Slack HIPAA Compliance: The Definitive Guide

Slack allows organizations of all sizes and across industries to collaborate with with ease. While healthcare organizations can benefit from the power of Slack, it is essential that any Covered Entities or organizations that are otherwise handling PHI to understand what they can and cannot do in Slack to ensure they stay compliant with HIPAA.

Read this online guide, for free, to learn about Slack requirements for Covered Entities and how to ensure PHI is not at risk of exposure in Slack. You may also download this content here.

Is Slack HIPAA compliant?

‍Slack is not HIPAA compliant out of the box. This is something that Slack's user agreement explicitly specifies. In order for Covered Entities, like healthcare providers to leverage Slack, specific standards and controls must be in place within their Slack instance to ensure the satisfaction of HIPAA requirements. Before adopting Slack, covered entities need to understand their requirements as well as their intended use case for Slack. This analysis helps organizations determine if they can maintain HIPAA compliance on Slack.

The requirements to enable and maintain HIPPA compliance on Slack can broadly be grouped into four categories: 

• Having an appropriate use case for Slack
• Following the requirements Slack outlines for maintaining HIPAA compliance
• Practicing common sense cyber hygiene within Slack to limit the likelihood of data exposure incidents
• Evaluating some HIPAA Security Rule considerations

What are examples of HIPAA compliant use cases?

Slack has a blog post listing examples of HIPAA compliant use cases. The TL;DR is Slack is meant to streamline collaboration within healthcare organizations and is not sanctioned for communications between patients and care providers.

Some examples of HIPAA compliant Slack uses cases include: 

• Conveniently triaging outpatient care with Slack
• Improving productivity around diagnostics and procedures with an integrated electronic medical records system
• Real time patient care updates for practitioners

What are Slack's requirements for maintaining HIPAA compliance?

• Your organization must be on a Slack Enterprise account
• Your organization must execute a Business Associate Agreement with Slack
• Your organization cannot use Slack for patient communications as it’s not designed to communicate with patients and families
• You must not have PHI in "prohibited fields" anywhere in your Slack Org (these include: file names, user profile data, custom profile fields, custom emojis, custom statuses, workspace and organization names, EMM)
• PHI can only be shared in private channels where only need to know members have access to it
• The Slack email ingestion tool, which converts emails to Slack messages, needs to be disabled from the admin console

Slack also details important technological processes and standards you will need to consider:

• In-field clinicians cannot connect over patient WiFi
• According to Slack: “Slack does not maintain the designated record set and should not be the system of record for your health information.”
• Your organization is responsible for using Slack APIs to implement security tools and processes for monitoring your members’ use of Slack and securing your workspace.

The last requirement can be accomplished with tools like:

• Single Sign On (SSO)
• Backup/Archival
• Data Loss Prevention

How do you maintain good cyber hygiene on Slack?

The purpose of data and cyber hygiene is to implement policies and best practices that normalize behaviors that limit oversharing sensitive information as preemptive security measure. Cloud environments, like Slack make it easy for employees to share more information than is needed to complete their tasks, in if this information is not removed it could be retained for the lifetime of your instance and constitute a breach risk.

For example, the 2020 Twitter hack entailed an external threat actor finding a password to Twitter's backend in Slack. It was presumably shared months, or maybe years ago by an engineer who was trying to work with a collaborator. Something similar happened in the case of the Uber 2022 hack, which entailed a threat actor accessing the company's Privileged Account Manager because a password to that system was left in plaintext.

With regard to Slack hygiene, you'll want to consider the following: 

Use consistent channel naming conventions that complement business objectives and security policies

Within a HIPAA compliant Slack workspace, there are private channels that are intended to be used to discuss sensitive topics involving PHI. One way to ensure that PHI is not accidentally shared outside these channels is to use a clear and consistent process for naming all channels where PHI will be shared. When developing your organization’s channel creation policies, you should make sure that channels are clearly named using Slack’s recommended naming conventions. Additionally, you should make sure that channels serve a distinct and purpose so that there is little overlap between information shared across channels. This will serve to clearly delineate content within channels, prevent the duplication of information across Slack, and reduce the likelihood of sensitive data being viewed by the wrong parties.

Use automated deletion to remove sensitive information and accounts no longer in use

Slack makes it easy to create automated policies around message retention and user account management. For example, Slack guest accounts can be set to expire after a time limit, ensuring that external collaborators or contractors meant only to have temporary access to your workspace are automatically removed once after an appropriate amount of time. Similarly, messages and files in Slack channels or entire workspaces can be automatically deleted after a specified time limit. Using this feature in a way that maps to your compliance and risk management strategies can ensure that data isn’t available on Slack long after it’s no longer needed.

Leverage engaged stakeholders to manage Slack workspaces

Within Slack Enterprise Grid the following administrative roles exist:

• Workspace Primary Owner: Single person with the highest permissions. Only this person can transfer ownership of the workspace.                                    
• Workspace Owners: Hold the same level of permissions as the Primary Workspace Owner, except they can’t transfer ownership of the workspace.
• Workspace Admins: They help manage members, channels, and other administrative tasks.
• Primary Org Owner: Only this person can transfer ownership of the org.
• Org Owners: Hold the same level of permissions as the Primary Org Owner, except they can’t transfer ownership of the org.
• Org Admins: They help manage org-level administrative tasks.

Slack goes into detail about roles here.

The purpose of admins at both the org and workspace levels is to manage workspaces by doing things like provisioning the appropriate channel access and permissions for members and guests. Admins can also close out old accounts and channels and enforce login standards. Within orgs, Org Owners delegate Org Admins to manage workspaces. Having Org Owners and Workspace Owners identify individuals with a solid understanding of basic cybersecurity principles to actively moderate Slack as either Org Admins or Workspace Admins is a good best practice that will make it easier to implement many of the other practices discussed in this post.

Watch these five areas of data exposure risk with Data Loss Prevention

Within Slack, the following areas can contribute to sensitive data exposure:

• Slack connect channels introduce users from outside your organization who may not know or follow policies.
• Slack guest accounts must be provisioned appropriately, with access to the right channels and assets being maintained across their lifetime.
• Private channels create visibility constraints for security teams.
• File attachments create complexity by expanding the number of places where data can live, as well as the types of sensitive data they must look for.
• Retention policies must be actively managed in accordance to compliance and security policies and practices.

Watch the following clip to learn more about how to manage these areas of risk within Slack:

What are important HIPAA Security Rule Considerations on Slack?

The HIPAA Security Rule provides a number of guidelines that are relevant to organizations on Slack, including:

• Identifying and protecting against reasonably anticipated threats to the security or integrity of information
• Protecting against reasonably anticipated, impermissible uses, or disclosures
• Ensuring compliance of policies by workforce
• Evaluating the likelihood and impact of potential risks to e-PHI
• Implementing appropriate security measures to address the risks identified in the risk analysis

Bottom line: In addition to following Slack’s rules for maintaining HIPAA compliance, organizations will need to ensure they have security tools like Data Loss Prevention (DLP) in their workspaces because Slack relies on third-party vendors to provide the controls necessary to satisfy HIPAA Security Rule guidelines.

What is data loss prevention in Slack?

Collaborative SaaS applications like Slack create environments where data policy and security best practices are difficult to maintain or enforce without an excessive time or resource commitment. Data loss prevention helps provides companies with a feasible alternative to address this problem. DLP is a control that ensures confidential information is kept on a need-to-know basis by:

• Scanning for content within messages and files to determine whether an unauthorized disclosure of business-critical information has occurred.
• Providing automated remediation on the basis of your established data security policies.
• Providing alerts and analytics that help organizations understand risk and employee behavior over time.

What is Nightfall DLP?

Nightfall is a platform to discover, classify and protect sensitive data across cloud SaaS & cloud infrastructure.

• Nightfall supports compliance efforts with a number of industry standards like PCI DSS, GDPR, HIPAA, CCPA, and much more.
• Nightfall works by continuously monitoring data flowing in and out of data silos and classifying that data with machine learning. Data marked as sensitive can be automatically quarantined, deleted, and redacted with workflows.
• Deploy a targeted remediation strategy with comprehensive, context-rich scan results that contain direct links to policy violations within Slack.
• Nightfall integrates with Slack via Oauth 2.0, meaning you can get started immediately. Integrate in seconds, then tell Nightfall which Channels, DMs, Slack Connect Channels, should be scanned in real-time for PHI, API keys, encryption keys, passwords, and more.

How does Nightfall differ from existing DLP platforms?

Nightfall DLP is the industry’s first cloud-native data loss prevention solution designed to discover, classify, and protect sensitive data in cloud environments.

• Leverage dozens of detectors, including Nightfall’s best-in-class core of machine-learning trained detectors, to detect a wide range of sensitive content types such as standard PII, names, ID numbers, financial information, addresses, credentials, secrets, custom regexes and word lists, and more.
• Nightfall's unique HIPAA-defined PII detector provides industry leading accuracy around finding and remediating data exposure in healthcare environments.
• Secure Slack with DLP scans for a wide range of file types — including plaintext, Office (Google Office, Open Office, msft Office), pdf, html, xml, all popular image file types (jpeg, png, etc), compressed files (zip, tar, etc).
• Additionally, Nightfall helps you satisfy the HIPAA security rule through messaging that educates users about the appropriate contexts for sharing PHI and detailed analytics of incidents that break policies.

How do I get started?

• To get started with Nightfall, schedule a call with our sales team, or contact us directly at sales@nightfall.ai with any questions.

‍

‍

‍

‍