Five Salesforce® workflows that put you at risk

June 9, 2016

Pete Cafarchio

If you’re in a regulated industry (Healthcare, financial services, government, etc.) then regulatory compliance applies to the Salesforce workflows that you design and use.  It’s worth taking a closer look at how your data travels to make sure you’re not in violation of HIPAA/HITECH, PCI, FERPA, and the like.

The good news is that the Salesforce platform itself is HIPAA compliant, they will sign a BAA, and Shield has added some much needed monitoring, encryption, and auditing capabilities. But keep in mind that these measures cover only data at rest. Compliance also applies to protected data in motion that's traveling in and out of Salesforce. It's an aspect of compliance that can be overlooked, but it nevertheless puts you at risk of a data breach or violation penalties.


Consider these common workflow scenarios to see if you could be exposed to a violation.
1. A sales rep sends a contract, work order, capital call, or other document using Salesforce's email function. Those documents often contain personally identifiable information (PII), and the email needs to be encrypted.
To its credit, Salesforce implemented Transport Layer Security (TLS) encryption for its native email function.  But TLS only works if the recipient is configured to receive it, and at least 10-15% of recipients aren’t.  So don’t be lulled into thinking that Salesforce email takes care of your workflow security needs.  It helps, but it’s not fully compliant.  You need a solution that guarantees all sensitive email will be encrypted.

2. The above scenario applies to certain dedicated workflows. But what if your employees use the native Salesforce email function for all of their email messages? They aren't always sure whether or not the emails contain personally identifiable information (PII). And you probably don't want to distract your highly-paid employees by making them spend time trying to figure that out. You want them focused on their core job duties.

That’s where a policy filtering gateway can be very powerful.  It will examine all outbound email and attachments, compare it against your compliance policy rules, and make the decision of whether to encrypt or not.

3. The messaging dialogue between your customers and CSRs who use Service Cloud or Desk.com can be a blatant compliance violation. The running history of the dialogue is included in the email thread and often contains information such as a medical diagnosis, payment information, or other PII.

When the customer initiates a support request that includes sensitive data, you're not liable for the incoming data. But when your CSR replies, the return message automatically includes a copy of the customer's original text. You're responsible for the content of that message, and it needs to be encrypted.

4. A growing number of mobile apps integrate a messaging component to tie in with Salesforce. The app itself may be secure, but as soon as it sends email messages, files, help desk tickets, or forms data between the app and Salesforce, you risk non-compliance of the data in motion.

Developers are typically so focused on the authentication and permissions aspects of security that they can overlook the security of the messaging component.  This is especially prevalent in the explosion of new healthcare apps, but it applies to all industries.

5. Customer engagement email marketing campaigns may contain PHI. This often gets overlooked, but say you're sending a broadcast marketing message (for example, healthy lifestyle tips to your known contacts who have a diabetes diagnosis). If that message also contains their name, by definition that's Protected Health Information (PHI) and HIPAA says the email needs to be encrypted.

You'll probably get pushback from marketing if you insist that all of their email campaigns are sent encrypted. Newer solutions, though, don't make the email recipient jump through hoops to receive the message while still providing the data privacy that HIPAA requires.
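To make scenarios 2 and 3 concrete, here is a small model of the "policy filtering gateway" decision: scan the subject, body and attachment text of an outbound message against a rule set and decide whether it must go out encrypted. This is an added illustration, not DataMotion's or Salesforce's code; the detector patterns (SSN format, Luhn-validated card numbers, a few health-related terms) and the sample messages are constructed for the example. The `include_quoted` switch shows the scenario 3 trap: a gateway that ignores the `>` quoted thread history never sees the customer's original text that the CSR reply carries back out.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed detector rules for this example. A real gateway loads its rule
# set from the organization's compliance policy; these are illustrations only.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
HEALTH_TERMS = ("diagnosis", "diabetes", "prescription", "lab result")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps order numbers and tracking ids from being flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[str]:
    """Return the categories of sensitive data found in one piece of text."""
    hits: List[str] = []
    if SSN_RE.search(text):
        hits.append("ssn")
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append("payment-card")
            break
    lowered = text.lower()
    if any(term in lowered for term in HEALTH_TERMS):
        hits.append("health-info")
    return hits


@dataclass
class Decision:
    encrypt: bool
    reasons: List[str] = field(default_factory=list)


def strip_quoted(body: str) -> str:
    """Drop '>' quoted lines, i.e. the customer's original text in a reply thread."""
    return "\n".join(l for l in body.splitlines() if not l.lstrip().startswith(">"))


def policy_decision(msg: Dict, include_quoted: bool = True) -> Decision:
    """Decide whether an outbound message must be encrypted.

    msg has 'subject', 'body' and a dict of attachment name -> extracted text.
    include_quoted=False models a gateway that ignores quoted thread history,
    which is what lets the Service Cloud reply in scenario 3 go out in the clear.
    """
    body = msg["body"] if include_quoted else strip_quoted(msg["body"])
    parts = [msg["subject"], body] + list(msg.get("attachments", {}).values())
    reasons: List[str] = []
    for part in parts:
        for hit in find_sensitive(part):
            if hit not in reasons:
                reasons.append(hit)
    return Decision(encrypt=bool(reasons), reasons=reasons)


# Constructed sample messages (not real customer data).
CSR_REPLY = {
    "subject": "Re: question about my claim",
    "body": (
        "Hi Dana, thanks for reaching out. Your record has been updated.\n"
        "\n"
        "> I was told my diabetes diagnosis has to be on file before the\n"
        "> plan pays. My SSN is 123-45-6789 if that helps.\n"
    ),
    "attachments": {},
}

SALES_CONTRACT = {
    "subject": "Work order 1234567890123",
    "body": "Please see the attached work order.",
    "attachments": {"work-order.pdf": "Bill to card 4111 1111 1111 1111, exp 09/18"},
}

NEWSLETTER = {
    "subject": "Spring product update",
    "body": "New dashboards are available this month. Order 1234567890123 ships today.",
    "attachments": {},
}

if __name__ == "__main__":
    for name, msg in [("csr reply", CSR_REPLY), ("contract", SALES_CONTRACT), ("newsletter", NEWSLETTER)]:
        print(name, policy_decision(msg))
    print("csr reply, quoted text ignored:", policy_decision(CSR_REPLY, include_quoted=False))
```

Run as-is, the CSR reply and the contract are flagged for encryption while the newsletter passes, and the same CSR reply passes untouched once quoted lines are ignored. The Luhn check is what keeps the 13-digit work order number from being mistaken for a card; a production gateway would add many more detectors, but the structure (scan every part, including attachments and quoted history, then decide) is the point.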

Of course there are countless variations on these workflows, and plenty of others that aren’t even listed here.  So if you’re unsure whether or not your workflows are in compliance, it’s best to engage an expert and implement the appropriate safeguards.

Salesforce is an awesome platform to automate your customer engagements, and it keeps getting easier to use all the time.  Just make sure you’re protecting your customers’ privacy (and your liability) as you build out your workflows.

Pete Cafarchio


Pete leads the business development function for DataMotion. He has served many roles over the past twenty years to successfully launch multiple companies and product lines. Before coming to DataMotion in 2008, Pete was Director of Business Development, Worldwide Channel Strategy at CA, Inc. Prior to that he helped build PestPatrol, inc. into a successful anti-spyware company. While there, he brokered key OEM partnerships with Yahoo and Dell as well as CA’s acquisition of PestPatrol. Prior to that he served in sales and product management functions at TruSecure Corporation, and established the development office for a non-profit charity.
