My consulting company recently received network scans done for a HIPAA security risk analysis of a healthcare client that is working with an MSP. That MSP has these promises on its website:
- We provide best-practice cybersecurity and HIPAA compliance to healthcare organizations that you can rely on.
- We monitor your systems 7/24 to make sure there are no security weaknesses. Weaknesses are immediately identified and patched for maximum security at all times.
- We will regularly assess your network and implement any changes needed to help you stay compliant and avoid the consequences of a compliance violation or data breach.
Sounds great, doesn’t it?
But is it true, or just hype?
Considering that the healthcare client’s November 2022 computer inventory shows that 54 of their 60 computers (90%) are running operating system versions that Microsoft no longer supports with security patches and updates, I’m leaning toward hype.
Microsoft’s Windows 10 Lifecycle website shows that the 29 Windows 10 Pro Version 20H2 systems lost their security patches in May 2022. The 10 Windows 10 Pro Version 2004 systems lost their security patches in December 2021, and the 15 Windows 10 Pro Version 1909 systems (25% of the total) haven’t received patches and updates since May 2021, a full 18 months before our assessment scans.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified unsupported operating systems and software as the No. 1 Bad Practice to avoid. HIPAA and other regulations require covered entities to only use operating systems and software supported by security patches and updates. Consider this from a 2018 federal HIPAA newsletter dedicated to patching systems: “identifying and mitigating the risks unpatched software poses to Electronic Protected Health Information (ePHI) is important to ensure the protection of ePHI and in fulfilling HIPAA requirements…”
Making matters worse, based on information provided by their MSP, our healthcare client attested on the application for their $2 million cyber insurance policy that their systems are patched, even though 90% of their 60 systems have unsupported operating systems. Cyber insurance requires that a client implement the cybersecurity to which they attested on their insurance application, otherwise their claims can be denied. For example, in July 2022, Travelers Insurance sued a client for misrepresenting its cybersecurity on its insurance application. Within two months, Travelers’ client agreed that the policy should be cancelled, and the ransomware claim denied.
The bad news for the MSP is that their unmet promises to this healthcare client aren’t just in the fine print of a contract—they are on the company website.
It’s a bad day when an MSP’s own advertising proves that they are either a liar or just careless.
In this case, either choice leaves their client open to cyberattacks, regulatory compliance penalties, lawsuits, and a claims denial of their $2 million cyber liability insurance policy if they are hacked.
While the unsupported computers are certainly a huge risk to the HIPAA-regulated client, what about the risk to the MSP if they have the same exclusion we have in our Errors & Omissions (E&O) insurance policy?
The coverage under this Policy will not apply to any Loss arising out of:
Deceptive Business Practices, Antitrust & Consumer Protection - any actual or alleged false, deceptive or unfair trade practices, antitrust violation, restraint of trade, unfair competition, violation of consumer protection law, false, deceptive or misleading advertising, inaccurate cost estimates or failure of goods or services to conform with any represented quality or performance.
If the client sues the MSP, the MSP’s E&O insurance will likely deny their claim because of the false advertising exclusion. That could make the MSP pay out-of-pocket for $2 million in incident costs plus additional damages and legal fees.
So, is this MSP lying or just careless?
I’m thinking a little of both, but not in the way you might guess.