An MSP who had just been involved in a HIPAA breach once told me, “I haven’t slept in four days, because I know my business won’t survive this.”
He had good reason to worry. His business didn’t survive.
As hard as you work to provide great services that help your clients, the sad truth is you also create risks. The steps you must take to protect your clients from those risks will also protect your company’s value and reputation, and your personal financial future.
I’ve dealt with two examples of MSPs whose employees harmed their clients and their business. Both cost the MSP customers. Both reduced the value of the MSP’s business. Both were preventable.
One involved a fired technician who was still able to remotely access client sites, because his former employer used a single, shared company login and password for all its customers. The MSP didn’t care enough about the potential risk to change the password after terminating the tech, even though IT best practices, HIPAA, and common sense require IT providers to have procedures in place for blocking access by former employees.
He cared later, though—after the client told his help desk it couldn’t access its network, and the recently fired tech was the reason why. The MSP owner felt like a victim. The client, who couldn’t believe the MSP’s security practices were so lax, fired him and ultimately collected a financial damages settlement. The tech, believing he was committing some harmless mischief, thought it was funny until the police handcuffed him. Later he pled guilty to a crime.
The second situation was remarkably similar. A fired engineer was able to get back into the MSP’s network and used the remote access server to log into healthcare clients, with domain admin privileges, and delete medical records. That’s a reportable HIPAA breach, and the MSP wasn’t prepared to survive an audit or investigation. He thought his company was too small to get caught. In hindsight, he wished he’d implemented HIPAA policies and procedures, performed a HIPAA compliance assessment, and trained his employees in HIPAA requirements, which likely would have prevented the breach from happening.
To avoid becoming part of a similar incident, create a checklist identifying every way your employees can access your clients’ networks, cloud services, online backup services, vendor portals, and data. Use two-factor authentication wherever possible. When you terminate someone, immediately:
- Prevent your former employee from accessing your tools and client information.
- Go into your client sites and change your company’s access credentials.
- Change the access credentials to your network, devices, and applications if there is any possibility your former employee may have the information.
- Get your clients to change their passwords if there is any possibility your former employee may know them.
- Review network user lists with your clients to ensure your ex-employee hasn’t created a phantom account “just in case” they might have to get back in someday.
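The checklist above is easier to carry out the same way every time if it is turned into a repeatable audit rather than a memory exercise. The following script is an added example, not code from the original column; it assumes a client's directory has been exported into simple per-account records (username, enabled flag, creation date, date the password was last set, and whether the credential is a shared company login) and that the client maintains a roster of approved usernames. With a termination date and the departed employee's usernames, it flags the first, second, third, and fifth items on the list: accounts of the departed person still enabled, shared credentials not rotated since the termination, unapproved accounts created shortly before departure (phantom-account candidates), and other accounts nobody approved. The sample accounts are constructed for illustration.

```python
"""Offboarding access audit: find accounts a departed employee could still use.

Added example, not from the original column. Field names and the sample
directory export below are assumptions for this example; in practice the
records would come from a directory export (for example a CSV of user
objects) and the approved-username roster from the client.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Iterable


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    created: date
    last_password_set: date
    shared: bool = False     # one credential used by several people (e.g. an MSP company login)
    description: str = ""


@dataclass
class AuditReport:
    still_enabled: list[str] = field(default_factory=list)       # departed user's own accounts still active
    phantom_candidates: list[str] = field(default_factory=list)  # unapproved accounts created near departure
    unapproved: list[str] = field(default_factory=list)          # unapproved accounts older than the window
    rotate_credentials: list[str] = field(default_factory=list)  # shared credentials not changed since departure

    def clean(self) -> bool:
        """True when nothing needs follow-up."""
        return not (self.still_enabled or self.phantom_candidates
                    or self.unapproved or self.rotate_credentials)


def audit_offboarding(accounts: Iterable[Account], approved: set[str],
                      departed: set[str], termination: date,
                      window_days: int = 30) -> AuditReport:
    """Compare a directory export against the roster and the termination date.

    approved:  usernames the client has signed off on (lower-case)
    departed:  usernames belonging to the terminated employee (lower-case)
    window_days: how far before the termination date a new, unapproved
                 account is treated as a possible 'just in case' back door
    """
    report = AuditReport()
    window_start = termination - timedelta(days=window_days)
    for acct in accounts:
        name = acct.username.lower()
        if name in departed:
            # Item 1: the former employee's own access must be gone.
            if acct.enabled:
                report.still_enabled.append(acct.username)
            continue
        if acct.shared:
            # Items 2 and 3: a shared credential the ex-employee knew must be
            # rotated on or after the termination date, whether or not it is on the roster.
            if acct.last_password_set < termination:
                report.rotate_credentials.append(acct.username)
            continue
        if name not in approved:
            # Item 5: accounts nobody approved, split by how recently they appeared.
            if acct.created >= window_start:
                report.phantom_candidates.append(acct.username)
            else:
                report.unapproved.append(acct.username)
    return report


# Constructed sample data: one client site, technician "jdoe" terminated 2024-03-01.
SAMPLE_TERMINATION = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, date(2021, 5, 10), date(2023, 12, 1)),                     # departed tech, still enabled
    Account("msp-admin", True, date(2019, 1, 1), date(2023, 6, 15), shared=True),   # shared MSP login, not rotated
    Account("backup-svc2", True, date(2024, 2, 20), date(2024, 2, 20), description="temp"),  # created 9 days before
    Account("asmith", True, date(2020, 3, 3), date(2024, 1, 5)),                     # approved client user
    Account("oldvendor", False, date(2018, 1, 1), date(2018, 1, 1)),                 # never approved, old
]
SAMPLE_APPROVED = {"asmith", "msp-admin"}
SAMPLE_DEPARTED = {"jdoe"}


def sample_audit() -> AuditReport:
    """Run the audit over the constructed sample site."""
    return audit_offboarding(SAMPLE_ACCOUNTS, SAMPLE_APPROVED, SAMPLE_DEPARTED, SAMPLE_TERMINATION)


if __name__ == "__main__":
    result = sample_audit()
    print("Still enabled (disable now):     ", result.still_enabled)
    print("Rotate shared credentials:       ", result.rotate_credentials)
    print("Phantom-account candidates:      ", result.phantom_candidates)
    print("Other unapproved accounts:       ", result.unapproved)
    print("Clean:", result.clean())
```

Running the audit per client site after every termination, and keeping the reports, also gives you the evidence a HIPAA investigator would ask for: who had access, when it was removed, and when shared credentials were changed.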
When you hire techs, stress that accessing your network, or a client’s, without authorization is a crime, and that you will assist in their prosecution.
Too harsh? Too much work? It’s nothing compared to sleepless nights, federal compliance violations, being fired and sued by your clients, and closing your business. Think your E&O insurance will cover you? A cyber-liability insurance company is currently suing one of its policyholders for $4.1 million after its MSP accidentally published a medical client’s patient records to the internet.
It’s your choice whether you wake up at 2 a.m. wondering if your clients are really protected against your company, or roll over and sleep peacefully because you’ve done the right things.