In a world where people are more dependent on technology but lack the expertise to manage their own networks and systems effectively and efficiently, they turn to Managed Service Providers (MSPs). CISA has released a guide, Risk Considerations For Managed Service Provider Customers, that outlines risk considerations organizations need to consider when they partner with a MSP. We will cover this in today’s episode and we are making a big announcement that you’ll want to hear.
In this episode:
Insights for Customers of MSPs – CISA – Ep 324
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!
HIPAA Say What!?!
[07:55] Here is a story we found on DataBreaches.net about a nurse who worked at several rehab facilities in the Tempe, AZ area and was stealing identities from patients to lease apartments, buy a $19,000 car, buy $2600 worth of wigs and much more. Clearly, these facilities had an insider problem that needs addressing.
Tempe nurse assistant stole patient identities to open bank accounts, lease apartments, police say
[14:00] Don’t Forget…. It’s National Cybersecurity Awareness Month.
Do Your Part. #BeCyberSmart.
Check out the list of Cybersecurity Awareness Month events and participate in helping everyone #BeCyberSmart
Insights for Customers of MSPs – CISA
[15:25] The Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security published a document called Risk Considerations For Managed Service Provider Customers. This document isn’t geared towards MSPs (well, not directly anyway), but towards their customers. It was put together to aid organizations in making informed IT service decisions. Basically, this guide provides risk considerations for MSP customers when they outsource IT services to MSPs. MSP customers need to understand that even though they are outsourcing to an MSP, they are still taking on a business risk, even as the arrangement helps mitigate other risks to the organization.
Here is a PDF version: CISA Insights: Risk Considerations for Managed Service Provider Customers
What is it?
This CISA Insights guide provides a framework that government and private sector organizations (including small and medium-sized businesses) outsourcing some level of IT support to MSPs can use to better mitigate third-party risk.
It has three sections aimed towards different audiences:
- Strategic Decision Making – for senior executives and boards of directors
- Operational Decision Making – CIOs, CISOs, COOs, Chief Risk Officers, etc.
- Tactical Decision Making – network administrators, systems administrators and front-line cybersecurity staff
Strategic Decision Making
One of the biggest key points is that outsourcing IT services does not absolve executives of risk management responsibilities. Organizations can’t just say “Oh, IT’s got that.” And MSPs can’t just say “Oh, don’t worry. I got that.” It is a shared responsibility.
[24:34] Who’s responsible for security and operations when outsourcing IT services to an MSP? Again, it is a shared responsibility. And there is a balance between security and convenience. Executives and security teams will draw that line in very different ways. But at the end of the day, it is a business decision on behalf of the organization, and the organization should be prepared to answer for why it made those security decisions. Defining that split means spelling out things like who applies patches, who maintains the hardware, and who trains your employees. If you don’t figure that out, guess what happens? The client thinks the MSP is doing everything and the MSP thinks the client is doing their part.
Then there is a sub-section, Strategic Priorities for Small and Medium-sized Businesses, under the Strategic Decision Making section. It basically says that while SMBs may lack the financial resources or technical expertise, they are still responsible for the risk management decisions they make when deciding what to outsource. SMBs should catalog which assets are the most critical to their organization so that they can prioritize, exclude certain things from the vendor agreement where appropriate, and develop contingency plans, incident response plans and all those kinds of things. They should weigh risk management decisions by determining the following in potential vendor agreements:
- Which tasks and responsibilities will the MSP take on?
- Which will the SMB continue to execute?
- Which tasks and responsibilities will be shared?
Operational Decision Making
[31:23] In the Operational Decision Making piece you determine how all these things are going to happen. One important point in this section states that just because you are a small business, it doesn’t mean you should go without doing risk assessments and creating risk management plans. You still should, but many times those roles are integrated in other areas. The guide goes on to provide a list of things that an MSP should provide to an organization before that organization signs a contract with it. A few of the highlights from the list include:
- [33:49] Providing a clear definition of the IT services and security services they are providing. Remember, IT is not security and security is not IT.
- [34:53] Detailed guidelines for incident management, including the MSP’s incident response responsibilities, warranty information, compensation for service outages, and plan to provide continuous support during a service outage.
- Remediation acceptance criteria that define the steps the MSP will take to mitigate known risks.
- [37:44] A Software Bill of Materials or similar verification of the security of any software the MSP will use to provide its services.
- [40:56] Statement from the MSP on how data from different clients will be segmented or separated on the MSP’s networks.
- [41:28] Documentation of vetting of employees (including subcontractors and independent consultants) to minimize risks of intellectual property theft, manipulations, or operational disruptions.
- [43:35] Transition plan to support a smooth integration of the IT services.
- [48:30] Documentation of MSP’s financial health, performance record for other clients, and disclosure of any previous legal issues.
Tactical Decision Making
[51:54] Tactical decision making involves the day-to-day IT and security needs of the business. In this section the guide provides considerations and best practices for network and system administrators. It recommends that organizations grant access using the least privilege principle and assign these administrators the minimum rights for short durations of time. In other words, the customer should hold the administrative login credentials to their systems and only give the MSP technician access to those credentials as needed. So, they enable and disable those credentials when there is a support need for the organization. That’s going to be a hard sell for the MSP, as they are usually the keeper of these administrative logins and they are active all the time.
[52:48] CISA provides tactical guidance for MSP customers to mitigate the risks of outsourcing to MSPs, including:
- Managing supply chain risks
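To make the “enable when needed, disable when done” practice concrete, here is an added example (not from the CISA guide or the podcast) of a small just-in-time access broker. It models a customer-controlled gate in front of an MSP technician’s admin account: every enable is tied to a support ticket, capped at a policy maximum, written to an audit trail, and closed automatically when the window expires even if nobody remembers to disable it. The class, account names, ticket numbers and timestamps are all hypothetical; in a real environment the enable/disable calls would drive the directory service rather than an in-memory dictionary.

```python
"""Time-boxed, ticket-bound enabling of an MSP technician's admin account.

Added example: an in-memory model of the "enable when needed, disable when
done" practice. In production, enable()/disable() would call the directory
service; here they only update state and an audit log (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class AccessGrant:
    """One enable/disable cycle for a privileged account (constructed model)."""
    account: str
    requested_by: str
    ticket: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None
    revoke_reason: Optional[str] = None


class JitAccessBroker:
    """Customer-controlled gate in front of the MSP's administrative logins."""

    def __init__(self, max_duration: timedelta = timedelta(hours=4)) -> None:
        self.max_duration = max_duration          # policy ceiling on any single grant
        self.grants: Dict[str, AccessGrant] = {}  # current grant per account
        self.audit: List[str] = []                # append-only event trail

    def _log(self, when: datetime, event: str) -> None:
        self.audit.append(f"{when.isoformat()} {event}")

    def enable(self, account: str, requested_by: str, ticket: str,
               duration: timedelta, now: datetime) -> AccessGrant:
        """Turn the account on for `duration`, tied to a support ticket."""
        if not ticket:
            raise ValueError("a support ticket is required to enable admin access")
        if duration <= timedelta(0) or duration > self.max_duration:
            raise ValueError(f"duration must be within (0, {self.max_duration}]")
        if self.is_enabled(account, now):
            raise ValueError(f"{account} is already enabled; disable it first")
        grant = AccessGrant(account, requested_by, ticket, now, now + duration)
        self.grants[account] = grant
        self._log(now, f"ENABLE {account} by={requested_by} ticket={ticket} "
                       f"until={grant.expires_at.isoformat()}")
        return grant

    def is_enabled(self, account: str, now: datetime) -> bool:
        """True only inside an unexpired, unrevoked grant window.

        Expired grants are closed out here, so a missed disable() call still
        leaves the account off and records the expiry in the audit trail.
        """
        grant = self.grants.get(account)
        if grant is None or grant.revoked_at is not None:
            return False
        if now >= grant.expires_at:
            grant.revoked_at = grant.expires_at
            grant.revoke_reason = "expired"
            self._log(grant.expires_at, f"EXPIRE {account} ticket={grant.ticket}")
            return False
        return True

    def disable(self, account: str, now: datetime,
                reason: str = "support task complete") -> bool:
        """Turn the account off early; returns False if it was not enabled."""
        if not self.is_enabled(account, now):
            return False
        grant = self.grants[account]
        grant.revoked_at = now
        grant.revoke_reason = reason
        self._log(now, f"DISABLE {account} ticket={grant.ticket} reason={reason}")
        return True


def demo() -> List[str]:
    """Walk two support engagements through the broker; return the audit trail."""
    broker = JitAccessBroker(max_duration=timedelta(hours=4))
    t0 = datetime(2021, 10, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    # Hypothetical account, requester and ticket names; not from any real environment.
    broker.enable("msp-tech-admin", "tech@msp.example", "TKT-1001",
                  timedelta(hours=2), now=t0)
    assert broker.is_enabled("msp-tech-admin", t0 + timedelta(minutes=30))
    broker.disable("msp-tech-admin", t0 + timedelta(hours=1))      # work finished early
    assert not broker.is_enabled("msp-tech-admin", t0 + timedelta(hours=1, minutes=1))
    # Second ticket later the same day: nobody disables it, so expiry closes it.
    t1 = t0 + timedelta(hours=5)
    broker.enable("msp-tech-admin", "tech@msp.example", "TKT-1002",
                  timedelta(hours=1), now=t1)
    assert not broker.is_enabled("msp-tech-admin", t1 + timedelta(hours=2))
    return broker.audit


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The point of the design is that the customer, not the MSP, owns the switch: a technician gets a window scoped to a ticket, the window has a hard ceiling, and the audit trail records who asked, why, when it opened and how it closed. That trail is exactly the evidence an organization needs when it is asked to show that outsourced administrative access was actually controlled.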
- Implementing strong operational controls
- Managing architecture risks
- Managing authentication, authorization, and accounting procedure risks
- Reviewing contractual relationships with all service providers
- Implementing CISA’s Cyber Essentials to reduce the organization’s cyber risks
The document also talks about how organizations should incorporate vendors in their incident response planning and business continuity planning, something we’ve also stressed many times in our podcasts. And it reiterates again to small and medium-sized businesses that if you outsource IT requirements to an MSP to achieve efficiency and cost savings, it still does not let you fully delegate the responsibility for them.
Wow! So, basically, Prove it.
Big Announcement:
[1:03:42] We are rolling out a new HIPAA for MSPs package that is going to help MSPs incorporate Recognized Security Practices into their business model, along with the things on this CISA list we just reviewed. Through the work we are doing on the 405(d) committee and the work we are doing with our own clients, we are building new content and the capability for MSPs to fully utilize these guides and tools. One of the key elements of the new HIPAA for MSPs is the Kardon Club membership program. The Kardon Club All-Stars membership level is included with the HIPAA for MSPs subscription. This is a package that includes training and reference material, a Wiki for Q&A, and a forum to discuss the different topics and participate with your clients. You would be a part of HIPAA for MSPs and your clients could be a part of Kardon All-Stars.
Now, this is not a sales thing, no sales allowed. This is not what it’s about. This is about getting proper information to the people that need it. So, the Kardon Club All-Stars is designed that if you are responsible for privacy and security in any way, shape or form, if you need information, it should be under the Kardon Club All-Star community site. Whether it’s training you need, reference to documents, articles, or advice, it’s going to be in that community. And if it’s not there, we’ll go get it and put it in there so that it is all in one place and you’re not looking all over for it.
There are all kinds of access to our audio and video content, which we’ve never had before. So, if you want to find an episode or a webinar or part of the courses that come with the All-Star program, you do a search and it will find the audio and video content and it’ll take you directly to that spot in the episode.
The information about the new HIPAA for MSPs is available on the Help Me with HIPAA website. So, look for the information. It is all starting and we are rolling it out to celebrate National Cyber Security Awareness Month.
But wait, there’s more….
We are going to give you, as a MSP, a license to use the ComplyAssistant software for your own internal compliance as an MSP.
Lastly, we have partnered with a healthcare accreditation organization and have built an MSP-specific HIPAA program that they have vetted, and they are creating a test on that course material for the HIPAA for MSPs folks. And if you pass, they will give you an accreditation to say that you are a Certified HIPAA Managed Service Provider (CHMSPC). This is not us providing the accreditation; it’s a third-party accreditation service.
This is proof that we are not creating something for the minimum service providers out there. This is for the people that want to knock it out of the park and do things right.
So, to find out more, go to HIPAA for MSPs. For more information on the Kardon Club side of things, go to the Kardon website.
Wow. We covered A LOT in this episode. It is a clear indication that there is a lot to do in the MSP space and there is a lot to do in the business space dealing with MSPs. Guides like CISA’s Risk Considerations for Managed Service Provider Customers are being released continuously these days. We’ve covered some in other episodes and will cover more as they are released. It’s hard to keep up with everything, so let us help you do that. Continue to listen to the podcast and consider getting involved in the HIPAA for MSPs program.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.