
How to Use Nightfall Compliance Templates for Pain-free HIPAA Compliance

by Michael Osakwe, January 19, 2023

In this blog post we show you how to best set up Nightfall to discover and protect HIPAA data stored across your organization, maintaining patient privacy and helping you avoid regulatory fines.

How does HIPAA protection with Nightfall work?

Nightfall is a cloud-native data loss prevention platform that integrates with cloud services like Slack, Confluence, Salesforce, Google Drive, and more in order to discover, classify, and protect sensitive data. Nightfall is set up in three easy steps that you can complete in under 3 minutes:

  1. Authentication: As a cloud-native platform, Nightfall is designed from the ground up to integrate with cloud applications in just seconds. Simply grant Nightfall access to your cloud apps via API through OAuth 2.0, then sign in to an authorized account and authenticate.

  2. Create detection rules: Nightfall can scan for sensitive data that matches any criteria you specify, giving you flexibility and putting you in charge of how Nightfall should create alerts. For HIPAA, simply add our PHI detector to scan for any PHI in text, images, code, and more than 100 file types. See the table below for more details.

  3. Create a remediation policy: with the Nightfall platform you create a policy, which can be automated. Policies determine the “what”, “where”, and “how” of your remediation strategy within a given application.

    1. What type of data Nightfall should look for: your detectors. For HIPAA, simply add the PHI detector to a detection rule.

    2. Where Nightfall should scan for the data within a given app. For example, in Slack you can scan within public and private channels, DMs, or Slack Connect channels depending on which tier of Nightfall you’re using. Use the PHI template below to see where you should scan for PHI.

    3. How to handle any positive findings. Nightfall can be configured to take remediation actions automatically. Because Nightfall integrates at the API level, all actions are contextually relevant and specific to each app. For example, within Slack policies you can automatically redact any message containing sensitive data, whereas in Google Drive you can alter the permissions of any file containing sensitive data.

How can healthcare teams use Nightfall?

Today, Nightfall helps both high-growth healthcare startups and established healthcare organizations maintain HIPAA compliance across their SaaS applications. Some ways that healthcare companies use Nightfall include:

  • Preventing unauthorized PHI disclosures within collaborative tools. Applications like Slack strongly encourage users to deploy tools like data loss prevention that give organizations visibility into what’s being shared in their instance. Nightfall is a trusted Slack partner, and many of Slack’s healthcare customers rely on us to monitor for inappropriate sharing or disclosure of PHI.
  • Limiting PHI to the minimum necessary. Within applications that are authorized to store PHI, like Salesforce, customers need to know that they’re storing nothing more than the minimum necessary to conduct business operations.
  • Encrypting PHI over email. Through our partnership with Virtru, healthcare companies can leverage an email encryption solution that intelligently detects the contents of an outbound message and applies encryption whenever a message contains relevant PHI.

Use the HIPAA Compliance Templates below to select the appropriate Nightfall detectors and confidence level to ensure HIPAA compliance.

HIPAA compliance templates for Nightfall DLP

For most standard scenarios, we recommend the following Detection Rule template for HIPAA use cases. 

  1. Slack HIPAA Compliance Template

    Nightfall Detector: PHI Detector
    Confidence Level: At very likely
    Detection Rule: If Any are Triggered
    Detection Policy Scope: Within your Slack policy, you’ll likely want to scan for PHI in:

    • All public channels: these likely have individuals not authorized to share, view, or disclose PHI.
    • Private Slack Connect channels: if you share Slack Connect channels with organizations that are not business associates or that have non-authorized employees, you should scan these channels.



  2. Jira and Confluence HIPAA Compliance Template

    Nightfall Detector: PHI Detector
    Confidence Level: At very likely
    Detection Rule: If Any are Triggered
    Detection Policy Scope: Within your Jira or Confluence policy, you’ll likely want to scan for PHI in:

    • Public Spaces/Projects: manually select all Spaces or Projects that are public, as these likely have individuals not authorized to share or disclose PHI.




  3. Google Drive HIPAA Compliance Template

    Nightfall Detector: PHI Detector
    Confidence Level: At very likely
    Detection Rule: If Any are Triggered
    Detection Policy Scope: Within your Google Drive policy, you should scan all shared and personal drives, because of the risk that an employee may set inappropriate permissions on a file containing PHI.
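To make the three-part model concrete (what to detect, where to scan, how to remediate), here is a small evaluator written for this post as an added example. It is not Nightfall's own code or API: the confidence ordering, the dataclass names, the "alert" action assumed for Confluence (the page names no Confluence action), and the sample findings are all constructed here. It encodes the three templates above and shows why the "At very likely" threshold and the scope choices matter: a finding below the threshold, or in a location outside the policy scope, produces no action.

```python
"""Constructed model of how a detection rule and remediation policy combine,
mirroring the HIPAA templates in this post. Not Nightfall's code or API;
all names, the confidence ordering and the sample findings are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Confidence(IntEnum):
    """Ordered so that a higher value means a more certain finding."""
    POSSIBLE = 1
    LIKELY = 2
    VERY_LIKELY = 3


@dataclass(frozen=True)
class Finding:
    detector: str            # e.g. "PHI Detector"
    confidence: Confidence
    location: str            # the message, page or file that was scanned
    location_kind: str       # e.g. "public_channel", "dm", "shared_drive"


@dataclass
class DetectionRule:
    """The 'what': detectors with a minimum confidence, combined with an
    ANY/ALL operator ("If Any are Triggered" in the templates above)."""
    detectors: dict[str, Confidence]   # detector name -> minimum confidence
    logical_op: str = "ANY"

    def triggered(self, findings: list[Finding]) -> bool:
        hits = {f.detector for f in findings
                if f.detector in self.detectors
                and f.confidence >= self.detectors[f.detector]}
        if self.logical_op == "ANY":
            return bool(hits)
        return hits == set(self.detectors)          # ALL


@dataclass
class Policy:
    """The 'where' (in-scope location kinds) and the 'how' (app-specific
    remediation action) for one application."""
    app: str
    rule: DetectionRule
    in_scope_kinds: set[str]
    action: str

    def evaluate(self, findings: list[Finding]) -> list[tuple[str, str]]:
        """Return (location, action) pairs for every in-scope location where
        the rule fires. Out-of-scope findings are never evaluated."""
        by_location: dict[str, list[Finding]] = {}
        for f in findings:
            if f.location_kind in self.in_scope_kinds:
                by_location.setdefault(f.location, []).append(f)
        return [(loc, self.action) for loc, group in by_location.items()
                if self.rule.triggered(group)]


# The three templates from the post expressed in this model.
PHI_AT_VERY_LIKELY = DetectionRule({"PHI Detector": Confidence.VERY_LIKELY}, "ANY")

TEMPLATES = {
    "Slack": Policy("Slack", PHI_AT_VERY_LIKELY,
                    {"public_channel", "private_slack_connect_channel"},
                    "redact message"),
    "Confluence": Policy("Confluence", PHI_AT_VERY_LIKELY,
                         {"public_space"}, "alert"),   # action is an assumption
    "Google Drive": Policy("Google Drive", PHI_AT_VERY_LIKELY,
                           {"shared_drive", "personal_drive"},
                           "restrict file permissions"),
}

# Constructed sample findings (no real PHI), as a scan might report them.
SAMPLE_SLACK_FINDINGS = [
    Finding("PHI Detector", Confidence.VERY_LIKELY, "#general", "public_channel"),
    Finding("PHI Detector", Confidence.LIKELY, "#support", "public_channel"),
    Finding("PHI Detector", Confidence.VERY_LIKELY, "dm:alice-bob", "dm"),
]
SAMPLE_DRIVE_FINDINGS = [
    Finding("PHI Detector", Confidence.VERY_LIKELY, "Intake forms.xlsx", "shared_drive"),
    Finding("PHI Detector", Confidence.POSSIBLE, "Notes.docx", "personal_drive"),
]


def evaluate_template(app: str, findings: list[Finding]) -> list[tuple[str, str]]:
    """Apply one of the templates to a list of findings."""
    return TEMPLATES[app].evaluate(findings)


if __name__ == "__main__":
    for app, sample in (("Slack", SAMPLE_SLACK_FINDINGS),
                        ("Google Drive", SAMPLE_DRIVE_FINDINGS)):
        for loc, action in evaluate_template(app, sample):
            print(f"{app}: {loc} -> {action}")
```

Running it reports only #general for Slack (the #support finding is below the "very likely" threshold and the DM is outside the template's scope) and only the shared-drive spreadsheet for Google Drive. Raising or lowering the minimum confidence in `PHI_AT_VERY_LIKELY` is the knob that trades missed PHI against alert noise, which is exactly the choice the templates fix at "At very likely".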


About Nightfall's PHI detector

Nightfall's HIPAA compliance capabilities are enabled through our PHI detector which is built from the ground up to identify PHI as defined by HIPAA. Using context analysis, the PHI detector only sends alerts when it discovers HIPAA-defined PII like names and addresses in the same context as ICD 9/10 codes, drug names & codes, and more. 

For HIPAA-bound entities leveraging cloud platforms, this is the most efficient way to monitor, manage, and scale HIPAA compliance in your cloud apps. Learn more through our blog post or through our datasheet.
