Today, technology is at the center of modern medicine, which is why IT expertise is a skill that’s growing in importance for healthcare providers. The complexity of data systems, networks, and cybersecurity continues to increase each day. With this being the case, managed IT service providers (MSPs) are poised to be more valuable than ever.
Healthcare providers look to MSPs for several key services, such as:
- Understanding Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance
- Prompt IT helpdesk and support
- Business continuity planning
- Proactive security and alerting measures
- Partial or fully outsourced IT staff
In this article, we’ll explore some best practices every MSP should employ while working with healthcare providers.
Know Who You Are Working With
This might seem obvious, but healthcare customers present a unique challenge to service providers. For example, healthcare providers require more logging and auditing, and a stronger security posture, than other customers you may work with.
Another aspect is regulatory compliance, which is always a top priority. Health systems are required to comply with a variety of state and federal regulations, from Joint Commission certification to Affordable Care Act requirements, Department of Labor requirements, and HIPAA. MSPs working with healthcare providers need to keep a constant pulse on healthcare compliance. A good MSP has the expertise necessary to ensure that business operations continue without interruption, and understands the healthcare workers’ overall workflow.
Best Practices for Serving MSP Healthcare Clients
Now let's discuss best practices MSPs can employ while working with healthcare providers.
HIPAA applies not only to healthcare providers, like doctors and dentists, but also to vendors and suppliers who require access to protected health information (PHI and ePHI) to perform their work. HIPAA regulations refer to these vendors and suppliers as business associates (BAs), and as an MSP with healthcare clients you likely share in your clients’ risks.
Healthcare providers should make HIPAA compliance part of their IT planning, and have the staffing and budget to do so. Smaller organizations don’t always devote the same level of resources to HIPAA compliance, but they should, as it is critical to their operation. If you’re an MSP working with small healthcare providers, plan accordingly, as penalties for non-compliance could easily put your company out of business. See this list of examples of violations.
HIPAA rules require that MSPs, as HIPAA business associates, document the protective measures in place for ePHI (electronic protected health information). Encryption is one area where HIPAA isn’t completely explicit. Instead, the Department of Health and Human Services (HHS) states: “In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:
- Implement the addressable implementation specifications
- Implement one or more alternative security measures to accomplish the same purpose
- Not implement either an addressable implementation specification or an alternative.”
Essentially, this states that the healthcare organization or its BA must find an effective way to secure data, and for ePHI compliance this means that data in transit and at rest must be secured. While HIPAA doesn’t specifically require encryption, encryption is the only reasonable and viable way to meet the HIPAA demand that ePHI be protected at all times.
As your healthcare clients’ trusted IT adviser, part of your responsibility is to ensure they’re HIPAA compliant, even where HHS guidance is not explicit.
Evidence of compliance is documentation a healthcare organization produces to show its efforts to adhere to HIPAA. The documents should be able to prove the steps that were taken to identify and mitigate security risks related to HIPAA. MSPs can support their clients by conducting internal audits on a regular basis so that this evidence of compliance can be produced on demand. In the event of an external government audit, if the healthcare organization cannot produce evidence of compliance, it can be slapped with large fines for “benign neglect,” even if there has been no security breach.
Further reading: The Basics of HIPAA Cloud Backup Compliance
Guarantee Response Times
When it comes to providing healthcare services, fast response is not the only thing that matters; you should also guarantee your response times. If you have the staffing and the capacity, build them into 24/7 contracts. Some healthcare providers operate 24/7 and need guaranteed response times. If you are an MSP shop that supports both small to medium businesses and healthcare clients, having a separate on-call rota and phone number is ideal. Setting up your after-hours support in this manner ensures that you have dedicated staff ready to answer calls or be paged in emergency scenarios, which helps you meet your guaranteed response times.
Further reading: Creating an Effective MSP Help Desk
Backup and Business Continuity Planning
Without a backup and business continuity plan, a healthcare organization is in jeopardy if its MSP can’t assist in recovering from major outages or natural disasters. A business continuity plan is an absolute necessity for healthcare organizations: they simply can’t afford to lose their valuable medical data in the event of a disaster. Healthcare customers need all the help they can get from MSPs to maintain redundant systems and manage automatic failovers.
Maintaining high availability is crucial for healthcare providers. Be prepared to supply extra resources to deliver highly available services.
In the world of healthcare data security, complying with the HIPAA mandate is essential. Failing to meet regulations may result in huge fines and serious penalties. Healthcare providers require proactive security from MSPs that offer core security services, including identity-based security and encryption, authorized privileges and access control, and data accountability and integrity.
Auditing, logging, and reporting are critical in terms of security. Healthcare executives are often extremely busy and need reports that demonstrate that you are properly securing their environment.
Further reading: How MSSPs Can Serve Healthcare Clients In 2021
The staffing dynamics of healthcare IT require a sophisticated workforce, which is exactly why providers need MSPs to provide full or partial staffing. If you are hoping to work with healthcare customers, market yourself as able to assume full responsibility for the clinical labor while providing a single point of contact for all operations, including account management, customer support, order placement, and more.
Further reading: How Help Desk Outsourcing Can Boost MSP Business
In conclusion, the healthcare sector needs qualified MSPs that can deliver services on time and empower providers to achieve more. MSPs should strive to streamline operations, reduce operational costs, and enhance security.
By following the best practices listed in this article, MSPs can ensure that healthcare providers will be better suited to protect their medical practices and, most importantly, serve their patients.