
Slack Security: FERPA and HIPAA Compliance

by Emily Heaslip, September 29, 2021

During the pandemic, healthcare and education providers scrambled to adapt to providing services remotely, using tools like Slack, Google Drive, and Zoom to continue connecting with patients and students. McKinsey tracked a spike in the use of telehealth solutions in April 2020 that was 78 times higher than in February 2020. And, by some estimates, more than 1.2 billion children worldwide were impacted by school closures due to the pandemic — some of whom were able to learn remotely. 

Early data suggests the shift to remote learning and telehealth may be permanent. The use of telehealth communication tools and platforms has stabilized at levels 38 times higher than before the pandemic. And, according to a study by the RAND Corporation, roughly 20% of district administrators said their school system had “already started an online school, was planning to start one or was considering doing so as a post-pandemic offering.”

As schools and healthcare organizations start to plan for the future, they will need to account for student and patient privacy on Slack and other communication tools. Here’s what these organizations need to know about the data security and privacy risks of Slack — and how to overcome them. 

[Read more: Understand How User Privacy Can Improve Cybersecurity]

Background: FERPA and HIPAA regulations

The Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act of 1996 (HIPAA) are two federal regulations that govern how education and health providers collect, store, and use client data safely. 

FERPA applies to all schools that receive funds from the U.S. Department of Education. The goal of FERPA is to protect the privacy of student “education records”— a broad term that encompasses things like grades and transcripts, student schedules, exams and papers, student email, advising records, and any personally identifiable information (PII). Educational records do not include law enforcement records, employment records, medical records, or post-attendance records. 

HIPAA is enforced by the Department of Health and Human Services (HHS) and protects Protected Health Information (PHI). HIPAA sets standards to protect sensitive patient information from being disclosed without consent. There are 18 PHI identifiers that make medical information “identifiable” and traceable back to a specific individual. You can read more about PHI that HIPAA protects in this guide: PHI Compliance: What It Is and How To Achieve It.

Protecting client information on Slack 

Slack has quickly become integral to companies that work remotely, and even to those who have returned to the office. Many employees have stated that they prefer to use this communication tool long after the pandemic is over. For health and education organizations, this preference requires implementing new measures to protect patient and student data.

Currently, Slack can be configured to comply with both HIPAA and FERPA. We’ll review how to set up Slack so that patient and student data is kept safe, starting with what HIPAA organizations need to know.

HIPAA compliance for Slack

The standard versions of Slack (Free, Standard, Plus) are not HIPAA compliant. You must have a Slack Enterprise Grid plan in order to configure Slack to meet HIPAA regulations.

Once you have enrolled in the Slack Enterprise Grid plan, you must execute a Business Associate Agreement. In addition, health organizations must agree to the following limitations when using Slack:

  • You may not use Slack to communicate with patients, plan members, or their families or employers.
  • Members of your organization may not include PHI when using Slack features, excluding messages and files.
  • You are responsible for using Slack APIs to implement tools and processes for monitoring your members’ use of Slack. 
  • You may need to use Slack’s Discovery APIs, and Slack recommends setting up an external Data Loss Prevention (DLP) provider to enforce message and file restrictions and exports. (Note that you may be asked to sign a business associate agreement with a third-party application provider like Nightfall that provides DLP.)

While these configurations help you reach HIPAA compliance, there’s a fair amount of monitoring that your organization must undertake to maintain full compliance. For instance, Slack says sharing PHI using features other than messaging and file uploads will put you at risk of violating HIPAA. Furthermore, any channels where PHI is shared must be set as private.

[Read more: How to Make Slack HIPAA Compliant]

FERPA compliance for Slack

As with HIPAA, Slack can be configured to help education providers achieve compliance with FERPA. Slack recommends that education providers enroll in the Slack Enterprise Grid plan, which includes features such as the approved use of third-party DLP providers, Enterprise Key Management (EKM), and advanced global message and file retention policies, among others.

If you choose not to upgrade your plan, Slack still provides a number of other features that can help with FERPA. Slack offers regular vulnerability scans and application-level pen tests, as well as secure cipher suites and protocols to encrypt data in transit and at rest. “Customer Data is removed from production servers nightly following deletion by the end user or upon expiration of message retention based on customer administrator configuration, and is then permanently deleted from backup within 14 days in line with the practices described in Slack’s Security Practices Page,” notes the platform.

Slack also has physical safeguards in place. The platform uses Amazon Web Services (AWS) as its third-party hosting provider. Slack is transparent about their security practices, privacy policy, and current subprocessors (third-party data processors that support the delivery of Slack).

Using Slack as an education provider still requires a fair amount of proactive monitoring and policing to ensure no student records are shared improperly. For some institutions, like UPenn, the use of Slack is approved on a case-by-case basis to control user access and cut down on risk. This process, however, can be time-consuming; this is where a tool like Nightfall can help.

Implement DLP for Slack

Data loss prevention tools are the ultimate safeguard for ensuring patient and student data isn’t shared in violation of federal regulations. And an automated tool like Nightfall takes the burden of monitoring Slack off IT security teams. Nightfall allows organizations to monitor Slack and put controls in place to prohibit the sharing of PHI over inappropriate channels. Admins can implement messaging that educates users about the appropriate contexts for sharing PHI or education records.

Nightfall is the industry’s first cloud-native DLP platform that integrates directly via API, meaning that customers are typically up and running within a few minutes. For SaaS apps like Slack, there’s no additional configuration or setup required beyond installation.

By leveraging Nightfall, education and healthcare providers can discover, classify, and protect many forms of protected information: email addresses, phone numbers, social security numbers, and many other classes of sensitive data. In this way, you can immediately detect and remove personal data that appears in Slack, so you do not violate FERPA or HIPAA, or risk a data breach.
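The kind of monitoring check the HIPAA section and the paragraph above describe (flagging identifiers such as email addresses, phone numbers and social security numbers in messages, and escalating when such content lands outside a private channel), as an added example that is not code from the post or from Nightfall. The message records are constructed, and the record field names (`ts`, `channel`, `is_private`, `text`) are assumptions, not Slack’s export schema.

```python
import re

# Illustrative detectors for three identifier classes the post names.
# These regexes are simplified examples, not a vendor's detection logic.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    # SSN shape with the structurally invalid area/group/serial values excluded
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
}


def classify(text):
    """Return the set of identifier classes present in one message."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}


def scan(messages):
    """Scan message records and return a finding per message that carries
    identifiers. A finding is 'high' when the channel is not private, since
    the post notes that channels where PHI is shared must be private."""
    findings = []
    for m in messages:
        classes = classify(m["text"])
        if not classes:
            continue
        findings.append({
            "ts": m["ts"],
            "channel": m["channel"],
            "classes": sorted(classes),
            "severity": "medium" if m["is_private"] else "high",
        })
    return findings


# Constructed sample records (not real Slack data; field names assumed).
SAMPLE = [
    {"ts": "1", "channel": "general", "is_private": False,
     "text": "Patient callback: 555-867-5309, chart notes attached"},
    {"ts": "2", "channel": "billing-private", "is_private": True,
     "text": "SSN on file is 123-45-6789, please verify"},
    {"ts": "3", "channel": "random", "is_private": False,
     "text": "Lunch at noon?"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
```

A real deployment would feed this from a Discovery API export or a DLP provider and act on findings (quarantine, user coaching message) rather than only reporting them.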

Watch the video below to learn how Capital Rx, a leader in pharmaceutical benefits management, leverages Nightfall's Data Loss Prevention to ensure HIPAA compliance in Slack, or read their case study. You can also learn more about the value of Nightfall by setting up a demo and exploring our ROI Calculator.

Capital Rx CTO & Co-founder Ryan Kelly uses Nightfall DLP to mitigate PHI exposure in Slack before it can escalate in severity
