MSPs are like the backstage crew for your business’s IT show, handling everything from network management to cybersecurity. But here’s the kicker: while they’re busy protecting you, they’ve got to make sure they’re not accidentally opening the back door for trouble with their own tools and business practices in the process of delivering their services. Security is a shared responsibility.
In this episode:
Mitigate MSP Risks – Ep 452
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
The HIPAA Privacy and Security Boot Camp
3.5 day In Person Event
April 9, 10, 11 and 12, 2024
PriSecBootCamp.com
HIPAA Say What!?!
[10:13] Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates | HHS.gov
This Bulletin addresses:
- What is a “tracking technology”?
- How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
- Tracking on user-authenticated web pages
- Tracking on unauthenticated web pages
- Tracking within mobile apps
- HIPAA compliance obligations for regulated entities when using tracking technologies
Mitigate MSP Risks
[15:04] A couple of quick stories before we get to the main topic.
Suggested Privacy Rule Updates
Sen. Cassidy published a whitepaper reviewing the changes needed in the HIPAA Privacy Rule to address everything that has changed since the basic requirements were written. Worth a read. It points out areas of concern such as how you determine the minimum necessary today, when you can no longer just redact information from a paper record, and what happens with fees for record retrieval and passing them along.
Strengthening Health Data Privacy for Americans: Addressing the Challenges of the Modern Era
Remember Alexa and her friends really are always listening!
Amazon’s Alexa recorded while she was sleeping, the customer said. What happened? – nj.com
Creegan said the device recorded for 67 minutes while she was sleeping and she wanted to know why. Guess what: it heard what it thought was its name, then it heard what it thought was a Find My Phone command, so it called her phone in the middle of the night. The call went to voicemail, where it left the message it heard. That's the explanation, but 67 minutes?
Note: AI tools will only make this a trickier situation.
Cloud Security Best Practices from CISA and NSA
[21:08] CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices | CISA
There are several different angles in this release. No way we can cover all of them here, but make sure you check them all out.
Another TLA to remember, used throughout these sheets: MCA, for Malicious Cyber Actor.
Implement Network Segmentation and Encryption in Cloud Environments
Use Secure Cloud Identity and Access Management Practices
Use Secure Cloud Key Management Practices
Mitigate Risks from Managed Service Providers in Cloud Environments
[28:15] When organizations choose MSPs, NSA and CISA recommend the following:
- Adhere to important security standards as part of selection criteria when choosing MSP services.
- Choose services and service levels that provide visibility into MSP actions via IAM and log analytic systems.
- Perform and test configurations to ensure that logs and IAM information related to MSP actions are integrated into the organizational security infrastructure.
- Regularly review MSP accounts and privileges in IAM systems and investigate unusual or unexpected changes.
- Audit MSP actions via log analytics and prioritize procedures for alerting on and investigating unusual activity.
- [42:48] Consider the need for MSP services if an incident occurs, and choose service levels that provide the necessary level of support.
- Perform tabletop exercises around incident response or system failures related to the MSP and incorporate the findings into incident response and system recovery plans.
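To make the "review MSP accounts and privileges" and "audit MSP actions via log analytics" items above concrete, here is an added example (not from the podcast or the NSA/CISA sheets) that runs a handful of checks over a constructed IAM audit log. The log format, the account names, the per-account list of delegated actions, the set of sensitive IAM actions and the maintenance window are all assumptions made up for illustration; map them onto whatever your IAM platform and log pipeline actually produce.

```python
"""Review MSP account activity in an IAM audit log (added example).

Everything here is constructed for illustration: the JSON line format is
loosely modelled on cloud IAM audit logs but is not any vendor's schema,
and the accounts, action names and window are assumptions.
"""
import json
from datetime import datetime, timezone

# Constructed sample log: one JSON event per line (actor, action, target,
# optional mfa flag). Not real data.
SAMPLE_LOG = """\
{"time":"2024-03-04T14:02:11Z","actor":"msp-svc-monitoring","action":"DescribeInstances","target":"*"}
{"time":"2024-03-04T14:05:40Z","actor":"msp-admin-jdoe","action":"UpdateFirewallRule","target":"fw-prod-01","mfa":true}
{"time":"2024-03-04T23:17:03Z","actor":"msp-admin-jdoe","action":"CreateUser","target":"svc-backup2","mfa":true}
{"time":"2024-03-04T23:17:09Z","actor":"msp-admin-jdoe","action":"AttachRolePolicy","target":"svc-backup2:AdministratorAccess","mfa":true}
{"time":"2024-03-05T09:30:00Z","actor":"msp-admin-jdoe","action":"ListUsers","target":"*","mfa":false}
{"time":"2024-03-05T10:12:45Z","actor":"alice@client.example","action":"CreateUser","target":"newhire","mfa":true}
"""

# Assumed inventory: the accounts delegated to the MSP and the actions each
# one is contracted to perform. Anything outside this list deserves a look.
MSP_ACCOUNTS = {
    "msp-svc-monitoring": {"DescribeInstances", "ListUsers", "GetMetrics"},
    "msp-admin-jdoe": {"UpdateFirewallRule", "DescribeInstances", "ListUsers"},
}

# Assumed set of identity changes that an MSP account should never make
# without a ticket and a client-side review.
IAM_CHANGE_ACTIONS = {"CreateUser", "AttachRolePolicy", "CreateAccessKey", "DeleteUser"}

# Assumed maintenance window agreed in the MSP contract, UTC hours [start, end).
MAINT_WINDOW = (8, 20)

# Assumed naming convention: MSP principals carry an "msp-" prefix.
MSP_PREFIX = "msp-"


def parse_events(text):
    """Parse one JSON event per line; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["time"] = datetime.strptime(
            event["time"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def review_msp_activity(events):
    """Return (actor, action, target, reasons) for every MSP event worth investigating.

    Events by non-MSP actors are skipped here; they belong to a separate review.
    """
    findings = []
    for event in events:
        actor = event["actor"]
        if actor not in MSP_ACCOUNTS:
            continue
        reasons = []
        if event["action"] not in MSP_ACCOUNTS[actor]:
            reasons.append("action outside delegated scope")
        if event["action"] in IAM_CHANGE_ACTIONS:
            reasons.append("IAM change by MSP account")
        hour = event["time"].hour
        if not (MAINT_WINDOW[0] <= hour < MAINT_WINDOW[1]):
            reasons.append("outside maintenance window")
        if event.get("mfa") is False:  # missing flag means the log did not record it
            reasons.append("no MFA on session")
        if reasons:
            findings.append((actor, event["action"], event["target"], reasons))
    return findings


def unknown_msp_principals(current_principals):
    """Principals that look like MSP accounts but are not in the inventory.

    Feed this the principal list pulled from IAM; stale or unexpected MSP
    accounts are a common finding in periodic privilege reviews.
    """
    return [
        p for p in current_principals
        if p.startswith(MSP_PREFIX) and p not in MSP_ACCOUNTS
    ]


if __name__ == "__main__":
    for actor, action, target, reasons in review_msp_activity(parse_events(SAMPLE_LOG)):
        print(f"{actor} {action} {target}: {', '.join(reasons)}")
    # Constructed principal list as it might come back from an IAM listing.
    print("unknown MSP principals:", unknown_msp_principals(
        ["msp-svc-monitoring", "msp-admin-jdoe", "msp-admin-old", "alice@client.example"]))
```

On the sample log this flags the two late-night identity changes (out of scope, IAM change, outside the window), the in-scope but MFA-less session, and one MSP-looking principal that nobody inventoried. The point is less the specific rules than the shape of the process: the client, not the MSP, owns the inventory of what the MSP may do, and the client's own log pipeline is where those expectations get checked.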
Imagine an MSP as your buddy who’s super good at setting up home security systems but sometimes forgets to lock their own front door. That’s why it’s important for your MSP to double-check their own work and make sure security is tight and secure, so they don’t end up being the reason something sneaky gets through to their clients’ systems. It’s all about keeping the trust and making sure everyone sleeps a bit easier at night, knowing the digital fort is well-guarded from all sides. Security is a shared responsibility.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.