As a consultant, I’ve worked with numerous clients with questions about Salesforce cloud security. Chief among these are healthcare organizations — providers, plans and suppliers alike — who worry about storing Protected Health Information (PHI) in the cloud. The Health Insurance Portability and Accountability Act (HIPAA) and its later amendments influence every aspect of their daily work, and they rightly wonder how to ensure compliance of their Salesforce org.
Well, due to HIPAA’s vague requirements, no hard and fast rules on achieving compliance exist. When using Salesforce or any other data platform, responsibility ultimately rests with your organization to implement the proper solution to safeguard your PHI. Salesforce does, however, provide numerous tools that help you eliminate risks. Through out-of-the-box features, native platform security customizations and paid add-ons, you can build an org that adequately addresses your Salesforce HIPAA compliance needs.
Default Salesforce HIPAA compliance features:
When thinking about storing PHI in your org, it helps to know that out-of-the-box Salesforce already provides compliance advantages over some common alternatives:
- Cloud-based data storage by default offers numerous security benefits over on-premises servers. Cloud data can’t be compromised by a lost laptop or a stolen internal server, after all.
- Salesforce is itself a Business Associate under HIPAA, as a provider to clients that host PHI on its servers. As such, Salesforce meets all of its obligations as a Business Associate to help its clients maintain compliance.
- Salesforce enforces TLS 1.1 as its minimum standard security protocol and by default requires HTTPS connections for standard org access.
Customizable Salesforce HIPAA compliance features:
On top of these baseline security features, the platform offers numerous ways of customizing your org security to lessen the risk of a PHI data breach. This downloadable checklist covers 13 Salesforce security best practices that any organization should implement to safeguard its data. It covers the security basics, from session settings to mobile security, so it’s a must-read before moving to more advanced topics.
Once you’ve taken care of those steps, consider these other security measures that are particularly helpful to organizations handling PHI:
- Tightening your session timeout settings so idle users are logged out automatically.
- Disabling caching and password autocomplete on Salesforce login pages to prevent access from a stolen device.
- Keeping PHI out of sandbox and test environments, which eliminates the risk of accidental breaches in these orgs.
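To make the first two of those settings checkable rather than something you eyeball in Setup, here is an added example (not code from the original post or from Salesforce) that lints a retrieved SecuritySettings metadata file. The element names (`sessionTimeout`, `forceLogoutOnSessionTimeout`, `enableCacheAndAutocomplete`), the timeout picklist values and the 30-minute idle baseline are assumptions modelled on the Metadata API's SecuritySettings type; verify them against the file you retrieve from your own org. The weak and hardened XML samples are constructed.

```python
import xml.etree.ElementTree as ET

# Metadata API namespace. Element names below follow the SecuritySettings /
# sessionSettings type as assumed here; check them against a real retrieved file.
NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Assumed mapping of the sessionTimeout picklist values to minutes.
TIMEOUT_MINUTES = {
    "FifteenMinutes": 15, "ThirtyMinutes": 30, "OneHour": 60, "TwoHours": 120,
    "FourHours": 240, "EightHours": 480, "TwelveHours": 720, "TwentyFourHours": 1440,
}

# Assumed baseline for an org handling PHI: idle users are logged out within 30 minutes.
MAX_IDLE_MINUTES = 30

# Constructed sample of a weak configuration (not retrieved from any real org).
WEAK_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <sessionSettings>
        <sessionTimeout>TwoHours</sessionTimeout>
        <forceLogoutOnSessionTimeout>false</forceLogoutOnSessionTimeout>
        <enableCacheAndAutocomplete>true</enableCacheAndAutocomplete>
    </sessionSettings>
</SecuritySettings>
"""

# The same constructed file after hardening the three settings.
HARDENED_SETTINGS = (
    WEAK_SETTINGS.replace("TwoHours", "FifteenMinutes")
    .replace("<forceLogoutOnSessionTimeout>false", "<forceLogoutOnSessionTimeout>true")
    .replace("<enableCacheAndAutocomplete>true", "<enableCacheAndAutocomplete>false")
)


def _text(session, name):
    """Return the stripped text of a child element, or None if it is absent."""
    node = session.find(f"md:{name}", NS)
    return node.text.strip() if node is not None and node.text else None


def lint_session_settings(xml_text):
    """Return a list of (setting, current value, recommended value) for each weakness found."""
    root = ET.fromstring(xml_text)
    session = root.find("md:sessionSettings", NS)
    if session is None:
        return [("sessionSettings", "missing", "define session settings explicitly")]

    findings = []
    timeout = _text(session, "sessionTimeout")
    minutes = TIMEOUT_MINUTES.get(timeout)
    if minutes is None or minutes > MAX_IDLE_MINUTES:
        findings.append(("sessionTimeout", timeout or "unset", f"<= {MAX_IDLE_MINUTES} minutes"))

    # A timed-out session that only warns, without terminating, leaves PHI on screen.
    force_logout = _text(session, "forceLogoutOnSessionTimeout")
    if force_logout != "true":
        findings.append(("forceLogoutOnSessionTimeout", force_logout or "unset", "true"))

    # Cached credentials on the login page survive on a lost or stolen device.
    cache = _text(session, "enableCacheAndAutocomplete")
    if cache != "false":
        findings.append(("enableCacheAndAutocomplete", cache or "unset", "false"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(label, lint_session_settings(xml_text) or "no findings")
```

Run it against the `SecuritySettings.settings` file from a metadata retrieve and it reports each setting that falls short of the baseline; an unset element is treated as a finding, since a missing value in the file means the org default applies, whatever that happens to be.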
Salesforce add-ons that support HIPAA compliance:
Customizing all of the standard Salesforce settings on this blog and the attached checklist will go a long way toward complying with HIPAA regulations, but your org may still be at risk without additional functionality. Luckily, Salesforce provides many add-on features that enhance the security of its platform. While they don’t come with Salesforce out of the box, they are well worth the investment to healthcare organizations.
Shield Platform Encryption — While standard Salesforce allows you to encrypt specific types of fields, Shield Platform Encryption extends this functionality far beyond the native variety.
- It allows you to encrypt both standard and custom fields, not only custom text fields.
- It can also apply to other kinds of data at rest in your Salesforce org: documents, Chatter posts, spreadsheets and databases.
- It features a stronger 256-bit Advanced Encryption Standard key, instead of the 128-bit key used by Salesforce Classic encryption.
- It includes Salesforce Event Monitoring, which tracks user activity (such as data exports), access to PHI records and application usage. It not only gives you a clear advantage in combating security threats but also aids compliance with HIPAA audit requirements.
- Speaking of HIPAA audits, Shield also comes with Field Audit Trail. While standard Salesforce allows limited data history tracking, this add-on monitors three times the fields and can archive up to 10 years of history.
In these ways, Shield Encryption not only lets you protect PHI in any form in the Salesforce platform — ensuring that you’re meeting that addressable aspect of HIPAA — but also provides a comprehensive history of your org’s data and user access.
Data backup solutions — As mentioned above, native Salesforce and its add-ons provide various means of tracking history. But without a true backup solution, you may still leave some compliance risks unaddressed. Specifically, Event Monitoring only retains history for 30 days. Backing up this data onto a secure outside server is therefore a critical means of addressing HIPAA concerns.
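Because of that 30-day window, a daily job that pulls each EventLogFile CSV out of the org and files it on your own storage is the usual answer. The following added example (not the post's or Salesforce's code) shows the two halves of such a job once the CSV text is in hand: an idempotent archive writer keyed by log date and event type, and a simple detection over the ReportExport rows that flags users exporting an unusually large number of reports in one day. The CSV sample is constructed; its column names are a subset of the ReportExport event type's documented columns, and the user and report IDs are made up. Downloading the CSV from the EventLogFile record's LogFile endpoint is left to your REST client, and the export threshold is an assumed tuning value.

```python
import csv
import io
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample of one day's ReportExport EventLogFile CSV. Column names are a
# subset of the documented ReportExport columns; IDs and timestamps are invented.
SAMPLE_REPORT_EXPORT_CSV = """EVENT_TYPE,TIMESTAMP,USER_ID,REPORT_ID,URI
ReportExport,20240101080000.000,005EXAMPLE000001,00OEXAMPLE000001,/00OEXAMPLE000001
ReportExport,20240101080500.000,005EXAMPLE000001,00OEXAMPLE000002,/00OEXAMPLE000002
ReportExport,20240101081000.000,005EXAMPLE000001,00OEXAMPLE000003,/00OEXAMPLE000003
ReportExport,20240101093000.000,005EXAMPLE000002,00OEXAMPLE000001,/00OEXAMPLE000001
"""


def parse_event_log(csv_text):
    """Parse an EventLogFile CSV body into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def archive_event_log(archive_root, log_date, event_type, csv_text):
    """Store the CSV under <root>/<log_date>/<event_type>.csv.

    Returns (path, created). A file already present is left untouched, so the job
    can be re-run every day without rewriting earlier days' logs.
    """
    dest = Path(archive_root) / log_date / f"{event_type}.csv"
    if dest.exists():
        return dest, False
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(csv_text, encoding="utf-8")
    return dest, True


def exports_per_user(rows):
    """Count ReportExport events per USER_ID."""
    return Counter(r["USER_ID"] for r in rows if r["EVENT_TYPE"] == "ReportExport")


def flag_bulk_exporters(rows, threshold):
    """Users with more than `threshold` report exports in this log (assumed tuning value)."""
    return {user: n for user, n in exports_per_user(rows).items() if n > threshold}


def run_demo(csv_text=SAMPLE_REPORT_EXPORT_CSV, threshold=2):
    """Archive the sample twice into a temp dir and run the detection; return the results."""
    rows = parse_event_log(csv_text)
    with tempfile.TemporaryDirectory() as tmp:
        path, created_first = archive_event_log(tmp, "2024-01-01", "ReportExport", csv_text)
        same_path, created_second = archive_event_log(tmp, "2024-01-01", "ReportExport", csv_text)
        archived_rows = parse_event_log(path.read_text(encoding="utf-8"))
    return {
        "rows": len(rows),
        "archived_rows": len(archived_rows),
        "created_first": created_first,
        "created_second": created_second,
        "same_path": path == same_path,
        "flagged": flag_bulk_exporters(rows, threshold),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a real job, `archive_root` would be the secure outside server the text mentions (a mounted share or an object-store sync target), the `log_date` comes from the EventLogFile record's LogDate, and the flagged users feed your audit review rather than an automated action; the point is that both the archive and the detection keep working after Salesforce has purged the original log.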
HIPAA compliance is a broad and messy subject. For that reason, Salesforce can’t guarantee you a particular HIPAA compliance standard but instead provides the tools you need to obtain it. Similarly, I’m a Salesforce consultant offering platform best practices that can help you reach your particular security requirements — not a lawyer providing legal advice.
Salesforce and this blog can lead you to HIPAA compliance but can’t make you drink the proverbial water. The rest is up to you.
Have additional questions about Salesforce HIPAA compliance? Let us know.