This article was written by guest contributor Chris Henderson, who runs threat operations and internal security at Huntress.
For small and midsized businesses (SMB) in healthcare, the once simple prospect of cybersecurity has turned into an all-consuming threat. Just 15 or so years ago, a small chain of dentist offices could add a firewall with some new passwords and feel pretty safe. Today is a different story. Worst of all, increasing cybersecurity demands create headaches that many of these small, productive businesses are ill-equipped to address while juggling patients, paperwork, and processes.
MSPs have a significant opportunity to provide a remedy for what’s ailing healthcare SMBs. It’s certainly not a one-size-fits-all prescription; those days are long past. Luckily, there are some relatively consistent practices MSPs can implement to help healthcare SMBs position themselves for better cybersecurity and simpler operations for the long term.
Headache No. 1: Downtime
Healthcare organizations, by and large, have some of the lowest tolerance for downtime. Something malicious like a ransomware attack can take a healthcare SMB’s systems offline for days, weeks, or (frighteningly) longer. MSPs need to help these organizations get a business continuity and disaster recovery (BCDR) plan in place now to respond to or recover from a cyberattack, as well as other interruptions like natural disasters or long-term outages. Test and review the BCDR plan regularly with your clients, including tabletop exercises and in-depth reviews of technical recovery procedures. Business continuity is more than just a “restoration plan” for technologies. It ensures that there are non-technical fallbacks for the critical processes that healthcare organizations rely on.
Headache No. 2: Slowdowns
Security business practices often trade convenience for security, but for fast-paced healthcare settings, the duty of care rules all. This makes healthcare far more sensitive to sluggish trade-offs made in the name of better cybersecurity. MSPs should take a “slow and steady” approach to change management for healthcare clients. Rolling out controls should be done slowly, ensuring adoption and wide understanding of the new processes.
This measured approach, while not as in line with aggressive prescriptions that can work in larger enterprises, is going to be ideal for healthcare organizations that need to focus on patient care as their primary concern.
Headache No. 3: Targeted Cyberattacks
Attackers know that healthcare organizations are often some of the easiest targets. They’re easier to breach and often quicker to pay the ransom that gets them back in operation. As an MSP, you should be using an active threat modeling practice with your clients. This means tapping into the top industry threat reports and modeling those threats against your clients.
By gradually adapting your healthcare SMB clients to combat the chief risks faced in an evolving cybersecurity landscape, you can fortify them against the most likely vectors for attack. Allowing your clients to participate in threat modeling exercises will not only increase their understanding of threats but also offer context for the controls they are implementing.
Headache No. 4: Third-Party Risk
Healthcare is consolidating rapidly, with large healthcare systems quickly absorbing smaller chains and introducing untold new variables of vulnerability. This generally will increase their recovery time in the event they face a security incident.
It may not be possible for MSPs to control every risk that comes with consolidation, but it is critical to work with your clients to understand which business applications have the least fault tolerance. Spend the time during procurement to ask questions about mergers and acquisitions in the past year and seek to understand how the existing products are still being maintained and supported.
Defending Healthcare SMBs Means Deep MSP Involvement
Healthcare SMBs bring with them a unique level of vulnerability that requires an adaptive, data-driven, and scalable approach. The great news is, MSPs are uniquely positioned to do just that. By partnering with your healthcare SMB clients and providing education, guidance, and accessible solutions, you can build a solid foundation that will defend your healthcare clients against the threats they face today and the ones to emerge in the future.
For more ways to keep your clients safe, learn how default secure configurations can keep your clients safer.