A group of healthcare IT professionals has told the United States Congress that merely complying with HIPAA won’t necessarily lessen the chances of a data breach and that solely relying on HIPAA compliance may increase the chances of an organization suffering a data breach.
Laws vs. Standards
Looking beyond the limited scope of healthcare IT, at issue is whether following a law is sufficient to keep individuals and organizations safe from cybersecurity risk. To date, the managed services profession has not engaged in this discussion, but I believe it is time that we do.
There is a difference between following and being compliant with a law, and being well protected against cyber intrusions. As odd as this may sound, merely following a law does not make you safe. Following a standard or best practice will do more to ensure safety and security than becoming compliant with a law.
Breach vs. Guilt
When determining whether an MSP (and its customer) bears blame for a data breach or cybersecurity incident, I believe MSPs need to architect a new standard, one that evaluates the measures taken to protect against the incident rather than the outcome.
For example, I believe there is an inherent bias against MSPs and internal IT departments; whenever there is a breach, they get blamed. There are legitimate cases where blame should be placed, but there are also situations where a breach has occurred and the MSP should not be blamed. I can think of several scenarios where an MSP offers to deliver the service, but the customer declines, leading to a breach or other failure.
After Hurricane Katrina, it was common to hear stories of MSPs asked to help companies that had declined to back up their data, only to find that conducting business without current data can be quite challenging. There are also stories where there is a breach, or the customer suffers a malware attack, solely because of internal user behavior. In such situations, the MSP cannot indemnify the customer against bad behavior.
It is now time for MSPs to stand up and help create a reasonable standard for IT accountability. Hopefully, such a standard will be distinct from any law claiming to reach the same goal.