
Challenge
- Stringent HIPAA laws require that companies working with personally identifiable information (PII) and protected health information (PHI) keep that data secure.
- As a healthcare technology company, Galileo must ensure its GitHub and Slack environments are clear of PHI or any data that can cause a security leak, like secrets and credentials.
Solution
- Nightfall provides Galileo a single pane of glass for monitoring and remediating data exposure risk of sensitive information in Slack and GitHub, all in one place.
Ensuring HIPAA compliance without impacting a growing startup
In addition to navigating the rapidly-changing technology landscape, healthcare startups must contend with a myriad of regulations in order to operate. HIPAA (the Health Insurance Portability and Accountability Act of 1996) requires especially stringent safeguards for patients’ private information. Michael Supon, Galileo’s Head of Security and Compliance, was no stranger to the challenge of maintaining HIPAA compliance across an entire organization. With years of experience in healthcare technology, Supon knew that his team needed an automated solution to protect against potential data breaches.
At his previous company, Supon had discovered the perfect option for comprehensive, automated HIPAA compliance: Nightfall. Providing data loss protection (DLP) across applications including Slack, GitHub, and AWS, Nightfall proved to be an ideal solution for the Galileo team’s needs.
Enterprise Slack DLP functionality with Nightfall
Powered by machine learning, Nightfall’s Enterprise plan continuously protects all of Galileo's Slack messages and files against breaches of sensitive information. Using a three-stage approach—Discover, Classify, and Protect—Nightfall automatically scans for over 25 PII (personally identifiable information) and PHI (protected health information) detectors, without any need for fine-tuning or tagging.
Supon particularly appreciated Nightfall’s ability to customize the response to potential leaks. “The Slack options are very versatile and can be set for the level of enforcement that our policies and procedures mandate,” Supon notes. Depending on the type of information, Supon can manually quarantine the data or use automated workflows to save time.
Automated GitHub protection
Eliminating unnecessary manual activity was a top priority for Supon and his team. “We checked for credentials and data patterns during pull requests in GitHub, but nothing was automated,” Supon remarks. Not only did Supon and his team have to spend countless hours monitoring Galileo’s GitHub repositories, but they also risked leaks of sensitive information in between pull requests. Nightfall DLP for GitHub solved both of these problems with ease.
Nightfall DLP scans public and private GitHub repositories for sensitive credentials and secrets, such as API keys for AWS, Twilio, or Stripe. Unlike traditional approaches, such as regular expressions or high-entropy string detection, Nightfall DLP’s machine learning can discover a very broad set of secrets without needing to specify what types of keys or credentials to quarantine. As a result, Supon and his team have a larger umbrella of protection with more accurate, less noisy results.
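The two "traditional approaches" the paragraph above contrasts with Nightfall's detector, as an added illustration that is not Nightfall's or Galileo's code: a minimal scanner that pairs prefix regexes for the three key types named (AWS, Twilio, Stripe) with a Shannon-entropy check, run over constructed sample lines. All key values are constructed placeholders and the 3.5-bit threshold is an assumption; the commit-hash line shows the kind of noisy hit the page says the entropy approach produces.

```python
import math
import re

# Prefix patterns for the three credential types the case study names. Every key
# value in this file is constructed for illustration; none is a real credential.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_secret_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "twilio_account_sid": re.compile(r"\bAC[0-9a-fA-F]{32}\b"),
}
# Candidates for the entropy check: 20+ chars from a base64/hex-like alphabet.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")

def shannon_entropy(s: str) -> float:
    """Bits per character, estimated from the token's own character frequencies."""
    n = len(s)
    if n == 0:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_line(line: str, entropy_threshold: float = 3.5) -> list:
    """(detector, token) pairs for one line: regex hits first, then any remaining
    high-entropy token. The 3.5-bit threshold is an assumed, typical cut-off."""
    findings = [(name, m.group(0)) for name, pat in PATTERNS.items() for m in pat.finditer(line)]
    seen = {tok for _, tok in findings}
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        if tok not in seen and shannon_entropy(tok) >= entropy_threshold:
            findings.append(("high_entropy", tok))
    return findings

def scan_lines(lines: list) -> list:
    """Scan one file's lines; returns (line_number, detector, token) triples."""
    return [(i, det, tok) for i, line in enumerate(lines, 1) for det, tok in scan_line(line)]

# Constructed sample file: three prefixed keys, one prefix-less token, a commit
# hash (random-looking but not a secret, the entropy check's false positive) and a log call.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000000"',
    'STRIPE_KEY = "sk_live_CONSTRUCTEDEXAMPLE0000"',
    'TWILIO_SID = "AC0123456789abcdef0123456789abcdef"',
    'API_TOKEN = "q7Zp2vX9mL4nR8sK1wE6tY3uB5oD"',
    '# last deploy: commit 3f8a9c2d4e6b1a0f7c5d2e9b8a1f4c6d3e7b0a2f',
    'logger.info("request complete")',
]

if __name__ == "__main__":
    for line_no, detector, token in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {detector}: {token}")
```

The regexes only find key formats someone thought to list, while the entropy check catches the prefix-less token but also flags the commit hash, which is the noise trade-off the paragraph describes.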
Putting into place safeguards against liability
In addition to improved productivity, the Galileo team also enjoys increased protection from the financial liability of a data breach. “The cost of a breach can be substantial,” Supon notes. “While we have not had a severe alert on data, it would cost $430 per patient record if there ever was one.” Given Galileo’s ever-expanding consumer footprint, fines for a breach could easily tally into tens of millions of dollars.
“Nightfall’s ease of setup and accuracy of identified data are both on point. Nightfall has eased our collective mind.”
Michael Supon
Head of Security and Compliance
Deploying Nightfall has given the Galileo team and their customers an always-on ring of protection around one of their most valuable resources: their information.