Although cyber-security is nothing new, healthcare providers are becoming more susceptible to attacks on their electronic information, ranging from financial records such as electronic invoices to the personal information of the residents and patients in their care. Attacks can be severe, and the most disruptive of them is ransomware. In mid-November 2019, a Wisconsin-based organization that manages the IT systems for some 110 clients serving approximately 2,400 nursing homes in 45 U.S. states was hit by the Ryuk ransomware strain. The company declined to pay the multi-million dollar ransom demanded by the extortionists, and the attack cut many of those elder care facilities off from their patient records, email and telephone service for days or weeks while the network was completely rebuilt.
If you contract with an outside IT service provider to manage, store, or maintain your IT, be aware that cyber-attacks on Managed Service Providers (MSPs) have intensified. Most MSPs hold privileged, often unrestricted, access to their clients' systems and data, which makes a single MSP an attractive target. A security breach at one MSP can affect the operations of dozens, or even hundreds, of organizations that depend on it, and the consequential damages from a single cyber-attack on a health care provider can be enormous.
While no solution is bullet-proof, there are steps that you, as an MSP client, can take to better understand the risks of outsourcing IT operations and to be better positioned should you become the victim of a cyber-attack:
- System and Organization Controls (SOC) audits: ask your MSP whether it undergoes SOC audits, how often, and request a copy of the most recent report. SOC audits are performed by Certified Public Accountants on the services offered by a service organization. A SOC 1 audit covers a vendor's controls relevant to its clients' financial reporting (e.g., controls related to outsourced payroll processing), while a SOC 2 audit examines the controls at a service organization against one or more of the Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. When reviewing a SOC 2 report, look for a Type 2 report, which tests whether the controls operated effectively over a period of time rather than merely existed at a point in time, read the auditor's exceptions, and pay attention to the complementary user entity controls, which are the controls the MSP assumes you, the client, have in place. A SOC 2 report can help you identify where your MSP, and by extension your own organization, is vulnerable.
- Cyber-insurance: review your policy to understand which events are covered and which are excluded. Seek assistance from a Certified Information Systems Auditor to confirm that the security requirements written into the policy are actually met, such as unique usernames, password requirements, and other controls over IT credentials; an unmet requirement can give the insurer grounds to deny a claim. Ask your MSP whether it carries cyber-insurance of its own and review the terms, compliance requirements, and claim protocols that would apply in the event of an attack.
If you would like more information regarding cyber-security audits and compliance, contact Michal Gurgacz, IT Risk Assurance Manager, or Nate Davenport, Senior Manager, at MSL, PA.