Compliancy Group Exec To MSPs: Your Customers’ Risk Is Your Risk As Well
Joseph F. Kovar
‘That’s right, you get blamed for absolutely everything. You can mitigate your own risk, do it yourself, get compliant, make sure that you are doing your part and your client is as well because their risk is yours. Use a system—mine, somebody else’s, I don’t care—use something that centralizes it and puts it into a place you can manage it or you will fall down and your risk is not mitigated,’ says Paul Redding, vice president of channels at Compliancy Group.
Understanding the intricacies of compliance, and helping customers implement it, is not easy. But it is something that almost every MSP will some day need to do, hopefully before they or their customers get into trouble.
That’s the word from Paul Redding, vice president of channels at Greenlawn, N.Y.-based Compliancy Group, who this week told MSPs at the XChange August 2023 conference that every MSP who works with a customer that needs to adhere to some compliance standard—and with HIPAA that means any company that deals with employees’ private health-care information—needs to be ready to make compliance a part of their business.
The XChange August 2023 conference is hosted by CRN parent The Channel Company and is being held in Nashville, Tenn., this week.
Compliancy Group was founded by HIPAA auditors almost 20 years ago. The company at the time worked with major hospitals or organizations like the Tennessee Department of Health via six-figure or seven-figure annual contracts and tell them what they are doing wrong, Redding said.
“We would come back a year later, and everything was still a disaster,” he said. “Nobody had done anything. Because a risk assessment is not a compliance program. A risk assessment is a list of things you are doing wrong, and a bunch of policies and procedures you are not following. It is not a work plan.”
Compliancy Group learned that no matter how sophisticated the organization is, whether it has internal compliance officers, attorneys or, like most midsize companies just some IT person stuck with handling compliance, it does not know how to track and manage it, Redding said.
That led to the introduction of its software called The Guard, which Redding said is a central repository of truth for compliance. And because Compliancy Group was born with a focus on health care, its primary market targets HIPAA compliance, he said. The Guard, however, in October is slated to be available with full Center for Internet Security (CIS) assessments aimed at helping MSPs align with the CIS framework, he said.
Compliancy Group will also be cross-mapping and bringing in things like System and Organization Controls (SOC 2) and Cybersecurity Maturity Model Certification (CMMC), he said.
“Instead of just giving you a risk assessment, we give you a work plan, a tool to do your work in a place where you can dump both your evidence and your assessments and all that stuff together so that when the auditors come knocking, you have something to show them other than, ‘Oh, God help me, I’ll come back with some spreadsheets,’” he said.
It is important to understand that companies like Compliancy Group are not HIPAA certifiers, Redding said.
“There is no such thing,” he said. “If anyone ever tells you they’re giving you a certification for HIPAA, [it’s not true]. ... There is no such thing. What there is is a third-party validation. What that means is we will not only send you through our process and allow you to use our software, but at the end of that process one of our people—we have multiple in-house attorneys, multiple in-house compliance officers—who will look at your stuff and make sure what you did is right.”
If an organization gets audited for HIPAA, it has a 10-day response window during which it is expected to put together an entire proof of its whole compliance program, Redding said.
“And without someone helping you do it, you won’t,” he said. “If we give you [our HIPAA Seal of Compliance] and you get audited, we are going to present your audit preparation. We are going to present all the documentation. And I’m very proud to say that in the 18 years we’ve been issuing that, not only have we been audited around the validity of it through the FTC, no one that has that seal has ever failed a HIPAA audit.”
Businesses tend to think of security and compliance as the same and assume that the MSPs that manage their security are also compliant with things like HIPAA, Redding said.
“You guys do a portion of it,” he said. “But without all of it, the client will never be safe. You see, compliance is about a law, and laws are painful to read and are purposely vague. You ever pick up the HIPAA law? It is 700 pages of legalese written for an entire industry from the smallest one-person chiropractic shop all the way up to Kaiser Permanente. They have the same standards. There is cybersecurity in this. But it is deliberately and purposefully technologically vague because the risk profile of a chiropractor and Kaiser Permanente are wildly different.”
Security, the industry most MSPs have entered, is all about risk management, Redding said.
“And the problem is, your customer has no idea about what I just said,” he said. “They hired you because they said, ‘Here nerd, keep me safe. Do your nerd magic. And don’t let me go to jail, for the love of God. Don’t let my company go out of business.’”
The reality is, both security and compliance are needed because compliance mandates security, Redding said. “The foundation of compliance is security.”
While the financial industry has done its job in terms of meeting its compliance obligations, the health-care industry has not, Redding said.
“Health-care stayed in the ’90s with their head stuck in the sand waiting for something to happen because for the first decade nobody enforced this law,” he said. “So today, you’ve got over a 400 percent increase just in the last few years of enforcement against health care. We see fines issued on an almost daily basis. And the bad guys are winning 85 percent of the time.”
Most health-care organizations when hit are going to fall and be penalized, Redding said. And, he said, it’s not just those companies that get hurt from compliance issues.
“There’s 5 million small businesses in health care alone,” he said. “Of those, only about 800,000 are medical professionals, covered entities, doctors, insurance companies, the people involved in treatment. The rest are you. For every doctor, there’s at least four vendors, the phone company, Microsoft 365, their MSP, the shredding company, the people that handle their medical billing, their accountant, their attorney. All of these people are involved in the management of ePHI [electronic protected health information]. And all of them fall under the Health Care Law.”
Bringing those different organizations to HIPAA compliance becomes a differentiator for them, Redding said.
“I sell to attorneys based on the fact it’s impossible to tell the difference between two attorneys,” he said. “’Hey, for a few grand a year would you like to see your website content showing that you’re health-care-proof, that you’re an attorney who works in medical malpractice?’ You’re right. It’s an investment in advertising for the right business associates.”
Manufacturing is another industry ripe with opportunities for health-care compliance, as workman’s compensation is ePHI.
“If you self-insure, you do your own workman’s compensation,” he said. “About 50 [percent] to 80 percent of factories, give or take, are going to be self-insured or doing some form of workman’s compensation management, and all of them have to be HIPAA-compliant, and they have no idea. These guys are going to be fined first by the state of Illinois, then by Health and Human Services, then they’re going to go on what’s called the ‘Wall of Shame,’ and they’re not a health-care organization.”
Redding cited a number of examples, including a company fined $2.4 million because of a press release it did that included one of its client’s patients’ information because it thought it had their permission, a company fined $25,000 because of a Google review that included enough information considered ePHI, and a company fined $2.7 million for unencrypted devices.
“They weren’t fined because the devices were unencrypted,” he said. “They were fined because they didn’t have a bring-your-own-device policy. In the middle of the pandemic, they let everybody work from home. [They needed] something that says that home machine you’re working on has to be encrypted. They weren’t. When they got audited, they got hit, and raked over the coals. But it wasn’t because they got hacked. It’s because they didn’t have an effective compliance program.”
“So imagine a world where every single state passes their own standard,” he said. “And in order to work in 50 states, you have to adhere to 50 standards. Isn’t that gonna be a blast? No, it’s going to be completely [horrible]. The government will eventually come for you guys as a whole and for most of your clients because they are holding sensitive data,” he added.
“The state of Louisiana, for instance, already has an MSP registration act so that if you sell to the public sector, you have to register them, you have to tell them how many employees you have, and what you’re doing for protection. Right now, it’s just so they know who you are. I’m a comic book nerd. In the ‘X-Men,’ they made all the mutants register. I’m not going to tell you the end of that story. Not good. Not good. Eventually, the people registered, and they came for them. And if you are not compliant, [you’ll be in trouble].”
It’s important to realize that an MSP with health-care customers will need HIPAA certification, Redding said.
“It’s the omnibus rule,” he said. “If you have clients on this HIPAA bus, get on the bus with them. You’re in health care. This is what brought you in. And for every rule, there’s an assessment you have to make that says, ‘Hey, am I doing this?’ There’s policies you have to have in place that shows how your company handles this rule. And there’s policies and procedures that your employees are supposed to be trained on that tells them how to actually do this stuff.”
No matter what an MSP does, it will get the blame for a compliance fault, Redding said.
“That’s right, you get blamed for absolutely everything,” he said. “You can mitigate your own risk, do it yourself, get compliant, make sure that you are doing your part and your client is as well because their risk is yours. HIPAA and CMMC compliance ... is horrible. Instead, use a system—mine, somebody else’s, I don’t care—use something that centralizes it and puts it into a place you can manage it, or you will fall down and your risk is not mitigated.”
Compliance has become a huge market for Tech Sage Solutions, particularly with the Department of Defense where the San Antonio-based MSP has a large focus, said President and CEO John Hill.
Hill said his company has not worked with HIPAA, but three and a half years ago it developed a focus on CMMC because of its Department of Defense work.
“We market only to government contractors,” he said. “And it’s been a huge market for us. I’ve actually recently gone to several of the Kaseya Connect local events around the country, speaking to other MSPs about why they should get on the compliance bandwagon because that’s a huge untapped potential for any MSP that wants to put in the work.”
Hill estimated at least 70,000 of the 300,000 companies in the defense industrial base will need Level 2 CMMC, while the rest will need at least a lower level of CMMC.
Hill said he has talked with Compliancy Group about entering the CMMC market for years, and is happy to see the company is getting ready to do so.
Hill said his company already uses a variety of tools for CMMC compliance, but Compliancy Group would add a big layer of automation to the process.
“It’s going to depend on the program they put together with it,” he said. “Right now, it’s pretty profitable. As long as we can maintain profitability and work with Compliancy Group, that would be great. But we’ll have to evaluate that at that time.”
The biggest takeaway from Redding’s presentation is that even today, a lot of people are not paying close enough attention to compliance, Hill said.
“They don’t understand that it’s gonna bite them if they don’t,” he said.