Healthcare Compliance Solutions on the World’s #1 Cloud Platform

Blaze new paths to healthcare compliance with Salesforce

If you’re a Salesforce developer for a healthcare company, you’ve probably heard of some compliance regulations (for example, GDPR and HIPAA) that help your company guard against threats to patients’ personal information. What you might not know is who is responsible for ensuring that your company meets compliance requirements for patients, regardless of the country they live in. Developers like you? The admins managing your company’s Salesforce org? Maybe even Salesforce itself?

The answer: all of the above. For Salesforce customers, security and compliance are shared responsibilities, where:

• Salesforce secures customer data hosted on the platform and provides physical, technical, and administrative safeguards.
• Admins and developers in the Salesforce ecosystem work together to configure the privacy and security of their orgs and apps running on the Salesforce Platform.

Although the configuration work doesn’t necessarily require deep development or coding — most security controls are Salesforce native — technical expertise can be beneficial when a company wants to extend out-of-box functionality or set up event monitoring and audit trails using developer tools. This blog post will outline some of the Salesforce tools and features to keep in mind when doing any development work that might have an impact on your company’s security and compliance.

It’s About Trust

Salesforce helps our customers meet compliance and security standards in some of the most highly regulated sectors, such as financial services, government, and of course, healthcare and life sciences. Here’s a small sampling of healthcare related compliance criteria for HIPAA, HITRUST, and GDPR and how that criteria maps to Salesforce solutions.

Salesforce security features — such as Einstein Artificial Intelligence (AI), platform encryption, role permissions and hierarchies — are available in a layered architecture of products and services, where trust is baked into each layer from the ground up.

Security with Einstein

Salesforce collects a lot of operational and security data daily. Human beings aren’t capable of examining this huge volume of data — but Salesforce can, thanks to the Einstein Artificial Intelligence solution.

Einstein AI is powered by advanced machine learning, predictive analytics, and smart data discovery. It learns, self-tunes, and gets smarter with every interaction and additional piece of data. Einstein AI tracks all incoming data: the number of failed and successful login attempts over time, the source, and whether a social attack might compromise a company’s data. From that tracked data, it creates a risk profile. When a security risk is identified, a rule is created based on the information and added to the machine-learning model. With time, the gathered information makes the model even smarter.

Einstein AI solves the scale problem by seeking the more-complex behavior patterns that rules-based approaches can’t handle. Here’s an example of why rules aren’t enough. Say that you set up a rule that monitors for five successive unsuccessful user login attempts. But what if the hacker stopped trying to log in after four attempts, waited a bit, and then tried four more times? Rules alone cannot address every attack variation.

Permissions, Roles, and Hierarchy Tools

To help you manage your Salesforce implementation securely, Salesforce offers tools for permissions, roles, and role hierarchies that are available right out of the box. As with all tools, though, using them for their intended purpose means using them in a certain way and according to certain best practices. When assigning permissions and roles in your org based on your org’s access requirements, follow the “principle of least privilege.” Couple this with two-factor authentication (2FA), and you have a powerful way to protect your data.

This blog post, Why Is Data Security Important to Me?, outlines the basic tenets of data security and what you can do to improve the security of your Salesforce data.

Personal Data Delete and Export and the GDPR

Salesforce can also help you address these GDPR requirements:

• Delete all personal and patient data in the system. Check out the Trailblazer community for white papers that walk you through all the different places that personal data exists and how you can delete it.
• Extract or move a customer’s personal or patient data using APIs, or create reports with a data loader tool.

Salesforce Shield: Defense in Depth

For additional advanced security and data protection — such as platform encryption, event monitoring with transaction security, and audit trails, Salesforce offers a “defense in depth” approach: Salesforce Shield, an optional add-on product.

Summary

For Salesforce healthcare customers, protecting patient data is a shared responsibility. Salesforce secures customer data hosted on its platform, and developers and admins configure the platform to meet their company’s and customers’ needs.

Learn More

To see how the University of California at San Francisco (UCSF) puts its trust in Salesforce to protect patients’ electronic protected health information (ePHI), watch the recording of the Health Provider Solutions on the World’s Most Trusted Enterprise Cloud session from Dreamforce 2018.

To learn more about what my fellow Content & Communications Experience writers deliver, see @salesforcedocs.