An increasing number of MSPs are finding profitability in specialization. Some niche MSPs specialize in manufacturing clients, others in accounting firms, and others find plenty of work in education and healthcare. Of course, plenty of MSPs still carry a variety of clients in their portfolio, but for MSPs specializing in the healthcare sector, there are some distinct risks and rewards.
Topping the list of risks is protected health information (PHI), which cybercriminals find to be among the most valuable, coveted data. PHI commands the highest prices on the dark web. For MSPs, cybersecurity must be at the top of their suite of services.
Healthcare is at the forefront of cyber risk
Cyberattacks in the healthcare space have been on the rise. According to Healthcare Dive, the average cost of a healthcare data breach is nearly $11 million, up 53 percent since 2020. Other research puts the rise in healthcare attacks closer to 60 percent, and the World Economic Forum calls for a zero trust model in the space.
The increase in cyber activity in the healthcare space has also prompted the government to take notice. It has become progressively more involved in healthcare cybersecurity because criminals prize the data.
For example, the lead paragraph of a new cybersecurity concept paper by the Department of Health and Human Services (HHS) states:
“The healthcare sector is particularly vulnerable to cybersecurity risks, and the stakes for patient care and safety are particularly high. Healthcare facilities are attractive targets for cybercriminals in light of their size, technological dependence, sensitive data, and vulnerability to disruptions.”
“The paper is worth a read, especially if you are an MSP in the healthcare space,” says Grant Frederick, a cybersecurity consultant in the healthcare space.
HHS continues to prioritize collaboration
The HHS has identified four key steps that could help foster cybersecurity resiliency in the healthcare ecosystem:
1. Voluntary cybersecurity goals. The healthcare cybersecurity landscape is a patchwork of laws, regulations, and executive orders. “It’s a moonscape in its current form, craters to fall in all over the place; a set of voluntary goals would at least give consistency across the board, although many think these should be mandatory, not voluntary. So MSPs in the healthcare space should begin making a set of goals,” Frederick recommends.
2. Provide resources to incentivize and implement cybersecurity practices. HHS will work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices. “These incentives would, ideally, work to entice hospitals and smaller clinics into better cyber hygiene using a system of carrots and sticks to prod them into better behavior, but MSPs would be a part of this because many medical facilities use MSPs,” Frederick explains. Incentives include increased funding or grants that could be used in various ways.
3. Implement an HHS-wide strategy to support greater enforcement and accountability. In addition to voluntary guidelines and goals, HHS will pursue more enforcement and accountability of existing rules. “This is an area where MSPs will need to be alert because penalties can land not just on the healthcare provider but also on their tech teams, so MSPs need to make sure now that all proper protocols are being followed, not wait until there is enforcement,” Frederick advises. Of course, enforcement is already occurring for some rules, such as HIPAA violations. Other, more obscure cybersecurity and private regulations generally go unenforced, however, and HHS proposes changing that.
4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity. “I was pleased to see this one because right now someone has to visit multiple government agencies and entities for answers sometimes to the most basic healthcare cybersecurity issues; being able to streamline everything so that it is all under one roof would benefit everyone,” Frederick says.
HHS has been at the forefront of working with MSPs in healthcare. “MSPs should be following HHS guidance and availing themselves of their increasing resources,” Frederick notes, adding that the resources HHS has teamed up with CISA to produce include the Joint Cyber Defense Collaborative and the advisory on Protecting Against Cyber Threats to Managed Service Providers and their Customers.
“HHS is also better than many other government agencies at promoting cybersecurity awareness; they collaborate with industry associations and organizations to raise awareness of cybersecurity threats and best practices among MSPs serving the healthcare sector,” Frederick states.
HHS enhances collaboration between MSPs and healthcare organizations on cybersecurity matters, facilitating information sharing and other joint efforts to mitigate threats. “Collaboration is key for MSPs operating in the healthcare space; knowing what is going on with others can be crucial to preventing problems,” Frederick advises.