Why It Just Got Easier to Sell Cybersecurity to Healthcare Clients

With one sentence, “Cyber safety is patient safety,” the federal government last week teed up MSPs for a massive opportunity to sell cybersecurity to healthcare organizations.

The U.S. Department of Health and Human Services’ (HHS) new voluntary healthcare-specific cybersecurity performance goals, released January 24, stress that “cyber safety is patient safety,” which opens the door wide for MSPs to pick up the phone this week and schedule an ad hoc technology business review (TBR) with healthcare clients and prospects, according to Jon DePerro, chief compliance officer at Vector Choice, an MSP headquartered in Atlanta, and VisibilityMSP, a white glove cybersecurity and compliance service for MSPs.

Why? Because that sentence “should scare the hell out of everybody in the healthcare industry,” says DePerro, who has over two decades in security and risk management, including in the U.S. Army where he served as a counterintelligence special agent. 

“Show that to a doctor. Show that to his malpractice insurance company. Show that to his attorney. They’re going to have a very visceral response to that statement,” he says.

HHS Signals A Shift

The new HHS goals signal a shift, he explains. “Health and Human Services is telling these doctors, ‘This is the minimum, this is the preferred … This is a new industry best practice.’”

That makes it an opportune time to revisit the cybersecurity conversation with reluctant spenders. “What do we look for when we’re selling cybersecurity to people who have not been buying it?” asks DePerro. “I look for a change. A change in their business, a change in the threat, a change in the landscape. This is a change.”

Notifying clients and prospects about this change is an MSP’s job, he stresses, especially if you’re selling to small practices. “What kind of business partner are you if you are not proactively reaching out to your client saying, ‘This is what Health and Human Services is saying. You don’t do it.’”

Two Tiers Of Cybersecurity

HHS categorizes the healthcare and public health sector-specific cybersecurity performance goals into Essential and Enhanced, both of which are in an MSP’s wheelhouse, DePerro says.

The Essential Goals provide a base level of safeguards to better protect healthcare organizations from cyberattacks, improve response times when security incidents occur, and minimize residual risk. They include: mitigate known vulnerabilities, email security, multifactor authentication, basic cybersecurity training, strong encryption, credential revocation for departing workforce members (including contractors), basic incident planning and preparedness, unique credentials, separate user and privileged accounts, and vendor/supplier cybersecurity requirements.

The Enhanced Goals are designed to help healthcare organizations mature their cybersecurity capabilities and reach the next level of defense. These include: asset inventory; third-party vulnerability disclosure; third-party incident reporting; cybersecurity testing; cybersecurity mitigation; detect and respond to relevant threats and tactics, techniques, and procedures (TTPs); network segmentation; centralized log collection; centralized incident planning and preparedness; and configuration management.

MSPs, courtesy of the federal government, now have the opportunity to expand their services to virtual CISO or CSO, DePerro says, pointing out that cybersecurity extends beyond IT to medical devices and equipment.

For instance, he says, “Do you manage their logins for their electronic health records system? Do you manage the login for the X-ray machine? Are you sure every nurse in the office doesn’t have the exact same password for the MRI, and the password is password? When you peel back this onion, that’s a lot.”

Of course, he says, “I do not expect an MSP to manage the X-ray machine. That’s not what you do. There’s a company that does that, right? What I do expect is the MSP to coordinate with them to make sure every user has unique credentials…. like a chief security officer would do.”

Be The Expert, Not The Salesperson

To capitalize on this opportunity, DePerro advises that MSPs should first read the HHS recommendations and know them inside and out. Then compare the Essential and Enhanced goals to your current service offering to determine what additional services you can add to your portfolio. Finally, schedule a meeting to discuss with your clients and prospects why they are or are not meeting these goals, and what their next steps should be.

“Don’t be the sales guy,” DePerro advises. “Be the industry expert who says, ‘This is what state of the art is. This is what best practices are. This is what the government is telling you is a minimum. They use the word essential, and you don’t do it.’”

Discuss why this is the new norm and where they can expect the industry to move to. Waiting until lawsuits start to drop means the “catch-up spend is going to be massive” for practices that are reluctant to spend on cybersecurity now, DePerro says.

Small practices in particular are going to need an MSP partner, he says.

A good on-ramp would be to focus on helping them meet the HHS’ Essential goals in 2024, and then look toward the Enhanced goals for 2025.

“Make spend predictable,” DePerro suggests. “Make the bad guy the government, because that’s an easy bad guy. ‘I’m not telling you you’ve got to spend more money. The federal government, your insurance company, your credit card [company], everyone on the planet is telling you, you are not doing enough. Let’s do the minimum this year and then let’s get on the road to do the rest next year.’”

That’s the kind of partner small business practices want, DePerro says.

Finally, all your healthcare clients and prospects know—or should know—that a major update to HIPAA is coming at some point in the near future. HHS’ new cybersecurity performance goals are likely an indicator of what to expect, in DePerro’s opinion. “I would be stunned if this is not a precursor to what they’re looking to move to.”

Until then, he says, there are “massive opportunities right now.”

For more on the standards and regulatory bodies (and tips to deal with them) that MSPs need to know about, go here.

ABOUT THE AUTHOR
Colleen Frye is executive editor of MSP Success. A veteran of the B2B publishing industry, she has been covering the channel for the last 17 years.
