Healthcare cybersecurity concerns are rising. The number of reported healthcare data breaches has increased from 199 in 2010 to 365 in 2018 — a rate of one per day. Still, according to Black Book’s State of Healthcare Cybersecurity Industry 2018 User Survey, 4 percent of hospitals do not have an IT security executive, 57 percent say their teams aren’t aware of the types of cybersecurity solutions available to them, and 29 percent don’t have ways to discover an attack instantly. Black Book also found that almost a quarter of healthcare organizations outsource IT security.
Security as a Service Drivers in the Healthcare Vertical
Mike Nobers, Director, Global Channel Sales for Infosec, says there are several reasons healthcare providers from large healthcare systems to small physicians’ practices are outsourcing cybersecurity. “Security isn’t a healthcare provider’s primary focus. Their job is to take care of people. They look to managed security service providers (MSSPs) to be security experts,” he says. An MSSP can function as a healthcare organization’s virtual CISO, using their knowledge of the threat landscape, the range of available security products, and experience working with other clients to deploy the best solutions to protect them.
Other factors in a healthcare provider’s decision to outsource IT security could include:
- Budget: Healthcare organizations are constantly trying to make the best use of their resources. Using an MSSP’s services can be a cost-effective way to address cybersecurity, rather than hiring in-house staff.
- IT security talent shortage: If a healthcare organization does choose to hire security professionals, the next hurdle is finding them. The IT talent shortage, especially in the area of security, continues, and demand far exceeds supply.
- Regulatory compliance: Healthcare is strictly regulated. “Think of all the people that touch a hospital — insurance providers, Medtech vendors, consumer payments that need to be compliant with PCI — healthcare providers want to go to an MSSP to find out where they meet requirements for compliance and where they don’t,” Nobers says.
- Support as they scale: Hospital acquisitions are common, but, from a security standpoint, they require new ways to manage solutions. Nobers says, “It may be easier to have a provider take on the project and standardize security protocols.”
Step One: Educate Yourself and Your Team
There’s little doubt that there is a market for Security as a Service in healthcare and other verticals, but it’s not always clear how to build an effective offering. Nobers says MSPs often come to Infosec looking for advice on how to begin. “They know they’ve lost business or will lose business if they don’t know the nuts and bolts of security,” he says. “The first step is to learn.”
MSPs need to expand their focus beyond firewalls and antivirus to a broader scope: managing security in the cloud, on mobile devices, and at the application level, and raising users' security awareness.
Although partnering with a vendor can provide you and your team with opportunities to learn, Nobers says a vendor may teach around their products, giving you only a limited view of the security space. It’s vital to take a broader view — and to learn about all security solutions that are available.
Nobers says MSPs have busy schedules and may struggle to find the time for security education and research. He points out, however, that self-paced online courses are available, and they’re well worth the time. “If a member of your team is in a meeting with a client who asks about security, and they respond that your company doesn’t have the expertise to quote the project, you’re already disqualified,” he points out.
Encouraging your team to expand their security expertise can also keep employees engaged and improve retention.
Don’t Reinvent the Wheel
Nobers also advises MSPs who want to learn more about offering Security as a Service to look into memberships in industry organizations such as The ASCII Group and HTG. “For someone new to security, you get a lot of value from joining. Not only are certifications cheaper, but you also have networking opportunities,” he says. “And you can attend events to hear MSPs from different parts of the country explain how they approach security and how they pitch their plans.”
Specifically, to provide Security as a Service to healthcare, Nobers says there are experienced, reputable vendors who offer HIPAA security risk assessments or other relevant services. “You could form a partnership and find a missing piece of the puzzle to get started,” he says. “It can benefit you both. You bring them clients and they’re helping you.”
It’s Not a Transition. It’s an Addition.
Nobers comments that there’s some underlying fear when MSPs look at “transitioning” to the role of MSSP. “They’ve been around for 10 years or more, and they have the IT side down,” he says. “But there’s no reason to give up core services. Becoming an MSSP is about adding the security side.”
“It will help with existing clients. You’ll just take a different approach to how you protect them. It’s the best of both worlds,” he says. “It’s vital to your clients and vital to your business.”