A group of healthcare IT professionals has told the United States Congress that merely complying with HIPAA won’t necessarily lessen the chances of a data breach and that solely relying on HIPAA compliance may increase the chances of an organization suffering a data breach.

Laws vs. Standards

Looking beyond the limited scope of healthcare IT, at issue is whether following a law is sufficient to keep individuals and organizations safe from cybersecurity risk. To date, the managed services profession has not engaged in this discussion, but I believe it is time that we do.

There is a difference between being compliant with a law and being well protected against cyber intrusions. As odd as this may sound, merely following a law does not make you safe. Following a standard or best practice will do more to ensure safety and security than becoming compliant with a law.

Breach vs. Guilt

When determining whether an MSP (and its customer) is to blame for a data breach or cybersecurity incident, I believe MSPs need to architect a new standard, one that evaluates the measures taken to prevent the incident rather than the outcome.

For example, I believe there is an inherent bias against MSPs and internal IT departments: whenever there is a breach, they get blamed. There are legitimate cases where blame should be placed, but there are also situations where a breach has occurred and the MSP should not be blamed. I can think of several scenarios where the MSP offers to deliver a service, the customer declines, and a breach or other failure follows.

After Hurricane Katrina, it was common to hear stories of MSPs asked to help companies that had declined to back up their data, only to find that conducting business without current data can be quite challenging. There are also cases where a breach occurs, or the customer suffers a malware attack, solely because of internal user behavior. In such situations, the MSP cannot indemnify the customer against bad behavior.

It is now time for MSPs to stand up and help create a reasonable standard for IT accountability. Hopefully, such a standard will be distinct from any law claiming to reach the same goal.

Tags: cybersecurity, data breach, MSPs, Security
