CISO Brent Lassi, or schedule a demo below to start a free trial.