Managed Security Services in the Healthcare Industry

Oct 15, 2019

Navigating and Understanding HIPAA for MSPs

You’re a Managed Service Provider (MSP) who has always helped secure networks for commercial organizations. You're getting an itch to expand your market.

As you research more about the healthcare field, you see there's an immediate opportunity to offer your managed security services and it’s one of the most vulnerable industries for cybersecurity attacks.

You also find there are a lot of different regulations you’ll need to follow. The largest and strictest of these is the Health Insurance Portability and Accountability Act (HIPAA). HIPAA exists to protect patient confidentiality by mandating that healthcare entities put in place specific administrative, technical, and physical safeguards. This means that when you do business with a healthcare organization as an MSP, there are certain nuances you need to understand and comply with. If you don’t know how to navigate HIPAA as an MSP, you could face serious consequences, some of which may even put your entire business at risk.

HIPAA Penalties Can Be Real and Serious for MSPs

MSPs who provide cybersecurity services to any healthcare entity are required to be HIPAA compliant. The moment you sign your first healthcare client, you need to operate under that client’s regulatory requirements, including HIPAA.

If you don’t take the new responsibilities that come with serving a healthcare customer seriously, you could face massive fines that would put your entire company at stake.

That may seem like a bold statement, but the Department of Health and Human Services (HHS) may fine you up to $1.5 million per year, enough for some MSPs to have to close doors to their business.

HHS places HIPAA penalties into four tiers (via Fierce Healthcare):

  • No Knowledge of Violation (Tier 1): $100 - $50,000 per violation with a cap of $25,000 per year
  • Reasonable Cause (Tier 2): $1,000 - $50,000 per violation with a cap of $100,000 per year
  • Willful Neglect, Corrected (Tier 3): $10,000 - $50,000 per violation with a cap of $250,000 per year
  • Willful Neglect, Not Corrected (Tier 4): $50,000 per violation with a cap of $1.5 million per year

Let’s say you’re a big enough MSP to handle the first three tiers. What those tiers don’t factor in are other associated costs and reputational damages. First, from an associated cost perspective, the average expense of forming an incident response team is $360,000. That’s not even including the costs of solving the security event that led to the fine in the first place. Second, a HIPAA violation also puts your organization’s reputation on the line. Of all industries, consumers trust healthcare organizations the most to secure sensitive information.

A study published by Centrify found that 80% of consumers trust their healthcare providers to protect their information.

That much trust places pressure on MSPs working with healthcare organizations to perform at their best. When a healthcare company accepts your services, they’re trusting that you will help them keep their patients’ data secure. If you receive a fine because you weren’t following HIPAA and it goes public, you may lose up to 31 percent of your customers (Ponemon).

You’re Responsible and You’ll Have to Agree to it

When you’re in the process of landing your first healthcare client, you’ll have to sign a Business Associate Agreement (BAA). This kind of agreement is a requirement under the HIPAA Privacy Rule. A BAA ensures you understand that you’re equally responsible for patient data security. Larger entities such as hospitals or rehabs are more likely to have an IT budget for purchasing compliance technology. This makes them the safer option to go with, since there’s less risk involved. However, there are fewer of them, and they’ll more than likely partner with the larger MSP firms.

Smaller one- to two-doctor practices often won’t have funds set aside for IT, or won’t know how to divide what they have toward it. They offer a larger opportunity for you as an MSP, since there are more of them and they need help.

But there’s a higher risk associated with having smaller practices as your clients. HIPAA compliance reaches all healthcare organizations, regardless of their size. When you sign the BAA for your new, smaller healthcare practice, you’ll need to ensure they’re compliant and understand HIPAA, since you are now their trusted IT advisor.

For Data That Transmits or Sits, You Must Encrypt

Healthcare companies and Business Associates need to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI) that’s created, maintained, or transmitted.

Whatever happens to that data, whether it’s in transit or at rest, is your responsibility. HHS requires that Business Associates document all protective measures put in place for ePHI. Nowhere within HIPAA does it explicitly state that encrypting sensitive data is a requirement. Instead, the Security Rule says that organizations must put “reasonably appropriate” measures in place to protect PHI in all its formats. Although HHS uses vague terminology for what’s required to protect data, encryption is the most effective way to secure it. If an unencrypted device containing PHI gets lost, stolen, or hacked, both you and your client could face a HIPAA fine.

You’re High Tech but are you HITECH?

Although navigating HIPAA is the centerpiece of this blog, there are other regulations you’ll need to understand as a managed service provider partner. The Obama administration wrote and passed the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2013. In a nutshell, the act gives healthcare companies money for switching to digital records. HITECH helps compensate for the technologically neutral language within HIPAA. Getting money for switching to an Electronic Health Record (EHR) system should motivate everyone to switch, right? Well, thousands of doctors are still resisting this change. Around 20% of doctors still don’t have an EHR system and are sticking with paper records.

Other big changes the HITECH Act enforced:

  • Report any breach involving 500 or more patient records to the HHS
  • Reporting smaller breaches to the HHS must happen within 60 days of the end of the calendar year in which they occurred
  • Business associates for HIPAA covered entities must sign a BAA
  • The HHS must investigate breaches to determine if there are willful violations of HIPAA rules
  • The HHS cannot issue financial penalties for violations corrected within 30 days as long as it’s not willful neglect

The HITECH Act impacts HIPAA covered entities, proving that laws change. As an MSP doing business with a healthcare entity, you’ll have to stay on top of any changes within the law or you could find yourself in deep trouble.

The Budget Decreases While IT Security Need Increases

As a whole, the compliance industry is in an interesting spot in its lifecycle. The industry is facing quantitative budget cuts of nearly 64 percent. This decrease comes two years after the industry saw significant budget increases across the board.

Companies are realizing that acquiring talent who possess the skills needed to help them stay compliant is expensive. That’s good news for MSPs. The decrease in funding is accelerating the industry’s strategy towards being technology-centric. Rather than growing their team, companies want to make targeted technology investments. Finding the right compliance technology helps their team be more proactive. They can spend less time managing everything and focus on delivering risk insights.

If MSPs Master Cybersecurity, Healthcare Organizations Will Come

As a whole, the healthcare industry offers a massive opportunity for experienced MSPs. Half of all breaches tie back to a healthcare organization, yet it’s the most trusted industry to protect personal information. Hospitals are the biggest targets for cybercriminals, and there’s plenty of evidence to back that up...

The list of malicious attacks above contains healthcare entities of all sizes. It doesn’t matter how many patients, beds, or files these organizations handle. If a company works within the medical space, either directly or indirectly, it has a target on its back. Corey Kerns, Vice President and General Manager at Collabrance, stated in an interview with Etactics:

“As you look at cyberattacks, everyone’s realizing and trying to shift their focus to not only trying to prevent them but also recovering from them. You hear phrases in the industry like, ‘It’s not if but when.’”

Conclusion

Any company that goes into business or works with HIPAA covered entities is accepting a huge responsibility. Some MSPs believe there’s too much risk involved in partnering with healthcare companies. They can’t see the opportunity because of the accepted liabilities and potential for huge fines.

But the MSPs who understand how to navigate HIPAA play a vital role for their healthcare clients. They provide services that help reduce the risk to the most targeted industry in the world and help protect extremely sensitive patient health information.

If you’re an MSP on the fence about whether or not to venture into the healthcare space, consider this question: what would you do to make sure your own health information isn’t exposed? If you’d like more information on how to better navigate HIPAA, view this recent Etactics webinar:

11 HIPAA Requirements You’re Not Meeting

About The Author

Etactics Inc.

Etactics is a compliance and revenue cycle management organization committed to providing innovative, web-based solutions that improve our clients’ cash management and customer relationships. Our products and services assist our clients across various business sectors to improve business processes, boost staff productivity, reduce expenses and accelerate payment.