Challenge
- Adopting cloud apps like Slack requires proper oversight of sensitive data like PHI.
- As a digital health provider, Capital Rx needed to invest in tools that would simplify this process without compromising accuracy.
Solution
- Nightfall DLP, a Slack Partner, dramatically enhances data visibility for teams using SaaS platforms.
- Through features like sensitive character redaction in Slack messages, Nightfall has allowed Capital Rx to prevent the sharing of PHI without disrupting employees' workflows.
HIPAA compliance requires oversight of SaaS platforms
Capital Rx processes pharmacy benefits claims and provides clinical oversight to employers, unions, municipalities, and health plans. Like other companies in the healthcare industry, Capital Rx must maintain compliance when handling data in the cloud. Their concern is protecting the confidentiality of electronic protected health information (e-PHI) to maintain SOC 2 compliance and URAC accreditation for their technology systems.
With hundreds of users on Slack, the Capital Rx technology team needed a way to ensure that sensitive customer e-PHI would never be at risk of improper exposure within messages and files sent over the app. Nightfall’s API-driven data loss prevention (DLP) provides the coverage Capital Rx needs to satisfy compliance audit requirements and identify which customer data does not belong in Slack.
Ryan Kelly is Capital Rx’s CTO and co-founder. His team had to overcome a major security challenge for the company: gaining complete oversight of their Slack instance to protect e-PHI. Capital Rx relies on the cloud for their entire service delivery model, so they needed a cloud-native data security platform that fit seamlessly into their tech ecosystem.
Nightfall provides the Capital Rx technology team with visibility into how information is shared within Slack. DLP was an easy choice for Ryan and his team, as a low-friction way to implement automated scans and alerts that help support their security and compliance goals. “Implementing a DLP platform allows us to step up our security to another level, with our ability to monitor and audit our Slack communications,” says Ryan. “Nightfall DLP gives us the oversight we need to achieve our legally mandated data confidentiality requirements.”
API-driven DLP equals compliance efficiency
Capital Rx operates in a highly regulated industry and handles large volumes of sensitive data every day. The demands of managing this high degree of data risk can drain resources and bandwidth from a team trying to do it all without automated support. Nightfall quickly proved to be the right solution for Capital Rx’s compliance and security needs in Slack, with Nightfall’s detection engine identifying problematic data usage and sharing before it ballooned into a security incident.
“In several instances, Nightfall has prevented users from sharing PHI in a public Slack channel and protected that sensitive information from being more widely shared, retrieved, or seen,” says Ryan.
When Capital Rx added Nightfall to their security technology lineup, they saw benefits beyond simply removing sensitive patient data in Slack. In some cases, internal teams need to be able to share data, and the concern is not to block them from doing so but rather to keep data sharing limited to appropriate channels. Nightfall offers flexibility in how DLP policies are applied based on metadata like channel type. By allowing internal Slack users to share e-PHI and other sensitive data in a secure and sanctioned way, Ryan’s team also got a boost in productivity and organizational efficiency.
Data risk is one less thing to worry about with Nightfall
Contemporary security problems require forward-thinking approaches. Capital Rx relies on modern SaaS-based systems for collaboration and productivity so they can build and produce new ideas, solutions, and products for customers and internal stakeholders. Working in the cloud enables teams to move faster, but the ease of sharing information also introduces new security and compliance challenges. Nightfall helps Capital Rx take advantage of Slack’s collaborative capabilities while reducing risk.
“We’re able to get ahead of very expensive data exposure incidents that could violate HIPAA requirements, which can run easily to thousands of dollars per member record affected,” says Ryan.
Nightfall’s fast integration into Slack and ease of use help Capital Rx focus on the bigger picture for their growth as a company. Automated DLP protects e-PHI in Slack without Ryan and his team needing to monitor and intervene every time a possible incident occurs. “Being able to use cloud-native technologies like Nightfall enables us to stay focused on delivering valuable services and solutions to our customers,” says Ryan.
Nightfall has become a key component of Capital Rx’s overall security strategy by allowing them to secure e-PHI in Slack, preventing exposure incidents before they happen, and unlocking higher productivity for the technology team. The confidence and peace of mind that comes with Nightfall DLP is a big win for Capital Rx’s internal security outcomes.