Sophos: Processes, Policies Critical in Health Care Security

Clients in the health-care vertical can be either the best or the worst, depending on who is making the decisions.

A lot of MSPs get nervous when working in a HIPAA (Health Insurance Portability and Accountability Act) environment, which is understandable considering that the levels of security demanded by HIPAA are becoming harder and harder to meet and maintain. But, as provider inRsite IT Solutions (No. 443 on the 2018 MSP 501) puts it, as long as the proper processes and policies are in place and enforced, supporting medical clients can be as easy as counting backward from 10.

inRsite’s John Watkins

Unfortunately, there are those who flat out refuse even the most basic security policies, even something as simple as having a workstation lock when not in use. These tend to be smaller practices and clinics where the physician is also the manager and is unable (or unwilling) to look past the cost or slight inconvenience the security policies entail.

“Even with the near-constant news stories about data breaches and the massive fallout that comes after, they can’t seem to shake the ‘it won’t happen to me’ line of thought,” says John Watkins, vice president and chief operating officer at inRsite.

As highlighted in the results of Sophos’ State of Endpoint Security Today survey, health-care services are a top target for today’s cybercriminals looking to access high-value data. Scott Barlow, vice president, global MSP at Sophos, says health-care businesses are also perceived by adversaries as being soft targets for cyberattacks, as many have aging IT infrastructures and restricted resources for improving IT security. As a result, a growing number of health-care organizations are looking to MSPs to protect them from the mass amounts of attacks aimed at businesses in the industry.

Sophos’ Scott Barlow

“Now more than ever, it’s critical that MSPs partner with a next-generation security vendor that provides security solutions in tandem with hands-on technical trainings and initiatives that give them a thorough understanding of security trends and the threat landscape so they can serve as a trusted adviser to their clients,” says Barlow. “For example, we ensure our MSP partners have access to a constant flow of security knowledge from Sophos security experts and real-time threat intelligence from SophosLabs to help them better protect their customers and be more knowledgeable about the products they are selling.”

Sophos is doing it right by making quality technical training available for their products, inRsite says. This is a critical step in the security process and should be a core focus.

Along those same lines, having robust best-practices documentation is a must.

“It is one thing to know all the features of a program, firewall or switch, but especially with newer L1 techs, having a step-by-step standard operating procedure (SOP) on how to set up basic features is a huge help,” says John Watkins.

One thing is for sure — security in the health-care sector is vital. What’s at stake needs to be clear, and proper systems must be implemented. Don’t let clients bury their heads in the sand. Or vendors for that matter. MSPs have the answers.