
Salesforce Health Cloud Security Integration: Key Things You Need to Know

Summa
In our fast-paced world, healthcare consumers want their personalized information at the speed of the internet. In fact, a full 71% of millennials want doctors to provide a mobile app to actively manage their health (Salesforce.com). But the heightened need for healthcare information, interaction and access also brings security considerations. Salesforce Health Cloud is designed to combine the power and security of the cloud with social and mobile technologies. Here are some tips and best practices to ensure you are getting the most out of security with a Salesforce Health Cloud integration:

1.) Understand what features Salesforce Health Cloud comes with out-of-the-box

At baseline, Salesforce comes with a number of security features. Some of them need to be turned on, while others will need to have boundaries or parameters set for them:

  1. Require secure connections (HTTPS, not plain HTTP). This applies both to the Salesforce user interface and to API access, and is standard with Salesforce.
  2. Limit and segment user access to PHI as much as possible.
  3. Disable caching and password autocomplete on the login page.
  4. Log out idle users. Some organizations may choose to do this after 10-15 minutes, others after 2 hours or more. It really depends on the sensitivity or nature of the work people are doing and how those using the software will typically interact with it.
  5. Limit access to appropriate IP ranges. This ensures employees are only accessing sensitive healthcare information from the office network. In addition, this can be tied in with a VPN as an additional level of security.
  6. Keep PHI out of your sandbox/test orgs. It can be a little tricky to do this, but you don’t want to pollute your test environment and expose any information.
  7. Single Sign-On/Two-Factor Authentication. This may or may not be the right choice for your organization, but it should be considered.
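Several of the items above (login-page caching, idle logout, session timeout, trusted IP ranges) live in the org's SecuritySettings metadata, which can be retrieved as XML and audited before each release. The following is an added example, not code from Summa or Salesforce: it checks a constructed `security.settings` file against the checklist. The element names (`sessionSettings`, `networkAccess/ipRanges`) and timeout values are assumed from the Metadata API `SecuritySettings` type and should be verified against a file retrieved from your own org.

```python
# Added example: audit a retrieved Salesforce SecuritySettings XML file against
# the out-of-the-box checklist (caching off, idle logout, timeout, IP ranges).
# Element names are assumed from the Metadata API SecuritySettings type; the
# sample XML below is constructed, not retrieved from a real org.
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: a weak configuration (long timeout, no IP ranges).
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <networkAccess/>
    <sessionSettings>
        <enableCacheAndAutocomplete>true</enableCacheAndAutocomplete>
        <forceLogoutOnSessionTimeout>false</forceLogoutOnSessionTimeout>
        <sessionTimeout>TwelveHours</sessionTimeout>
    </sessionSettings>
</SecuritySettings>"""

# Constructed hardened variant of the same file: caching off, forced logout,
# a two-hour ceiling and a single trusted (documentation) IP range.
HARDENED_SETTINGS = (SAMPLE_SETTINGS
    .replace("<networkAccess/>", "<networkAccess><ipRanges><start>203.0.113.0</start>"
             "<end>203.0.113.255</end></ipRanges></networkAccess>")
    .replace("enableCacheAndAutocomplete>true", "enableCacheAndAutocomplete>false")
    .replace("forceLogoutOnSessionTimeout>false", "forceLogoutOnSessionTimeout>true")
    .replace("TwelveHours", "TwoHours"))

# Timeouts at or under two hours match the 10-15 minute to 2 hour guidance above.
ACCEPTABLE_TIMEOUTS = {"FifteenMinutes", "ThirtyMinutes", "SixtyMinutes", "TwoHours"}

def _text(root, path):
    """Text of a namespaced element, or None if it is absent (fail closed)."""
    node = root.find(path, NS)
    return None if node is None else (node.text or "").strip()

def audit_security_settings(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if _text(root, "m:sessionSettings/m:enableCacheAndAutocomplete") != "false":
        findings.append("caching/autocomplete enabled on login page")
    if _text(root, "m:sessionSettings/m:forceLogoutOnSessionTimeout") != "true":
        findings.append("idle sessions are not forced to log out")
    if _text(root, "m:sessionSettings/m:sessionTimeout") not in ACCEPTABLE_TIMEOUTS:
        findings.append("session timeout longer than two hours (or unset)")
    if not root.findall("m:networkAccess/m:ipRanges", NS):
        findings.append("no trusted IP ranges: logins allowed from any address")
    return findings

if __name__ == "__main__":
    for name, xml in (("weak", SAMPLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_security_settings(xml) or ["all checks passed"])
```

Absent elements count as findings, so the audit fails closed when a setting was never retrieved rather than silently passing it.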

2.) Remember to Implement Other Security-Enhancing Salesforce Practices


Both within Salesforce Health Cloud and elsewhere in Salesforce, there are certain best practices to follow to ensure security. They must not be forgotten just because Salesforce Health Cloud is a new installation or feature. These include:

  • Develop breach plans; establish accountability.
  • Document all safeguards and decisions; make sure these are up to date and accurate at all times. This is crucial, because this is one of the first things you will be asked for in the event of an HHS investigation.
  • Train your staff regarding HIPAA.
  • Back up audit/access logs “off platform.” Consider storing copies of these offline. Note that HIPAA requires maintaining audit logs for 6 years as a minimum.
  • Periodically review gaps or weaknesses in your systems and processes. Evaluate new systems and approaches as solutions. For example, Salesforce.com releases may include new features that may help enhance your system’s security.

3.) Utilize Salesforce.com’s new “Shield” components

Salesforce Shield allows for two major enhancements relating to HIPAA: much-improved logging and far more comprehensive encryption of data at rest. Of all the Salesforce security features, platform encryption is the one we get the most questions about at Summa. Some customers have regulations in place that require some data to be encrypted. Whether you’re working with personally identifiable information (PII), protected health information (PHI), or other sensitive corporate data, platform encryption provides robust native functionality for field-level encryption, and with it encryption of individuals’ healthcare data as well.


At rest, Salesforce provides a native encryption capability not only for standard fields but also for files and attachments. This alone is very powerful.

Platform encryption includes the following:

  1. Encryption Services
    1. Standards-based encryption built natively into the App Cloud Platform
    2. AES encryption using 256-bit keys
    3. Layers seamlessly with other App Cloud security features
  2. Key Management
    1. Customer-driven key lifecycle management
    2. Uses secure keys that are never persisted in App Cloud
    3. Hardware Security Module-based key management infrastructure
    4. FIPS 140-2 compliant
  3. Policy Management
    1. Customer control over policy configuration
    2. Select fields, files and attachments to be encrypted
    3. Encryption is controlled with metadata to take complexity out of deployments
  4. App Cloud Integration
    1. Preserve important functionality like search and business rules
    2. Built-in features to iteratively add additional feature support

4.) Understand HIPAA Compliance by Workshopping with an Expert Team

HIPAA compliance will never be solved by a single piece of technology. It is an aggregation of technology, processes, user training, auditing and culture.

Regardless of technology, each healthcare service is responsible for its own compliance and will have additional work to ensure it. Providers should ask serious questions about data security, data storage in the cloud, data encryption, key management and handshakes between different application systems. The answers for each provider boil down to their trust in the solution, their priorities and their appetite for joining the wave of change that is taking place in the healthcare industry.


While the complexities innate in PHI and HIPAA requirements can be hard to digest, a Salesforce partner like Summa can deliver expert-driven Salesforce Workshops for your team to help boil it all down and make it easier to understand and consume. We can help you assess your organization’s collective risk tolerance and interpretation of HIPAA (including any BAAs to which you're contractually bound), learn about the Salesforce.com features that will help you protect your PHI, and develop an appropriate Salesforce.com-based solution that meets your needs and relevant legal and system constraints.

When deciding if a Salesforce Workshop is right for you and your organization, consider who is responsible for healthcare integration within your organization and whether they have experience with APIs or integrated web services. A preferred implementation partner, such as Summa, can be an essential part of configuring Salesforce Health Cloud to create smarter and more connected healthcare management. In 2015, we won the Salesforce.com Partner Innovation Award for Non-Profit Success for our work innovating new fundraising, donor and volunteer management solutions for The United Way of Southwestern PA. Plus, Salesforce.com is one of Summa's fastest-growing practice areas. As Gold Partners, we're excited to do more, excel more and produce more transformative solutions for our clients.

ABOUT THE AUTHOR
Summa