With the number of email attacks on the health and public health sector growing, many HIPAA-covered entities are taking advantage of MSP spam filtering services and are outsourcing email security.
Demand for managed security services has been growing due to the increasing number of healthcare data breaches, especially among small to medium-sized healthcare organizations that either cannot or do not want to manage cybersecurity in-house. Recruiting cybersecurity professionals is difficult and costly, especially for smaller organizations. There is currently a global shortage of cybersecurity professionals and Cybersecurity Ventures reports there were 3.5 million unfilled cybersecurity positions in 2021, and the shortfall in workers sufficiently skilled to take on those positions is unlikely to be resolved for at least the next 5 years.
Phishing attacks are a leading cause of healthcare data breaches, and Coveware reports that phishing has been the leading initial attack vector used by ransomware gangs for the past three quarters. SonicWall reports that, for the first time in three years, malware attacks have increased. Email threats have become much more sophisticated and are proving difficult for healthcare organizations to block, so it is no surprise that MSP spam filtering services are in such demand. MSPs have responded to the demand and have developed a range of managed security services. According to Datto, 99% of MSPs offer managed security services, with 82% offering email security services.
When considering outsourcing email security and signing up for MSP spam filtering services, you should carefully check what those services cover. Many MSPs will provide email security solutions for blocking spam and malicious emails, but simply signing up for those services does not guarantee that all malicious emails will be blocked. The contract with the MSP should make clear what their security services cover, the responsibilities of the MSP with respect to security incidents, and whether remediating any security incidents is covered by the price. HIPAA-covered entities should have a service level agreement (SLA) that clearly states the obligations of the MSP and the hours of support. SLAs are invaluable in the event of a dispute.
In addition to MSP spam filtering services, MSPs may offer HIPAA-compliant email, encrypting messages to prevent interception in transit, and may also offer email archiving and backup services; however, the services provided can vary considerably from MSP to MSP. It may be necessary to seek a managed security service provider (MSSP) if you need comprehensive security services.
You should ensure that the email security solutions provided incorporate malicious URL protection, advanced malware protection, and robust anti-phishing controls. Outbound scanning of emails should be provided, both to detect compromised mailboxes and for data loss prevention. Some MSP spam filtering services can detect ePHI when it is being sent externally, apply controls to prevent accidental disclosures, and enforce encryption for all external emails.
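As an added illustration of the outbound controls described above (example code, not from the original article or any MSP's product), the following policy check classifies a message by whether it has external recipients and whether constructed ePHI identifier patterns appear in it, then returns the action an outbound filter would take: allow internal mail, enforce encryption on external mail, and hold external mail containing ePHI for review. The internal domains, identifier formats and sample messages are all assumptions.

```python
import re
from dataclasses import dataclass

# Assumed organisation domains; any other recipient domain counts as external.
INTERNAL_DOMAINS = {"clinic.example", "mail.clinic.example"}

# Constructed ePHI identifier patterns for illustration only:
# a US SSN, a hypothetical "MRN 00123456" record number, and a "DOB 01/02/1980" date of birth.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}

@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str

def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of our own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def phi_hits(text: str) -> list:
    """Return the labels of every ePHI pattern found in the text (one entry per match)."""
    return [label for label, rx in PHI_PATTERNS.items() for _ in rx.finditer(text)]

def outbound_policy(msg: OutboundMessage) -> tuple:
    """Decide the filter action for one message.
    ALLOW: only internal recipients.  ENCRYPT: external recipients, no ePHI found,
    so encryption is enforced.  QUARANTINE: external recipients and ePHI found,
    held for review so an accidental disclosure is prevented."""
    if not any(is_external(r) for r in msg.recipients):
        return "ALLOW", []
    hits = phi_hits(msg.subject + "\n" + msg.body)
    return ("QUARANTINE", hits) if hits else ("ENCRYPT", [])

# Constructed sample traffic.
SAMPLES = [
    OutboundMessage("nurse@clinic.example", ["doctor@clinic.example"], "Rota", "Shift swap Friday?"),
    OutboundMessage("admin@clinic.example", ["vendor@supplier.example"], "Invoice", "PO 4471 approved."),
    OutboundMessage("nurse@clinic.example", ["me@webmail.example"], "Referral",
                    "Patient MRN 00123456, DOB 01/02/1980, SSN 123-45-6789 attached."),
]

def run_samples() -> list:
    """Evaluate every sample and return (subject, action, hit_count) tuples."""
    return [(m.subject, *(lambda a, h: (a, len(h)))(*outbound_policy(m))) for m in SAMPLES]
```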
By providing MSP spam filtering services, MSPs will have access to all business emails and any electronic protected health information they contain. That means MSPs that provide those services are classed as business associates and must therefore enter into a business associate agreement with a HIPAA-covered entity and will be required to comply with certain HIPAA provisions. Before signing up for managed spam filtering services and providing an MSP with access to your email system you must obtain a signed BAA.
MSPs considering working with healthcare organizations should be aware that they share the responsibility of ensuring the confidentiality, integrity, and availability of electronic protected health information, and must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional and accidental disclosures of PHI. If any subcontractors are used, they too will be bound by HIPAA and must enter into a BAA with the MSP.