HHS Cybersecurity Mandate: A Golden Opportunity for MSPs – Managed Services Journal


MSPs that have unsuccessfully implored their existing and potential healthcare industry clients to address cybersecurity shortcomings now have new ammunition for their pitches—supplied by the Department of Health and Human Services (HHS). The HHS recently introduced new Healthcare and Public Health (HPH) cybersecurity performance goals (CPGs) designed to guide healthcare organizations’ pursuit of modern cybersecurity best practices.

The HPH CPGs (how's that for an acronym mouthful) are built on the Cybersecurity & Infrastructure Security Agency's (CISA's) cross-sector cybersecurity performance goals, along with NIST guidance and other major cybersecurity frameworks. The guidance also takes into account the findings of the 2023 Hospital Cyber Resiliency Landscape Analysis, adding goals that target the attack vectors most commonly used against healthcare organizations in recent incidents.

The MSP Opportunity

If MSPs could only quote five words from the HPH CPGs to break through to healthcare technology and business leaders unmotivated to take their cybersecurity obligations seriously, these do the job: “Cyber Safety is Patient Safety.” Anyone doing business in this industry should have a deep, instinctive reaction to seeing the government define cyberthreats as direct threats to patient outcomes. Those businesses’ insurance companies, financial backers, and attorneys will have similarly attentive reactions.

This is an opportunity for MSPs to pick up the phone and deliver an important message. The HHS has something new to say: there are updated cybersecurity best practices for our industry, and failing to meet these performance goals is no different from putting patients in jeopardy. As a current or potential partner to businesses that are out of step with industry best practices, MSPs have a mandate to reach out and make the case for treating cybersecurity with the gravity the HHS recommends.

Leverage the HPH CPGs’ Essential and Enhanced Goals

MSPs can tout their capabilities to align clients with the practices prescribed by the HPH CPGs at both the Essential and Enhanced tiers. The Essential goals now recommended by the HHS cover cybersecurity fundamentals: strong encryption, access control (tiered permissions, unique and secure credentials, multifactor authentication, and prompt revocation of access when staff leave or roles change), email security, mitigation of known vulnerabilities, basic incident planning and response, and employee security training.

Goals under the Enhanced heading take cybersecurity a step further, defining mature best practices that include asset inventorying, active cybersecurity testing and mitigation, third-party vulnerability disclosure and incident reporting, and the ability to detect and respond to relevant threats and tactics, techniques, and procedures. Enhanced Goals also call for network segmentation, centralized log collection, centralized incident planning and preparedness, and configuration management.

This tiered structure is perfect for MSPs' positioning. In your approach to current and potential clients, make it clear that the impetus to adopt these measures isn't coming from you. The government now emphasizes that cybersecurity is inseparable from patient safety, and it labels as "essential" the very measures the business you're engaging with is missing. You're not there to sell but to help.

To be most successful, MSPs must become fluent in the HPH CPGs. They also need to map the capabilities of their current tools to specific goals and then add tools where necessary to cover the remaining CPGs. Using comprehensive, MSP-friendly tooling built for compliance can simplify and speed up this process. For example, we use the cloud-managed data security tool BeachheadSecure because it alone fulfills 76% of the requirements of the NIST Cybersecurity Framework on which the CPGs are based (and which is increasingly the de facto standard across industries).

An MSP's goal should be to have two packages on hand: one that enables clients to meet 100% of the Essential CPGs and a more intensive package that meets 100% of the Enhanced goals. Taking that tack gives MSPs the flexibility to manage and mitigate risk exactly as they see fit. That flexibility is especially valuable for MSPs acting as the virtual security leadership (the vCISO role) that smaller healthcare businesses lack but need. For example, medical devices and equipment outside the standard IT purview present security concerns that the CPGs cover. While MSPs aren't directly managing the strength of passwords on specialized machinery, acting as a functional vCISO that coordinates with the device vendors and other technology partners and holds them to those cybersecurity practices is an extremely valuable service right now.

Meet Clients Where They Are

Approach current and potential clients by specifying the areas where they currently meet and fall short of the government's goals, and offer your (at this point very informed) opinion on the right path to closing those gaps. Be precise about the regulatory status: the CPGs as published are voluntary guidance, but HHS has said it intends to move the industry in this direction through future rulemaking, likely including updates to the HIPAA Security Rule. Investing in cybersecurity now will be far more efficient than playing catch-up when enforceable requirements, or legal action after a breach, force new practices.

Use the two-tier Essential and Enhanced CPGs to define a clear path forward for businesses, keeping spending predictable and in check. For example, structure an implementation plan that meets the Essential goals this year and the Enhanced goals after. Again, it's not you; the government and the clients' insurers and banks need to see cybersecurity practices aligned with these goals.

Make Your Pitch Now

Small and medium-sized healthcare and public health businesses need a strong ally to navigate the latest evolutions and rising expectations in cybersecurity practices. For MSPs ready to make the most of this moment, there’s a tremendous opportunity to introduce yourself as that partner these businesses now require.
