Use HIPAA Developments As A ‘Gateway Drug’ To Selling vCISO Services

For the second time in a month, the federal government has given MSPs a compelling talking point to sell advanced security services to healthcare clients and prospects so they will be HIPAA compliant.

On February 14, NIST released a revised cybersecurity resource guide for the HIPAA Security Rule. This came on the heels of January’s new voluntary healthcare-specific cybersecurity performance goals from the U.S. Department of Health and Human Services.

Two major publications telling your healthcare clients they need to fix their cybersecurity—and how to do it—coming out within a month of each other is not a coincidence. I spent a career in the federal government, in the army. I don’t believe in coincidence. They’re giving healthcare organizations time to get things fixed.

If you’re not having a discussion with your clients and prospects about how they are securing their patients’ electronic protected health information (ePHI) to be HIPAA compliant, your competitors will be!

Here’s the talking point around the February 14th release of the NIST Cybersecurity Resource Guide: There’s something new that didn’t exist the last time we spoke. And you need to see this because this is changing your industry.

Now, it’s no longer you, the MSP, trying to sell the cybersecurity solutions you’ve been recommending for the last year, two years, or longer. You’re acting as their trusted adviser, updating them on why they need to reassess their security posture.

Start By Looking Internally

Before you even have this discussion with your healthcare customers or prospects, look internally. Use this Cybersecurity Resource Guide as a framework to make sure you’re HIPAA compliant. Regulated entities that must comply with the HIPAA Security Rule include healthcare providers, health plans, healthcare clearinghouses, and business associates—THAT’S YOU! You need to be compliant yourself if you want to market to healthcare companies.

Start reading. This resource guide can help you with all the definitions you may not understand. It offers step-by-step advice on how to provide HIPAA Security Rule compliant IT services.

By going through the process yourself, you’ll learn how long it takes, what tools you need, who on your staff is good at certain things, and what documented policies and procedures you need to have.

More importantly, you will understand how to price your compliance services properly and profitably—you won’t be under- or overpricing. Pricing can be very hard to nail down if you’ve never done it before.

Use HIPAA Compliance As Your Value Proposition

Now you’ve got a unique value proposition—a reason why Dr. Bob the dentist will choose your MSP services over a competitor without HIPAA experience.

When you meet with Dr. Bob, pick a salient point or two from the resource guide to bring to his attention. For example, take security incident procedures. Walk him through what’s recommended for an incident response plan, what needs to be accounted for, what needs to be documented, who needs to be accountable, and what reports they may need to produce for the attorney general. It’s a great way to get your customer, in this case Dr. Bob, to say, “No one on my team can do that.”

Your response should be, “So if it’s not your team, do you want it to be my team?”

That’s the “gateway drug” to vCISO or full managed services.

Since you’ve already done the math by going through the compliance process yourself, you can now confidently tell Dr. Bob how much per seat your services will cost.

If Dr. Bob needs more incentive, remind him that if his practice takes credit cards, the credit card companies are requiring similar security measures to meet PCI DSS compliance guidelines.

Focus On Risk Management, Not Tickets

The federal government has opened the door for you to refocus your QBRs with your healthcare clients. Instead of talking about how many open tickets you had last month, tell Dr. Bob about the latest HIPAA developments and how they are going to fundamentally change his practice’s IT systems over the next year or so.

The biggest takeaway for your MSP business? We’re just at the beginning of the compliance opportunity. The time to get on board is now.



Jon DePerro

Jon DePerro is chief compliance officer at Vector Choice, an MSP headquartered in Atlanta, and VisibilityMSP, a white glove cybersecurity and compliance service for MSPs.
