
Mitigate MSP Risks – Ep 452 

 April 5, 2024

By  Donna Grindle

MSPs are like the backstage crew for your business’s IT show, handling everything from network management to cybersecurity. But here’s the kicker: while they’re busy protecting you, they’ve got to make sure they’re not accidentally opening the back door for trouble with their own tools and business practices in the process of delivering their services. Security is a shared responsibility.


In this episode:

Mitigate MSP Risks – Ep 452

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!



The HIPAA Privacy and Security Boot Camp

3.5 day In Person Event

April 9, 10, 11 and 12, 2024

PriSecBootCamp.com


HIPAA Say What!?!

[10:13] Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates | HHS.gov

This Bulletin addresses:

  • What is a “tracking technology”?
  • How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
    • Tracking on user-authenticated web pages
    • Tracking on unauthenticated web pages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies
Further, visits to unauthenticated webpages do not result in a disclosure of PHI to tracking technology vendors if the visit is not related to an individual’s past, present, or future health, health care, or payment for health care.

Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates | HHS.gov

Mitigate MSP Risks

[15:04] A couple of quick stories before we get to the main topic.

Suggested Privacy Rule Updates

Sen. Cassidy published a whitepaper reviewing the changes needed in the HIPAA Privacy Rule to address all of the changes we have experienced since the basic requirements were created. Worth a read. It points out areas of concern such as how you determine the minimum necessary today, when you can no longer just redact information from a paper record, and what to do about fees for record retrieval and passing them along.

Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era

Remember Alexa and her friends really are always listening!

Amazon’s Alexa recorded while she was sleeping, the customer said. What happened? – nj.com

Creegan said the device recorded for 67 minutes while she was sleeping, and she wanted to know why. Guess what: it heard what it thought was its name, then it heard what it thought was a Find My Phone command, so it called her phone in the middle of the night, was sent to voicemail, and left the message it heard. That is an explanation, but 67 minutes?

Note: AI tools will only make this a trickier situation.

Cloud Security Best Practices from CISA and NSA

[21:08] CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices | CISA

There are several different angles in this release. No way we can cover all of them but make sure you check them all out.

Another TLA to remember that is included in these sheets is MCA, for Malicious Cyber Actor.

Secure Data in the Cloud

Implement Network Segmentation and Encryption in Cloud Environments

Use Secure Cloud Identity and Access Management Practices

Use Secure Cloud Key Management Practices

Mitigate Risks from Managed Service Providers in Cloud Environments

Security in the cloud is a shared responsibility. This principle extends to the use of third party services and capabilities as offered by MSPs. Malicious cyber actors (MCAs) are known to have an interest in targeting MSPs and using compromised MSPs to target customers.
MSPs, by their nature, must have access to their customers’ data and resources. In many cases, MSPs will have privileged access. An MCA who has compromised an MSP may be able to use the access to pivot into customer environments. The potential for a successful pivot is increased if privileged access has been granted. Such activities are less likely to be detected because they come through a trusted MSP.

====================

In contingency planning, organizations should identify and understand the agreements provided by MSPs. Areas to consider include the responsibility of an MSP regarding the notification of suspected security incidents, such as potential breaches, and service level agreements related to remediation or recovery from security incidents or outages. Incident planners should consider what incident responders might need from an MSP in terms of data or support and how to achieve this. System recovery planners should consider how to respond if a capability failure occurs on the part of an MSP.

==========================

[28:15]

When organizations choose MSPs, NSA and CISA recommend the following:

  • Adhere to important security standards as part of selection criteria when choosing MSP services.
  • Choose services and service levels that provide visibility into MSP actions via IAM and log analytic systems.
  • Perform and test configurations to ensure that logs and IAM information related to MSP actions are integrated into the organizational security infrastructure.
  • Regularly review MSP accounts and privileges in IAM systems and investigate unusual or unexpected changes.
  • Audit MSP actions via log analytics and prioritize procedures for alerting on and investigating unusual activity.
  • [42:48] Consider the need for MSP services if an incident occurs, and choose service levels that provide the necessary level of support.
  • Perform tabletop exercises around incident response or system failures related to the MSP and incorporate the findings into incident response and system recovery plans.
Mitigate Risks from Managed Service Providers in Cloud Environments
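As an added illustration of the “regularly review MSP accounts and privileges” and “audit MSP actions via log analytics” recommendations above (example code written for these notes, not from CISA, NSA or the show), here is a small Python review pass over constructed audit events. The MSP domain, approved account roster, maintenance window and action names are all assumptions you would replace with your own agreement and IAM vocabulary.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit events (not real logs): who did what, to what, and when.
SAMPLE_EVENTS = [
    '{"time": "2024-04-02T02:15:00Z", "actor": "msp-ops@msp.example", "action": "UpdateServerPatch", "target": "srv-01"}',
    '{"time": "2024-04-02T02:40:00Z", "actor": "msp-ops@msp.example", "action": "AttachRolePolicy", "target": "role/AdminAccess"}',
    '{"time": "2024-04-02T14:05:00Z", "actor": "msp-ops@msp.example", "action": "CreateUser", "target": "svc-backup2"}',
    '{"time": "2024-04-02T03:00:00Z", "actor": "msp-unknown@msp.example", "action": "ListBuckets", "target": "*"}',
    '{"time": "2024-04-02T09:30:00Z", "actor": "alice@customer.example", "action": "AttachRolePolicy", "target": "role/ReadOnly"}',
]

# Assumed values from the MSP agreement: which domain the MSP uses, which of its
# accounts are on the approved roster, and the agreed maintenance window (UTC hours).
MSP_DOMAIN = "msp.example"
APPROVED_MSP_ACCOUNTS = {"msp-ops@msp.example"}
WINDOW_START, WINDOW_END = 1, 5  # 01:00 inclusive to 05:00 exclusive, UTC
# Actions that change privileges; an MSP doing these always deserves a second look.
PRIVILEGE_ACTIONS = {"AttachRolePolicy", "CreateUser", "PutUserPolicy", "AddUserToGroup"}


def review_msp_activity(raw_events):
    """Return a list of findings for MSP-originated actions worth investigating."""
    findings = []
    for line in raw_events:
        ev = json.loads(line)
        actor = ev["actor"]
        if not actor.endswith("@" + MSP_DOMAIN):
            continue  # customer staff actions are out of scope for the MSP review
        ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00")).astimezone(timezone.utc)
        base = {"actor": actor, "action": ev["action"], "target": ev["target"], "time": ev["time"]}
        if actor not in APPROVED_MSP_ACCOUNTS:
            findings.append({"kind": "unapproved_account", **base})
        if ev["action"] in PRIVILEGE_ACTIONS:
            findings.append({"kind": "privilege_change", **base})
        if not (WINDOW_START <= ts.hour < WINDOW_END):
            findings.append({"kind": "outside_window", **base})
    return findings


if __name__ == "__main__":
    for f in review_msp_activity(SAMPLE_EVENTS):
        print(f"{f['kind']:<20} {f['time']} {f['actor']} {f['action']} {f['target']}")
```

On the sample above this flags the admin policy attachment, the user creation (twice: privilege change and outside the window), and the action from an MSP account that is not on the roster, while ignoring the customer’s own admin.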

Imagine an MSP as your buddy who’s super good at setting up home security systems but sometimes forgets to lock their own front door. That’s why it’s important for your MSP to double-check their own work and make sure security is tight and secure, so they don’t end up being the reason something sneaky gets through to their clients’ systems. It’s all about keeping the trust and making sure everyone sleeps a bit easier at night, knowing the digital fort is well-guarded from all sides. Security is a shared responsibility.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
