How to make Slack HIPAA compliant in 2023?

TL;DR

• Slack is not HIPAA compliant by default but can be configured for compliance on the Enterprise Grid plan.
• Five main requirements for HIPAA compliance on Slack include Slack Enterprise Grid subscription, appropriate use, adherence to Slack's guidelines, cyber hygiene, and technical considerations.
• Technical requirements include executing a Business Associate Agreement, avoiding Protected Health Information (PHI) in prohibited fields, and using security tools like SSO and DLP.
• Monitoring five areas of data exposure risk with Data Loss Prevention (DLP) helps maintain data integrity and security.
• DLP strategies include third-party solutions, advanced technologies, automated policies, customized classifiers, integration into Slack Connect, and collaboration between legal, IT, and compliance teams.
• Strac’s HIPAA DLP solution works with all Slack plans - Pro, Business+ and Enterprise.

The rise of remote healthcare has necessitated strict adherence to HIPAA (Health Insurance Portability and Accountability Act) guidelines in communication tools. Slack, a popular messaging platform, is now a key channel for healthcare professionals to communicate and exchange information. However, ensuring the integrity of PHI shared on Slack is vital, making compliance a top priority for healthcare organizations.

In the first quarter of 2023, a total of 145 data breaches have been reported in healthcare firms, according to the U.S. Office for Civil Rights (OCR). Moreover,  since 2017, complaints about HIPAA violations have increased by 39%, along with an increase in the number of serious breaches reported.

Organizations require both efficient communication and collaboration while maintaining the strict privacy and security regulations set forth by HIPAA. This is why we'll take a closer look at how to achieve and maintain HIPAA compliance within Slack in this blog post. Let’s dive into the details.

Is Slack HIPAA Compliant?

Slack, by default, is not HIPAA compliant. However, it can be configured to support HIPAA-compliant message and file collaboration on the Slack Enterprise Grid plan. 

Make Slack HIPAA Compliant in 2023 with these 8 steps

The below steps ensure that the use of Slack aligns with HIPAA regulations, safeguarding information while facilitating efficient communication.

1. Choose the Right Slack Plan

Opt for the Slack Enterprise Grid plan. It's designed for larger organizations and has enhanced security features essential for HIPAA compliance.

2. Configure User Roles and Permissions

Covered entities need to have an appropriate use case for Slack. For example, Slack can be used for internal communication between healthcare providers as long as they are not discussing PHI. Slack should not be used for sharing PHI with patients.

3. Sign Necessary Agreements

They need to follow the requirements that Slack outlines for maintaining HIPAA compliance. Slack offers a Business Associate Agreement (BAA) for covered entities, which outlines the responsibilities of both parties in maintaining HIPAA compliance. Covered entities must agree to the BAA before using Slack.

4. Employee Training

They must practice common sense cyber hygiene within Slack. This includes limiting the likelihood of data exposure incidents by setting up appropriate access controls, regularly auditing user access, and training employees on properly handling PHI.

5. Implement Security Measures

When necessary, healthcare providers should evaluate some HIPAA Security Rule considerations, such as implementing encryption, regularly backing up data, and having a disaster recovery plan in place.

6. Manage Data Appropriately

PHI cannot be present in "prohibited fields," such as user profile data, file names, workspace and organization names, custom emojis, custom statuses, and custom profile fields. PHI can only be shared with relevant members within private channels to comply with HIPAA. 

7. Network and Connectivity Recommendations

Disable the Slack email ingestion tool, which converts emails to Slack messages, from the admin console to avoid any unauthorized sharing of PHI.

Slack also recommends that in-field clinicians not connect over patient WiFi. They assert that Slack should not be the primary storage or record-keeping system for records or other critical data.

8. Utilize Slack APIs for Enhanced Security

Organizations must use  Slack APIs to implement security tools and processes for monitoring members' use of Slack. They can achieve this using Single Sign-On (SSO), Backup/Archival, and Data Loss Prevention tools.

Considering DLP tools, Strac App works across all Slack channels. Strac's redaction experience blocks sensitive PII, PHI or PCO data within Slack channels or direct messages. 

To know more about how Strac addresses Slack DLP, read here ➡️ strac's Slack DLP.

Best Practices to Maintain Slack Cyber Hygiene

Maintaining effective cyber hygiene practices is one of the most crucial aspects of the modern workplace. This is especially true regarding cloud-based environments, like Slack, which makes it effortless for employees to share information. 

If this information remains in the system, it could become a breach risk, as seen in the Slack Security Incident of December 2022. During this incident, attackers accessed private GitHub code repositories by stealing a limited number of Slack employee tokens. 

Fortunately, no customer data or Slack's primary codebase was compromised, but this event underscored the importance of securing credentials and monitoring third-party platforms.

To prevent such incidents and PHI from being compromised, here are a few best practices to follow:

1. Implement consistent channel naming conventions

To maintain effective cyber hygiene practices on Slack, it is crucial to implement consistent channel naming conventions in all channels where PHI will be shared. However, ensure these naming conventions align with your business objectives and security policies. This helps keep your workspace organized and ensures easy navigation. To implement consistent channel naming conventions, consider the following tips:

• Keep channel names concise to ensure they are easy to read and to the point.
• Consistently name all channels to avoid confusion.
• Ensure the channel's purpose is described in descriptive keywords to avoid ambiguity.
• For better structure, you can categorize channels by departments, branch offices, or company-wide announcements.
• Create your channel naming guidelines and circulate them among team members. Then prominently feature them on your primary communication platforms to ensure uniformity and compliance.

2. Utilize Automated Deletion 

To ensure good cyber hygiene practices and protect against PHI breaches, use automated deletion to remove sensitive information and inactive accounts from your Slack workspace. Consider the following steps:

• Prevent unwanted access by deactivating member accounts that are no longer necessary.
• Comply with data privacy laws and prevent information breaches by deleting the profile information of any deactivated members.
• Ensure only necessary apps remain active and prevent unauthorized access by managing deactivated members' apps and integrations.
• Keep user privileges updated by regularly reviewing and adjusting them as needed. Make sure that team members only access necessary channels and files.
• Remove inactive accounts and sensitive information to comply with data privacy laws and avoid security breaches.

3. Monitor the Five areas of Data Exposure Risk 

Integrating Slack Data Loss Prevention (DLP) helps monitor potential data exposure risks in five areas:

• Slack Connect channels are monitored to prevent data leaks and unauthorized access.
• Guest accounts in Slack are constantly tracked and deactivated as and when required.
• Private channels are monitored for potential data exposure risks, and access is limited to prevent unauthorized usage.
• File attachments in Slack are checked for sensitive information and access to file-sharing is limited.
• Retention policies are implemented to delete messages and files after a specified period to ensure data privacy and compliance.

Stay HIPAA Compliant on Slack Plans and Enhance Security With Strac

If you want a solution to make Slack HIPAA compliant for any of your Slack Plans (Pro, Business+ or Enterprise), Strac is here to assist you. 

Strac is designed to secure sensitive Personally Identifiable Information (PII) and Protected Health Information (PHI) across various applications. Here’s how Strac enhances HIPAA compliance on Slack:

• Discovery: Strac HIPAA-compliant Slack app discovers sensitive messages & files and can be configured to find shared sensitive messages and files.
• Masking: Strac DLP redacts or removes sensitive Slack messages & files while allowing authorized users to view them in Strac UI Vault.
• Prevention: Strac prevents unauthorized file sharing on channels or Slack Connect, allowing workflows to be built around file sharing, such as requiring owner approval.
• Redaction Configuration: Businesses can configure a list of sensitive data elements (e.g., SSN, Passport, DoB, Credit Card numbers) for redaction.

Check out this video to learn more about sensitive data elements ➡️Strac's catalog of sensitive data elements. 

• Compatibility: Strac App works with Free, Pro, Business, and Enterprise Slack plans.

‍