Risky Business: MSPs Talk Security, Compliance Issues

A managed service provider’s business has turned risky as more valuable information is digitized and entities look to their IT partners for assistance in securing and locking down that data.

An additional layer of complexity comes into play when certain businesses must comply with federal rules and regulations. That's particularly true for MSPs doing business in the healthcare space.

MSPs -- including Charles Love of Big Sur Technologies, Win Pham of RapidFire Tools and Chris Johnson of Untangled Solutions -- discussed the difficulties in securing clients’ data at Continuum’s Navigate conference in September.


Johnson, of Los Angeles-based Untangled Solutions, said most people think their information is secure when it isn’t.

’I would suspect in any of the breaches everyone’s talking about (now), they thought they were doing everything they’re supposed to …,’ he said. ’It’s never a promise or a guarantee. It’s always a best effort. … At the end of the day, it’s really about the people.’

The panel, which convened in Boston, advised MSPs working with their clients to ensure the proper policies and procedures are in place so businesses are protected. For businesses that must comply with HIPAA, the experts recommended a HIPAA compliance officer be hired to keep the MSPs’ processes on track.

Love, of Big Sur in Tampa, Fla., said even the most basic principles should be taught over and over again by MSPs, and a back-up should be put into place for clients.

’(Tell them,) ’Don’t send social security numbers in emails. Don’t send medical information in emails.’ People still do,’ he said. ’As an MSP, we’re kind of responsible for educating those customers to say, in the event you do send that kind of stuff, we’ll put a system in place to protect you. We’ll put policies in, be it third party tools or whatever, to help them fix the human element.’

Pham, of RapidFire in Atlanta, pointed out MSPs should also keep track of devices users wouldn’t think to secure, from USB drives floating around the office to even the hard drives in a digital copier. He shared an anecdote of a hospital that was oblivious to how office staff potentially compromised information with a leased copying machine.

’Every single thing that was ever copied at this hospital was on that hard drive …,’ he said. ’It’s not encrypted, just because it’s in your office and you don’t think about it.’

Johnson warned about other unconventional ways data can be snatched, citing, for example, a bank where he saw open and unsecured charging stations for visitors to plug in their phones.

The panel also warned about the security implications and difficulty controlling a BYOD or ’bring your own device’ work environment. All the panelists said they strongly advise against the use of outside devices in offices, especially considering sensitive information cannot be cleared once a person quits and takes a personal device home. Pham said there are also issues with employees using their own personal email accounts in a secure office.

’You’ve got Yahoo, Gmail, in financial industries, or a person in accounting who doesn’t realize they’re communicating financial information over the open Internet,’ he said. ’You benefit and strengthen by just thinking up these unusual ways that people have information sharing back and forth.’

Love said he typically advises his clients to follow HIPAA compliance standards, even if they aren’t in healthcare, to ensure everything is safe.

’HIPAA rules are a nice overview of what you’re supposed to do,’ he said. ’Even if (your client) has a car wash (business), they should still be adhering to the ’Don’t have a password for more than so many months’ standard.’

Sheryl Cherico, CEO of the Atlanta-based Tier3 MD, said her business focuses solely on the health care vertical, and HIPAA compliance has been a focus of her firm since the law’s inception. She said the matter has become of greater importance in recent years, especially since the adoption of the ’HIPAA omnibus rule,’ which puts more responsibility on MSPs when it comes to user compliance.

’We do HIPAA awareness training with our staff. We put a cage in our office to lock up equipment,’ she noted. ’We’ll go pick up a PC. We’ll lock it in the cage. We do that every day.’

She said the daunting prospect of releasing valued information is a concern, but a task she proudly takes on.

’That’s the nature of our business. It’s risky for a heart surgeon to go in and crack someone’s chest open,’ she said. ’You do what you can.’

John Grein, senior systems engineer with the MSP Computer Troubleshooters (CT) Boulder in Boulder, Colo., said his company is beginning initial compliance work for its customers. With about 200 clients, he said the company is starting to do assessment work to secure these businesses, since times are changing and more companies are looking to be protected.

’I think we’re not seeing clients feel that pressure yet, but I think because we’re out there educating ourselves, we’re starting to see the potential problems well in advance of what might be causing our client issues,’ he said. ’So when we start adding up all of these possibilities for security issues, they start to make us not sleep well at night.’

Grein said the challenge is in finding the problem and fixing it for a client, while also convincing a client to let his MSP technicians come in, do a full overview of office practices and secure and advise from there.

’A lot of times, people think we just want to do this to get billable hours,’ he said, ’but that’s not it.’

PUBLISHED SEPT. 30, 2014