Confidential Health Tech Company

Challenge

• Stringent HIPAA laws require that companies working with personally identifiable information (PII) and protected health information (PHI) keep that data secure.
• As a healthcare technology company, this company must ensure its GitHub and Slack environments are clear of PHI or any data that can cause a security leak, like secrets and credentials.

Solution

• Nightfall provides this company with a single pane of glass for monitoring and remediating data exposure risk of sensitive information in Slack and GitHub.

Ensuring HIPAA compliance without impacting a growing startup

In addition to navigating the rapidly-changing technology landscape, healthcare startups must contend with a myriad of regulations in order to operate. HIPAA (the Health Insurance Portability and Accountability Act of 1996) requires especially stringent safeguards for patients’ private information. This company's Head of Security and Compliance was no stranger to the challenge of maintaining HIPAA compliance across an entire organization. With years of experience in healthcare technology, the company's Head of Security knew that his team needed an automated solution to protect against potential data breaches.

At his previous company, he had discovered the perfect option for comprehensive, automated HIPAA compliance: Nightfall. Providing data loss protection (DLP) across applications including Slack, GitHub, and AWS, Nightfall proved to be an ideal solution for his team’s needs.

Enterprise Slack DLP functionality with Nightfall

Powered by machine learning, Nightfall’s Enterprise plan continuously protects all the company's Slack messages and files against breaches of sensitive information. Using a three-stage approach—Discover, Classify, and Protect—Nightfall automatically scans for over 25 PII (personally identifiable information) and PHI (protected health information) detectors, without any need for fine-tuning or tagging.

The Head of Security particularly appreciated Nightfall’s ability to customize the response to potential leaks. “The Slack options are very versatile and can be set for the level of enforcement that our policies and procedures mandate,” he notes. Depending on the type of information, he can manually quarantine the data or use automated workflows to save time.

Automated GitHub protection

Eliminating unnecessary manual activity was a top priority for the Head of Security and his team. “We checked for credentials and data patterns during pull requests in GitHub, but nothing was automated,” he remarks. Not only did he and his team have to spend countless hours monitoring the company's GitHub repositories, but they also risked leaks of sensitive information in between pull requests. Nightfall DLP for GitHub solved both of these problems with ease.

Nightfall DLP scans public and private GitHub repositories for sensitive credentials and secrets, such as API keys for AWS, Twilio, or Stripe. Unlike traditional approaches, such as regular expressions or high-entropy string detection, Nightfall DLP’s machine learning can discover a very broad set of secrets without needing to specify what types of keys or credentials to quarantine. As a result, the Head of Security and his team have a larger umbrella of protection with more accurate, less noisy results.

Putting into place safeguards against liability

In addition to improved productivity, the confidential health tech company's security team also enjoys increased protection from the financial liability of a data breach. “The cost of a breach can be substantial,” their Head of Security notes. “While we have not had a severe alert on data, it would cost $430 per patient record if there ever was one.” Given [our] ever-expanding consumer footprint, fines for a breach could easily tally into tens of millions of dollars.

 “Nightfall’s ease of setup and accuracy of identified data are both on point. Nightfall has eased our collective mind." Head of Security and Compliance

Deploying Nightfall has given the confidential health tech's security team and their customers an always-on ring of protection around one of their most valuable resources: their information.