In this latest blog post we are going to show you how to best set up Nightfall to discover and protect HIPAA data stored across your organization, maintaining patient privacy and helping avoid regulator fines.
How does the HIPPA protection with Nightfall work?
Nightfall is a cloud-native data loss prevention platform that integrates with cloud services like Slack, Confluence, Salesforce, Google Drive, and more in order to discover, classify, and protect sensitive data. Nightfall is setup in three easy steps that you can complete in under 3 minutes:
-
Authentication: As a cloud-native platform, Nightfall is designed from the ground up to integrate with cloud applications in just seconds. Simply grant Nightfall access to your cloud apps via API through OAuth 2.0.Then just sign in to an authorized account and authenticate.
-
Create detection rules: Nightfall can scan for sensitive data that matches any criteria you specify, giving you flexibility and putting you in charge of how Nightfall should create alerts. For HIPAA simply add our PHI detector to scan for any PHI in text, images, code, and more than 100+ file types. See the table below for more details.
-
Create a remediation policy: with the Nightfall platform you create a policy - which can be automated. Policies determine the “what” “where” and “how” of your remediation strategy within a given application.
-
What type of data Nightfall should look for - your detectors. For HIPAA simply add the PHI detector to a detection rule.
-
Where Nightfall should scan for the data within a given app. For example, in Slack you can scan within public and private channels, DMs, or Slack Connect channels depending on which tier of Nightfall you’re using. Use the PHI template below to see where you should scan for PHI.
-
How to handle any positive findings. Nightfall can be configured to take remediation actions automatically. Because Nightfall integrates at the API level, all actions are contextually relevant and specific to each app. For example, within Slack policies, you’re allowed to automatically redact any message containing sensitive data. However, in Google Drive, you’re able to alter the permissions of any files containing sensitive data.
How can healthcare teams use Nightfall
Today, Nightfall helps both high-growth healthcare startups and established healthcare organizations maintain HIPAA compliance across their SaaS applications. Some ways that healthcare companies use Nightfall include:
- Preventing unauthorized PHI disclosures within collaborative tools. Applications like Slack strongly encourage users to deploy tools like data loss prevention that allow organizations to have visibility into what’s being shared in their instance. Nightfall is a trusted Slack partner with many of Slack’s healthcare customers, relying on us to monitor for inappropriate sharing or disclosure of PHI.
- Limiting PHI to minimum necessary. Within applications that are authorized to store PHI, like Salesforce, customers need to know that they’re only storing nothing more than the minimum necessary to conduct business operations.
- Encrypting PHI over email. Through our partnership with Virtru, healthcare companies can leverage an email encryption solution that intelligently detects the contents of an outbound message and applies encryption whenever a message contains relevant PHI.
Use the HIPAA Compliance Templates below to select the appropriate Nightfall detectors and confidence level to ensure HIPAA compliance.
HIPAA compliance templates for Nightfall DLP
For most standard scenarios, we recommend the following Detection Rule template for HIPAA use cases.
-
Slack HIPAA Compliance Template
|
Nightfall Detector
|
Confidence Level
|
Detection Rule
|
Detection Policy Scope
|
|
PHI Detector
|
At very likely
|
If Any are Triggered
|
Within your Slack policy, you’ll likely want to scan for PHI in:
-
All Public channels: These likely have individuals not authorized to share, view, or disclose PHI.
-
Private Slack Connect channels: If you share Slack connect channels with organizations that are not business associates or have non-authorized employees, you should scan these channels
|
Jira and Confluence HIPAA Compliance Template
|
Nightfall Detector
|
Confidence Level
|
Detection Rule
|
Detection Policy Scope
|
|
PHI Detector
|
At very likely
|
If Any are Triggered
|
Within your Jira or Confluence policy, you’ll likely want to scan for PHI in:
|
Google Drive HIPAA Compliance Template
|
Nightfall Detector
|
Confidence Level
|
Detection Rule
|
Detection Policy Scope
|
|
PHI Detector
|
At very likely
|
If Any are Triggered
|
Within your Google Drive Policy, you should scan all Shared and personal drives because of the risk that an employee may set inappropriate permissions on a file containing PHI
|
About Nightfall's PHI detector
Nightfall's HIPAA compliance capabilities are enabled through our PHI detector which is built from the ground up to identify PHI as defined by HIPAA. Using context analysis, the PHI detector only sends alerts when it discovers HIPAA-defined PII like names and addresses in the same context as ICD 9/10 codes, drug names & codes, and more.
For HIPAA-bound entities leveraging cloud platforms, this is the most efficient way to monitor, manage, and scale HIPAA compliance in your cloud apps. Learn more through our blog post or through our datasheet.
.svg)
.jpeg)
.svg)
.svg)
.svg)
.svg)
.svg){kind=small}
.svg){kind=small}
