MSPs Selling Regulated Industries Expertise
Demand is high for managed services providers in the complex verticals, but the potential for stiff penalties poses risks.
As governments tighten rules surrounding the handling of sensitive consumer data, managed services providers (MSPs) are increasingly on the front lines, navigating the myriad laws and policies, and playing key roles in keeping the information secure.
From hospitals and doctors' offices to banks, credit unions and retail shops, organizations in these regulated industries are leveraging the knowledge and experience of MSPs to set up and manage compliant IT environments.
The growing demand is creating new opportunities for MSPs that are able to invest in meeting the requirements and willing to accept the risks to treasure and reputation if something goes wrong.
“MSPs that are working in regulated industries are having to deal with a lot of other things that are above and beyond handling managed services,” said Eduardo Don, CEO of Lumen21, which provides managed services to firms in the regulated verticals of healthcare and financial services.
During the MSPWorld Spring Conference, held this week in Orlando, Fla., regulated industries were identified as a growth market for MSPs.
Technology attorney Robert Scott said during a public policy discussion that MSPs with expertise in a regulated vertical experienced higher valuations than their counterparts during mergers and acquisitions.
“We need to start shifting our perceptions of what our role is from keeping people working, to keeping people working in a legally compliant manner,” Scott said, according to an article in TechTarget.
Successfully selling managed services in regulated industries can require more time, money and effort than working with other types of clients.
Lumen21 is among the MSPs with a dedicated compliance and security department, charged with staying on top of every arcane aspect of regulatory regimes, like the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry (PCI) Data Security Standard, and any number of others.
When Lumen21 set out to design HIPAA-compliant environments for customers in its healthcare vertical, the firm’s compliance staff worked with engineers to design a protocol based on minimum standards from HITRUST (pronounced “hi-trust”), a third-party organization that advocates for improved healthcare IT security.
HITRUST then reviewed the completed solution and certified that Lumen21’s approach was HIPAA compliant.
Not all HIPAA-regulated organizations are as rigorous.
“There are people out there selling policies and procedures on the Internet,” Don said. “And there are clients out there buying them off the Internet and printing their names on them.”
Employing slipshod compliance strategies carries substantial risk. In addition to the reputational damage of a significant data breach, criminal and civil penalties can reach $1.5 million.
Following a successful hack, investigators from the U.S. Department of Health and Human Services descend on the victim organization to determine whether it followed the law, had appropriate policies, and whether those policies were accompanied by procedures that demonstrate appropriate care.
Were passwords sufficiently strong? Was the IT environment properly designed and segregated? Was there anti-malware protection? Do employees receive regular training on how to avoid phishing scams? Are staff members held accountable for poor security practices?
“What they’re looking for is, ‘was your environment conducive to this type of breach?’” Don said. “You want to show that you’re constantly trying to be vigilant.”
HIPAA laws require that MSPs with access to personal health information sign Business Associate Agreements (BAA) with the client. The BAA ensures that all those who handle sensitive information are accountable for the security of records.
Diligent MSPs should take an active role in encouraging clients in regulated industries to keep policies updated and make certain that procedures are being meticulously followed.
“Compliance is a process,” Don said. “It involves the infrastructure … it involves the clients’ policies and procedures. It’s a collaboration.”