Healthcare cybersecurity concerns continue to rise. Becker’s Health IT finds that reported healthcare breaches increased by 19 percent from 2020 to 2021, from 758 to 905, and the number of people whose protected health information was exposed due to a data breach increased by 10 percent in 22 U.S. states. In response to these trends, healthcare organizations are increasing their cybersecurity spending. Allied Market Research reports that the healthcare cybersecurity market will grow from $12.85 billion in 2020 to $57.25 billion in 2030, a 16.3% CAGR. And some of that spend will be on Security as a Service solutions.
Security as a Service Drivers in the Healthcare Vertical
Mike Nobers, Director, Global Channel Sales for Infosec, says there are several reasons healthcare providers, from large healthcare systems to small physicians’ practices, are outsourcing cybersecurity. “Security isn’t a healthcare provider’s primary focus. Their job is to take care of people. So they look to managed security service providers (MSSPs) to be security experts,” he says. An MSSP can function as a healthcare organization’s virtual CISO, using their knowledge of the threat landscape, the range of available security products, and experience working with other clients to deploy the best solutions to protect them.
Other factors in a healthcare provider’s decision to outsource IT security could include:
- Budget: Healthcare organizations are constantly trying to make the best use of their resources. Using an MSSP’s services can be a cost-effective way to address cybersecurity compared with hiring in-house staff.
- IT security talent shortage: If a healthcare organization does choose to hire security professionals, the next hurdle is finding them. The IT talent shortage, especially in security, continues, and demand far exceeds supply.
- Regulatory compliance: Healthcare is strictly regulated. “Think of all the people that touch a hospital — insurance providers, Medtech vendors, consumer payments that need to be compliant with PCI — healthcare providers want to go to an MSSP to find out where they meet requirements for compliance and where they don’t,” Nobers says.
- Support as they scale: Hospital acquisitions are common, but, from a security standpoint, they require new ways to manage solutions. Nobers says, “It may be easier to have a provider take on the project and standardize security protocols.”
Step One: Educate Yourself and Your Team
There’s little doubt that there is a market for Security as a Service in healthcare and other verticals, but it’s not always clear how to build a compelling offering. Nobers says MSPs often come to Infosec looking for advice on how to begin. “They know they’ve lost business or will lose business if they don’t know the nuts and bolts of security,” he says. “The first step is to learn.”
MSPs need to expand their focus beyond firewalls and antivirus to address a broader scope, including managing cloud security, mobile devices, and applications. They also need to raise users’ security awareness.
Although partnering with a vendor can provide you and your team with opportunities to learn, Nobers says a vendor may teach around their products, giving you only a limited view of the security space. So it’s vital to take a broader perspective and learn about all available security solutions.
Nobers says MSPs have busy schedules and may struggle to find the time for security education and research. However, he points out that self-paced online courses are available, and they’re well worth the time. “If a team member is in a meeting with a client who asks about security, and they respond that your company doesn’t have the expertise to quote the project, you’re already disqualified,” he says.
Encouraging your team to expand their expertise in security may also provide your business with the benefits of keeping employees engaged and improving employee retention.
Don’t Reinvent the Wheel
Nobers also advises MSPs who want to learn more about offering Security as a Service to look into memberships in industry organizations such as The ASCII Group. “For someone new to security, you get a lot of value from joining. Certifications are cheaper, and you also have networking opportunities,” he says. “And you can attend events to hear MSPs from different parts of the country explain how they approach security and pitch their plans.”
For MSPs that specifically want to provide Security as a Service to healthcare, Nobers says there are experienced, reputable vendors who offer HIPAA security risk assessments or other relevant services. “You could form a partnership and find a missing piece of the puzzle to get started,” he says. “It can benefit you both. You bring them clients, and they’re helping you.”
It’s Not a Transition. It’s an Addition.
Nobers comments that there’s some underlying fear when MSPs look at “transitioning” to the role of MSSP. “They’ve been around for 10 years or more, and they have the IT side down,” he says. “But there’s no reason to give up core services. Becoming an MSSP is about adding the security side.”
“It will help with existing clients. You’ll just take a different approach to how you protect them. It’s the best of both worlds,” he says. “It’s vital to your clients and vital to your business.”