In March, the U.S. Department of Health & Human Services Office for Civil Rights announced that it was launching the second phase of its HIPAA Privacy, Security, and Breach Notification Program. In short, healthcare organizations of any size and “a range of business associates of these entities” (read: those who “touch” patient data) are eligible for an audit. This is just one example of the challenges SMBs face in keeping up with the continued onslaught of regulations such as HIPAA and PCI, giving rise to a new offering: compliance as a service, or CaaS.
PCIHIPAA, a CaaS firm based in Scottsdale, Ariz., works directly with SMB clients in the medical and dental professions, as well as IT services companies. Focused on HIPAA and PCI, its subscription-based offering includes risk assessments, data backup, encryption, a HIPAA compliance portal that provides policy and procedure resources, PCI compliance certification, and PCI and HIPAA breach insurance. “If [practices] ever were audited, they can now show that they’re developing a culture of compliance,” explains Jeff Broudy, co-founder and CEO at PCIHIPAA.
For MSPs looking to offer CaaS, Broudy says this provides recurring revenue. PCIHIPAA, for example, charges $199 a month for its services, and he says MSPs can make up to $40 to $50 a month per client depending on the volume they generate.
Where Responsibility Begins and Ends
TierPoint LLC, a provider of colocation and disaster recovery services in St. Louis, recently acquired data center services firm Cosentry Inc., which will bring in more CaaS layers to its portfolio, explains Paul Mazzucco, chief security officer at TierPoint. “Really what we establish is a clear line of demarcation around where our layers of responsibility begin and end, and where the client’s layer of responsibility begins and ends,” he says.
Intronis MSP Solutions by Barracuda, headquartered in Chelmsford, Mass., offers data backup and protection solutions. (PCIHIPAA is an Intronis partner.) Neal Bradbury, senior director of business development, cautions MSPs that offering CaaS is an “all-in” venture. “You’ve got to be in 100 percent and you’ve got to invest the time, and it may require either hiring a resource or bringing on someone else to help you down this path,” he says. It also exposes MSPs to risk, notes Chris Crellin, senior director of product management at Intronis: If your client is breached, you can be held liable.
For Brad Thies, principal at Barr Assurance & Advisory Inc., a risk consultancy in Overland Park, Kan., it’s best for MSPs to start small. “My advice to small to medium-size businesses is start with a niche and then go from there,” he says. “You want to focus on one, do it really well, and then move on to the next one.”