TL;DR: Salesforce environments in Service Cloud, Health Cloud, and Sales Cloud now concentrate PHI, PCI, customer tickets, and other regulated records across structured and unstructured data, and Cyera argues that discovery and classification at scale are required to close compliance blind spots. The real issue is not storage location but whether security teams can enforce consistent controls across the full Salesforce ecosystem.
NHIMG editorial — based on content published by Cyera: Securing Regulated Data Across Salesforce Health Cloud and Service Cloud
By the numbers:
- 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems.
Questions worth separating out
Q: How should security teams govern regulated data in Salesforce environments?
A: Security teams should treat Salesforce as a multi-cloud data estate rather than a single application.
Q: Why do structured Salesforce fields and unstructured content need different controls?
A: Structured fields are easier to classify, but unstructured case notes, attachments, and chat histories often contain the most sensitive information.
Q: What do security teams get wrong about Salesforce compliance?
A: They often assume compliance can be proven by controlling a few obvious records or by reviewing access to the platform itself.
Practitioner guidance
- Expand discovery across all Salesforce object types: inventory standard objects, custom objects, and custom fields together so sensitive values are not missed because they appear in business-specific schemas.
- Classify unstructured case content as regulated data: include case notes, chats, attachments, and uploaded files in the same policy scope as structured records, with review rules for PHI, PCI, and personal data.
- Prioritise the highest-risk records first: use classification results to rank records by regulatory exposure so remediation focuses on the data most likely to affect compliance and trust.
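The three guidance points above can be exercised end to end on a small snapshot. The Python below is an added example written for this post; it is not Cyera's product logic or Salesforce code. It assumes a constructed describe-style inventory (object and field API names, with the real Salesforce convention that custom objects and fields end in `__c`), a constructed field policy that marks certain fields as PHI or PII by definition, a few constructed records with a test card number, and constructed exposure weights. It scans structured fields and unstructured case text with the same rules, then ranks records by total exposure.

```python
"""Added example: discover, classify and rank regulated data in a Salesforce-style
snapshot.  Every object name, field name, record, pattern and weight here is
constructed for illustration; the only real Salesforce convention used is the
"__c" suffix that marks custom objects and custom fields."""
import re
from dataclasses import dataclass


def is_custom(api_name: str) -> bool:
    """Salesforce convention: custom objects and custom fields carry the __c suffix."""
    return api_name.endswith("__c")


# Constructed describe-style inventory: object -> [(field API name, is_unstructured)].
SCHEMA = {
    "Account": [("Name", False), ("Phone", False), ("Tax_Id__c", False)],
    "Case": [("Subject", False), ("Description", True), ("Attachment_Text__c", True)],
    "Patient_Record__c": [("MRN__c", False), ("Clinical_Notes__c", True)],
}

# Constructed policy: fields that hold regulated data by definition, whatever the value.
FIELD_POLICY = {"MRN__c": "PHI", "Clinical_Notes__c": "PHI", "Tax_Id__c": "PII"}

# Constructed content patterns applied to every value, structured or not.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")       # 13-19 digit card-like runs
MRN_RE = re.compile(r"\bMRN\b[:#\s]*\d{5,}")            # "MRN 1234567" style mentions
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed exposure weights used to rank records for remediation.
WEIGHTS = {"PCI": 5, "PHI": 4, "PII": 2}

# Constructed sample records; 4111 1111 1111 1111 is a well-known test PAN.
RECORDS = [
    {"object": "Account", "id": "001A", "Name": "Acme Clinic",
     "Phone": "555-0100", "Tax_Id__c": "12-3456789"},
    {"object": "Case", "id": "500B", "Subject": "Billing question",
     "Description": "Customer read out card 4111 1111 1111 1111 over chat.",
     "Attachment_Text__c": ""},
    {"object": "Case", "id": "500C", "Subject": "Portal login",
     "Description": "Can't log in.",
     "Attachment_Text__c": "Lab results for MRN 7788123, contact j.doe@example.com"},
    {"object": "Patient_Record__c", "id": "a0D1", "MRN__c": "4455667",
     "Clinical_Notes__c": "Diagnosis: hypertension"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives from the card-number pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(value: str) -> set:
    """Return the regulated-data categories found in a free-text or field value."""
    cats = set()
    for m in PAN_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            cats.add("PCI")
    if MRN_RE.search(value):
        cats.add("PHI")
    if EMAIL_RE.search(value) or SSN_RE.search(value):
        cats.add("PII")
    return cats


@dataclass(frozen=True)
class Finding:
    object_name: str
    record_id: str
    field_name: str
    category: str
    unstructured: bool


def scan(records, schema=SCHEMA, policy=FIELD_POLICY):
    """Walk every field of every record (standard and custom, structured and
    unstructured) and emit one Finding per (field, category) pair."""
    findings = []
    for rec in records:
        obj = rec["object"]
        for fname, unstructured in schema[obj]:
            value = str(rec.get(fname) or "")
            cats = classify_text(value)
            if fname in policy and value:
                cats.add(policy[fname])
            for cat in sorted(cats):
                findings.append(Finding(obj, rec["id"], fname, cat, unstructured))
    return findings


def rank_records(findings):
    """Sum exposure weights per record; highest exposure first, id as tie-break."""
    scores = {}
    for f in findings:
        scores[f.record_id] = scores.get(f.record_id, 0) + WEIGHTS[f.category]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = scan(RECORDS)
    for f in found:
        kind = "custom" if is_custom(f.field_name) else "standard"
        print(f"{f.record_id} {f.object_name}.{f.field_name} [{kind}] -> {f.category}")
    for rid, score in rank_records(found):
        print(f"remediate {rid}: exposure {score}")
```

Two design points matter more than the patterns themselves: the same classifier runs over structured fields and unstructured case text, so a card number read out in a chat transcript is caught by the same rule as one typed into a field; and custom fields are enumerated from the schema rather than hard-coded, so business-specific objects are in scope by default. In practice the schema and policy would come from the org's metadata and a governance team, and the weights from regulatory exposure rather than guesswork.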
What's in the full article
Cyera's full article covers the operational detail this post intentionally leaves for the source:
- How Cyera maps sensitive data across Salesforce objects, custom fields, and cloud-specific workflows.
- Examples of the structured and unstructured records that typically contain PHI, PCI, and other regulated data.
- The operational case for unified classification and policy enforcement across Sales Cloud, Service Cloud, and Health Cloud.
- Why fragmented tooling creates blind spots in large Salesforce estates and how teams can reduce them.