We have successfully completed the SOC 2 Type 2 certification: Read more ⟶

Two people with stethoscope on table
Blog 3 min read

4 Best Practices for Healthcare teams using Slack

by Michael Osakwe Published May 01, 2020

We’ve written in detail about the requirements that healthcare organizations must follow in order to maintain HIPAA compliance within Slack. However, in tandem with these requirements, there’s a series of best practices that not only help in managing Slack workspaces but also make it easier to remain HIPAA compliant. Healthcare teams using Slack should readily consider adopting the following practices.

Use consistent channel naming conventions that complement business objectives and security policies

Within a HIPAA compliant Slack workspace, there are private channels that are intended to be used to discuss sensitive topics involving PHI. One way to ensure that PHI is not accidentally shared outside of these channels is to use a clear and consistent process for naming all channels where PHI will be shared. When developing your organization’s channel creation policies, you should make sure that channels are clearly named using Slack’s recommended naming conventions. Additionally, you should make sure that channels serve a distinct and purpose so that there is little overlap between information shared across channels. This will serve to clearly delineate content within channels, prevent the duplication of information across Slack, and reduce the likelihood of sensitive data being viewed by the wrong parties.

Use automated deletion to remove sensitive information and accounts no longer in use 

Slack makes it easy to create automated policies around message retention and user account management. For example, Slack guest accounts can be set to expire after a time limit, ensuring that external collaborators or contractors meant only to have temporary access to your workspace are automatically removed once after an appropriate amount of time. Similarly, messages and files in Slack channels or entire workspaces can be automatically deleted after a specified time limit. Using this feature in a way that maps to your compliance and risk management strategies can ensure that data isn’t available on Slack long after it’s no longer needed.

Leverage engaged stakeholders to manage Slack workspaces

Within Slack Enterprise Grid the following administrative roles exist:

  • Workspace Primary Owner: Single person with the highest permissions. Only this person can transfer ownership of the workspace.                                    
  • Workspace Owners: Hold the same level of permissions as the Primary Workspace Owner, except they can’t transfer ownership of the workspace.
  • Workspace Admins: They help manage members, channels, and other administrative tasks.
  • Primary Org Owner: Only this person can transfer ownership of the org.
  • Org Owners: Hold the same level of permissions as the Primary Org Owner, except they can’t transfer ownership of the org.
  • Org Admins: They help manage org-level administrative tasks.

Slack goes into detail about roles here.

The purpose of admins at both the org and workspace levels is to manage workspaces by doing things like provisioning the appropriate channel access and permissions for members and guests. Admins can also close out old accounts and channels and enforce login standards. Within orgs, Org Owners delegate Org Admins to manage workspaces. Having Org Owners and Workspace Owners identify individuals with a solid understanding of basic cybersecurity principles to actively moderate Slack as either Org Admins or Workspace Admins is a good best practice that will make it easier to implement many of the other practices discussed in this post.

Implement an effective data loss prevention (DLP) tool

For healthcare teams using Slack, integrating DLP with your Slack instance will help ensure the satisfaction of HIPAA Security Rule Guidelines. DLP tools allow you to have data visibility on applications like Slack, giving you the ability to filter through messages and files for specific types of sensitive information. With Nightfall specifically, you can create workflows that allow you to automatically detect the sharing of sensitive information in any channel and remove it from Slack. Additionally, Nightfall provides detailed analytics about what types of PHI risk exists in your Slack channels and can send custom messages to offenders who break defined PHI policies. These features are invaluable for ensuring compliance with the HIPAA Security Rule and making sure that sensitive information is only shared with whom it is intended in a channel designated for sharing such information.

If you’re interested in learning more about Nightfall DLP for Slack, take a look at our guide. To see Nightfall in action and start a free trial, schedule a demo below.

Subscribe to our newsletter

Receive our latest content and updates

Nightfall logo icon

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack, Google Drive, GitHub, Confluence, Jira, and many more via our Developer Platform. You can schedule a demo with us below to see the Nightfall platform in action.


Schedule a Demo

Select a time that works for you below for 30 minutes. Once confirmed, you’ll receive a calendar invite with a Zoom link. If you don’t see a suitable time, please reach out to us via email at sales@nightfall.ai.

call to action

See Nightfall in action

Schedule a demo