How You Can Become a Healthcare MSP Master
Many industries have compliance rules, but few are as strict as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
While HIPAA is a set of U.S. regulations, many countries have similar rules.
When it comes to these complex rules, healthcare companies can’t always go it alone. It helps to have a trusted partner who is expert in all things HIPAA, such as an MSP with a vertical health care focus.
The good news for MSPs is that your HIPAA expertise lets you sell services at a premium – compliance is just that important.
There are many reasons why HIPAA compliance is so critical. One, a data breach exposes patients’ confidential records. This not only breaks the trust, it is a major privacy invasion. Not only that, if the breach is somehow made public, the health care provider’s reputation is damaged.
There are also serious financial consequences. In fact, both the health care provider and their MSPs could be on the hook for fines and penalties.
Here are just a few of the fines dished out in the U.S. in recent years:
- An Idaho-based hospice lost a laptop due to theft. The fine was $50,000.
- A medical practice in Phoenix sent patient data over insecure email, and was fined $100,000.
- A pediatric practice in Massachusetts lost a flash drive and settled for a $150,000 fine
- Another stolen laptop in Boston had the doctor paying $1 million.
- And the loss of a backup drive cost the Alaska State Health Department $1.7 million.
MSPs can be on the hook because HIPAA considers them ‘Business Associates.’ In fact, it is against the law for MSPs to work with health care clients if that MSP isn’t already HIPAA-compliant themselves.
Ulistic, an MSP consultancy, published a white paper on HIPAA – “What You Need To Know About HIPAA Security”.
The paper, written by solution provider Task Networking, started at the macro level, and wrote.
“To ensure compliance with HIPAA regulations, covered entities and their business associates must:
- Document policies and procedures detailing how ePHI (electronic protected health information) will be protected
- Provide these documents to their entire staff
- Require staff be trained to ensure they understand their individual roles and responsibilities in the enforcement of HIPAA policies and procedures,” the paper said.
MSPs are also responsible for training, and here there are four main areas, the paper said:
- Password management
- Log-in monitoring
- Security reminders
- Protection from malicious software
The Noose Tightens
In 2013, the final HIPAA Omnibus rule went into effect. This meant that the entire chain of custody for medical information must be secure and compliant. The owners of the data and the MSP are responsible for data safety, whether that data is on-premises, in the cloud or at a remote backup provider’s site.
Here Are Things You Can Do Now
- Document how access control is handled. This doesn’t just include complex passwords, but who has what permissions, and how access is revoked upon an employee leaving.
- Figure out how to dispose of assets. PCs have a short life span, but the data on them can last forever. Under HIPAA, MSPs must define how they will dispose of older machines, and fully cleanse them of data.
- Have Business Associate Agreements on hand. When you work with a health care company, it is critical that you have Business Associate Agreements in place that cover what you and the client are responsible for.
- Produce a Business Continuity Plan. This plan should include how disasters are handled and business continuity maintained.
- Produce a comprehensive antimalware policy. This should describe the protections in place, and remediation steps in the event of an incursion.
- Security Training. You and your staff must be trained in all relevant HIPAA rules, especially as they pertain to specific job functions.
Kaseya and HIPAA
A Kaseya blog walked through key questions an MSP should ask a health client, including::
- Are your employees aware of the penalties that will ensue from security violations?
- Are internal penalties in place for employees who violate security procedures?
- Do all your users know what to do in the event of security incidents or issues?
- Is there a process in place to document, track, and address security issues or incidents?
- Is there someone tasked with checking all security logs, reports, and records?
- Do you have a security official in charge of a password and smart security policy?
- Have you ever undertaken a risk analysis?
Access Management and Authentication
Controlling who has access to data can go a long way in being HIPAA compliant. Single Sign-On and Multi-Factor Authentication (MFA) are key tools in keeping a lid on access to confidential information,
MFA, for instance, means that an end user validates their identity multiple ways, such as a fingerprint, or a piece of information only that user would know.