
Essential Elements of the MSP Security Stack

Managed service providers are being increasingly used by healthcare providers to help them achieve HIPAA Security Rule compliance. Here we explore the essential elements of the MSP security stack that are needed to meet the needs of healthcare organizations.

Growing Demand for MSP Security Services

The healthcare industry has long been a target for cybercriminals, and cyberattacks and data breaches are increasing each year, with threat actors developing increasingly sophisticated ways of breaching defenses and gaining access to sensitive healthcare data. To protect against these threats, healthcare organizations need to adopt a defense-in-depth strategy, in which multiple cybersecurity solutions are deployed to protect their networks, applications, and data, along with monitoring solutions to rapidly detect breaches of those defenses. They also need to implement and test an incident response plan for when attackers do succeed.

That is a massive job for any healthcare organization and one that many small- and medium-sized healthcare organizations struggle with. It is therefore no surprise that many healthcare organizations are now outsourcing security to managed service providers (MSPs). Traditionally, the MSP software stack has consisted of productivity and IT management tools, with the services provided mostly limited to general IT functions such as network and application management, storage, email, hardware and software maintenance, configuration management and optimization, data backups, and helpdesk support. However, the majority of MSPs have since developed an MSP security stack and now provide managed security services. A recent Datto survey of 1,800 MSPs found that 99% were providing managed security services to some degree.

MSPs Must Be Compliant with the HIPAA Security Rule

MSPs that create, receive, maintain, or transmit ePHI on behalf of a HIPAA-covered entity are classed as business associates under HIPAA and must enter into a business associate agreement with that covered entity. MSPs have many responsibilities under HIPAA and can be held accountable for breaches of protected health information. MSPs are required to conduct a security risk analysis that identifies all risks and vulnerabilities; it must span the entire organization and cover all potential risks to the confidentiality, integrity, and availability of the ePHI they could potentially access, view, create, receive, maintain, or transmit.


All identified risks must be managed and reduced to a low and acceptable level, and the MSP must document all aspects of the risk analysis and remediation process. MSPs must also continuously reassess their security policies and procedures to ensure they continue to provide the required level of protection, and must monitor for potential intrusions and threats. MSPs are commonly targeted by threat actors because, if an MSP's systems are breached, hackers can use its remote monitoring and management tools to gain access to the networks of its clients. MSPs must plan for such a breach and develop and test an incident response plan to ensure that they can respond quickly and effectively in the event of a security incident. Achieving compliance can be a challenge, which is why many MSPs seek assistance from compliance professionals. This is recommended, as it helps to ensure that no aspect of Security Rule compliance is overlooked and helps them develop a program for maintaining compliance over time.

Managed Security Services for Healthcare Organizations

One of the best approaches for MSPs to take to help their healthcare clients achieve HIPAA Security Rule compliance and implement appropriate safeguards to ensure the confidentiality, integrity, and availability of ePHI is to base their managed services on the NIST Cybersecurity Framework. While it is important to implement cybersecurity solutions that can detect and block threats such as malware, ransomware, and phishing, a more comprehensive approach to security is required. The five core functions of the NIST Cybersecurity Framework (version 1.1; version 2.0 adds a sixth, Govern) are identify, protect, detect, respond, and recover, and MSPs should strive to provide managed security services in all of these areas.

The security tools in the MSP security stack will need to provide comprehensive protection across several layers. The MSP security stack should defend against the tactics, techniques, and procedures used by threat actors, as catalogued in the MITRE ATT&CK knowledge base. That framework is highly beneficial for MSPs and can help them develop a comprehensive security plan for their clients, map their existing coverage against the techniques attackers actually use, and select the best solutions for the MSP security stack.

Essential Components of the MSP Security Stack

In order to meet the needs of healthcare clients, a comprehensive MSP software security stack is required, and the services provided should be based on zero-trust principles. The specific tools and services provided will depend on the environments and existing solutions used by each client; however, it is useful to offer a core set of cybersecurity solutions and services.

The MSP security stack should, at a minimum, include services and products in the following areas:

  • Perimeter security, such as firewalls, intrusion prevention systems (IPS), and unified threat management (UTM) systems
  • Endpoint protection
  • Identity and access management, including single sign-on, multifactor authentication, and password management
  • Mobile security and device management
  • Email security
  • Web security
  • IoT Security
  • Vulnerability scanning and penetration testing
  • Managed detection and response
  • Network monitoring
  • Backup and recovery
  • Security awareness training and phishing simulations

It can be difficult for MSPs to fully address all of these aspects of security when first developing managed security services, which is why 6 out of 10 MSPs partner with managed security service providers (MSSPs) and 4 out of 10 MSPs partner with managed detection and response (MDR) providers, outsourcing these critical security functions to specialists while they develop their own MSP security stack.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
