Cybersecurity management is a constant challenge because cyber threats never stop evolving. As attackers become more sophisticated and their tactics shift rapidly, organizations struggle to keep up with the latest threats.
Furthermore, today's technological environments are more complex, making it difficult to secure every component and ensure each is properly protected. This is exacerbated by the fact that cybersecurity requires significant resources, including technology, personnel and budget, which many organizations struggle to allocate adequately.
As a result, organizations turn to managed service providers (MSPs), which deliver outsourced IT services such as security, vulnerability management, endpoint security and compliance management.
Security may be top of mind for most organizations, but compliance management cannot be separated from it. MSPs help organizations comply with regulatory and industry standards such as HIPAA and PCI DSS. Organizations that fall short can expect a fine, as happened to the law firm Heidell, Pittoni, Murphy & Bach (HPMB), which was fined $200,000 over a 2021 data breach.
New York Attorney General Letitia James announced the settlement with HPMB and alleged that the firm's data security failures violated not only state law, but also HIPAA.
In November 2021, an attacker was able to gain access to HPMB's systems by exploiting vulnerabilities in their server, as stated in the Assurance of Discontinuance from the attorney general's office. Despite Microsoft releasing patches for the software vulnerabilities several months prior, HPMB had not applied them, which allowed the hacker to deploy malware on the company's systems.
And the numbers related to the breach are staggering, to say the least. The private information of approximately 114,000 patients, including more than 60,000 New Yorkers, was compromised.
“Confidential patient information should be treated with care and secured online to protect New Yorkers from identity theft and fraud,” said James. “The institutions charged with protecting this information have a responsibility to get it right, and to keep authorities and New Yorkers informed about breaches.”
HPMB is now required to take measures to better protect their clients' patients' personal information. These measures include maintaining a comprehensive information security program, encrypting private and health information, implementing centralized logging and monitoring of network activity, establishing a patch management program, developing a penetration testing program, and updating data collection and retention practices.
These measures are intended to ensure that the company is up to date with changes in technology and security threats and that they collect and use data only when necessary and in compliance with legal requirements.
“Companies can, and should, strengthen their data security measures to safeguard consumers’ digital data, otherwise they can expect to hear from my office,” said James.
It is difficult to say whether an MSP would have 100% prevented HPMB's breach (and the resulting state-law and HIPAA violations). If anything, the case is a reminder that MSPs not only provide a level of protection that is often beyond the capabilities of in-house IT teams, but also provide the compliance management that keeps organizations on top of data security.
Edited by Alex Passett