A group of healthcare IT professionals has told the United States Congress that merely complying with HIPAA does not necessarily lessen the chances of a data breach, and that relying solely on HIPAA compliance may actually increase the chances that an organization suffers one.

Laws vs. Standards

Looking beyond the limited scope of healthcare IT, at issue is whether following a law is sufficient to keep individuals and organizations safe from cybersecurity risk. To date, the managed services profession has not engaged in this discussion, but I believe it is time that we do.

There is a difference between being compliant with a law and being well protected against cyber intrusions. As odd as this may sound, merely following a law does not make you safe. Following a security standard or best practice will do more to ensure safety and security than becoming compliant with a law, because a law sets a minimum baseline that is fixed at the time it is written, while standards and best practices change as threats change.

Breach vs. Guilt

When determining whether an MSP (and its customer) is to blame for a data breach or cybersecurity incident, I believe MSPs need to architect a new standard, one that evaluates the measures taken to prevent the incident rather than the outcome alone.

For example, I believe there is an inherent bias against MSPs and internal IT departments: whenever there is a breach, they get blamed. There are legitimate cases where blame should be placed, but there are also situations where a breach has occurred and the MSP should not be blamed. I can think of several scenarios where the MSP offers to deliver a service, the customer declines, and that decision leads to a breach or other failure.

After Hurricane Katrina, it was common to hear stories of MSPs being asked to help companies that had declined to back up their data, only for those companies to discover that conducting business without current data can be quite challenging. There are also cases where a breach or malware infection occurs solely because of the behavior of the customer's own users. In such situations, the MSP cannot reasonably be expected to indemnify the customer against its own users' bad behavior.

It is now time for MSPs to stand up and help create a reasonable standard for IT accountability. Such a standard should be distinct from any law that claims to reach the same goal.
