Nightfall’s New PHI Detector Improves Security Automation for Healthcare Orgs

Michael Osakwe
January 19, 2023
Nightfall’s New PHI Detector Improves Security Automation for Healthcare OrgsNightfall’s New PHI Detector Improves Security Automation for Healthcare Orgs
Michael Osakwe
January 19, 2023
On this page

Intelligently identify HIPAA compliance violations

With Nightfall’s enhanced PHI detection capabilities, which are based on an advanced combination of logic and context, it is very easy to identify specific instances of PHI unique to organizations. What’s even better is that all of this can be automated and tie seamlessly into existing customer workflows. The result is that users can quickly find and fix the most sensitive patient data exposures across their SaaS and cloud apps, while proactively achieving compliance with industry regulations.

New PHI detectors ensure compliance and prevent risks to the business

Historically, we’ve relied on individual machine learning detectors, each uniquely tuned to identify one data type, such as a patient name, a social security number, a diagnosis, etc. While this is useful for preliminary analysis, such as evaluating how often employees share specific types of PII in the course of their work, it can be difficult to quantify precise numbers of HIPAA violations taking place within your organization. That’s because PHI exposure consists of some combination of health information and HIPAA Defined PII (these are 18 identifiers listed in 45 CFR § 164.514(b)(2), in Requirements for the de-identification of protected health information).

The threshold for identifying PHI exposure with high confidence requires looking at specific combinations of tokens together in tandem with the broader context of a finding. To illustrate this, consider the difference between a Slack message containing a name and medical record number versus one containing a medical record number, date of service, and an ICD 10 code. While you may want to monitor any sharing of patient PII, only the latter is considered inappropriate exposure of PHI under HIPAA. The rationale is that it contains both HIPAA PII identifiers and health information potentially tied to the individual to the PII belongs to.

Detection Rules


Type 1 


Type 2


Type 3


Health Indicator











  • Phone Number

  • Email

  • SSN

  • Healthcare Keywords

  • VIN

  • Device Identifiers

  • MBI

  • Person Name

  • Date of Birth

  • Person Name

  • Street Address

  • Flexible ICD9 Code

  • Flexible ICD9 Description

  • Flexible ICD10 Code

  • Flexible ICD10 Description

  • ICD 11 Code & Description

  • NPI

  • FDA Drug Name

  • FDA Drug Code

Detection Rule Combo

Rule Description

PHI Very Likely

If HIPAA PII 1, 2, or 3 plus Health Indicator, all @ Very Likely

PHI Likely

If HIPAA PII 1, 2, or 3 plus Health Indicator, some or all @ Likely

HIPAA PII Very Likely

If HIPAA PII 1, 2, or 3 @ Very Likely


If HIPAA PII 1, 2, or 3 @ Likely

Until now, healthcare customers could create Nightfall policies combining multiple detectors using any or all operators to determine how specific identifiers would influence a finding. However, we were dissatisfied with this approach, as this relied on individual detectors that weren't trained together. We knew that detecting PHI would require training a single detector, from the ground up, to understand the full context surrounding PHI, as opposed to chaining individually trained detectors together. So, that’s exactly what we did. We built a healthcare-specific detector that understands the underlying logic of the combinations of health information and PII that correspond to a true PHI finding. We are proud to announce that we are the first and only solution that has built out detectors of this nature.

How does it work?

The Nightfall PHI detector works exactly in the same manner as all our other detectors.

1. Create a detection rule, including the HIPAA PII and/or PHI detector(s), and add it to any Nightfall policy you wish.


2. You can change the confidence level on the detector from somewhat likely, likely, to very likely. This allows teams to optimize their workflow and focus on the most productive alerts for their organization.

3. Teams can then decide to auto-redact, quarantine, or delete sensitive findings across cloud applications, saving time and money by reducing the amount of manual work required to identify potential compliance violations at scale.

The result

Higher confidence findings that will enable quick and painless security audits. Our ultimate goal is for healthcare organizations to feel comfortable enough to turn on automated policies across the Nightfall platform.

How can I see this detector in action?

This detector is officially going live on January 26, and we’ll host a webinar: Learn how Nightfall enabled HIPAA compliance across Rightway's tech stack. We’ll demonstrate how the detector works and have live Q&A with Karim Beldjilali, a former Nightfall customer from Rightway, a healthcare benefits organization. We’ve also written up a blog post on how Nightfall works for healthcare organizations, complete with a template you can use to try out the Nightfall platform.

Nightfall Mini Logo

Getting started is easy

Install in minutes to start protecting your sensitive data.

Get a demo