Managing Sensitive Data on Help Scout

Help Scout is a customer support and help desk platform used by organizations across industries to manage customer interactions and support tickets. Healthcare organizations that handle sensitive data, including protected health information, need to be sure that the platforms they use meet the data privacy and security standards set out by HIPAA.

As a help desk tool, Help Scout utilizes email, live chat and instant messaging features. Although they offer convenience, these types of features present challenges when it comes to maintaining HIPAA compliance. The primary challenge is that customers frequently include sensitive details in their Help Scout messages, which can lead to security vulnerabilities and regulatory issues.

Can You Store Patient Data or PHI in Help Scout?

Storing patient data and PHI in Help Scout carries significant compliance risks. Help Scout conversations and attachments that contain sensitive or protected data must be protected against unauthorized access.

HIPAA compliance therefore depends on how you configure your Help Scout environment. Without features for managing user access to and redacting PHI within Help Scout, organizations are at risk of data leaks and non-compliance with HIPAA.

‍

Is Help Scout HIPAA Compliant?

Yes, Help Scout can be configured to be used in a way that is HIPAA compliant. Furthermore, Help Scout are willing to sign a Business Associate Agreement (BAA) upon request. This means Help Scout are able to implement security features that bring the platform into compliance with HIPAA standards.

For example, Help Scout supports user identification and access controls such as two-factor authentication (2FA) and SSO through Google Apps; IP restrictions that limit access to a predefined list of IP addresses; 256-bit SSL encryption on internal communications; and limited content controls via the ability to edit, delete, or hide the contents of certain message threads.

Will Help Scout Sign a Business Associate Agreement?

For a cloud service provider to be considered HIPAA compliant, it must sign a Business Associate Agreement (BAA) with any healthcare organizations that intend to use its products to handle and/or process PHI.

Help Scout will sign a BAA upon request. Covered entities can review Help Scout’s BAA online.

Can PHI and Patient Data Be Leaked from Help Scout?

Despite Help Scout’s security measures, it is a cloud-based platform hosted on AWS. Like other cloud-based platforms, Help Scout is not invulnerable to security threats. There will always be a potential risk of security failures and data leaks.

Although Help Scout can be configured to handle PHI in compliance with HIPAA standards, there are certain risks that are inherent to the way Help Scout functions. For example, Help Scout conversations use email protocol to send messages. With this type of system, there’s no guarantee that sensitive PHI will remain 100% secure and private —messages sent over email have a number of vulnerabilities. The collaborative nature of help desk platforms also presents a significant risk of unintentional data leaks and insider threats.

These risks highlight the need for robust data leak prevention (DLP) strategies, especially for healthcare organizations that need to safeguard sensitive PHI.

How Can Strac Protect Companies from Data Leaks?

Help Scout will sign a BAA agreement and are able to implement security features for the safeguarding of sensitive data, in line with HIPAA standards.

‍

‎However, Help Scout’s use of email lacks comprehensive Data Loss Prevention functionality meaning there are vulnerabilities, especially around the use of email protocol for conversations with customers.

Strac’s Help Scout DLP is designed for detecting & redacting sensitive data in Help Scout conversations.

Strac's Help Scout DLP comes with two primary modes:

• Detection —the software automatically identifies sensitive messages and attachments in Help Scout conversations. Security and Customer support teams can then review these findings within the Strac UI Vault and receive alerts.
• Redact —once Help Scout DLP is configured* it masks or redacts sensitive information, with privileged users able to review these redacted messages in Strac's UI Vault.

The Strac Help Scout DLP can be tailored to the unique needs of your organization, by configuring a custom list of sensitive data types, such as SSN, DoB, DL, Passport, Credit & Debit card #, API Keys, that are to be automatically redacted.

Your security and compliance officers are then able to receive and review audit reports of who accessed data and when, ensuring that the risk of data leaks is mitigated and bringing your handling of PHI within Help Scout into full compliance with HIPAA standards.

Explore Strac's catalog of redactable data elements within Help Scout and learn more about how our Help Scout DLP ensures HIPAA compliance.

Browse our complete range of Strac DLP integrations, check out our developer documentation and book a free 30-minute demo to learn more.

‍