HIPAA & NY SHIELD Act Fine: MSPs Can Capitalize on Compliance Demand
The recent settlement between the New York Attorney General and Enzo Biochem, Inc. marks yet another instance of regulators cracking down on compliance. In August 2024, the biotechnology company agreed to pay $4.5 million for HIPAA and New York SHIELD Act violations that contributed to a 2023 cyberattack compromising the private records of roughly 2.4 million patients. And this list (i.e. “The HIPAA Wall of Shame”) from the U.S. Department of Health and Human Services shows Enzo is far from alone: its list of breaches reported in the past 24 months and under investigation by the Office for Civil Rights currently includes 849 covered entities.
While regulated businesses are shaking in their boots, managed service providers (MSPs) offering compliance as a service (CaaS) should be jumping for joy. When states start taking the lead on enforcement, it opens the door for selling CaaS SKUs.
In this article, we’ll discuss how you can leverage a trend toward stricter enforcement to sell assessments and compliance services in New York state and beyond.
The Intersection of HIPAA and New York SHIELD Act
Adopted in July 2019, New York’s Stop Hacks and Improve Electronic Security Act (SHIELD) overlaps with HIPAA in two areas: breach notification and data security requirements.
- Breach notification: When a HIPAA-covered entity must notify the Secretary of Health and Human Services of a breach, it must also notify the New York State Attorney General, within five business days of notifying the Secretary. (Compliance Scorecard features sample notification templates that you can leverage.)
- Cybersecurity measures: Like the HIPAA Security Rule, the SHIELD Act requires any person or business that owns or licenses computerized data containing the private information of New York residents to implement reasonable administrative, technical, and physical safeguards to protect that data.
Since the SHIELD Act took effect, HIPAA-covered entities and their business associates that handle New York residents’ data must comply with both HIPAA and SHIELD.
Case in Point: What Not to Do
Risk Assessment Findings
Enzo Biochem Inc., a HIPAA-covered entity, received a HIPAA risk assessment from one of its vendors in November 2021. The assessment identified several major risks to its systems and recommended mitigations. For example, Enzo did not encrypt protected health information at rest, nor did it use automated detection of security and network anomalies.
Security Breach and Non-Compliance
Enzo did not implement the recommended measures. In April 2023, attackers gained access to its network and deployed ransomware, encrypting files that included patient information. Beyond failing to safeguard that information as the HIPAA Security Rule requires, Enzo did not fully disclose what private information had been compromised, falling short of its breach notification obligations as well.
Legal Consequences and SHIELD Act Implications
In the settlement agreement with the Attorneys General of New York, Connecticut, and New Jersey, Enzo was found to have violated 10 sections of the HIPAA Security Rule and two sections of the Breach Notification Rule. More pertinent to our discussion today, the agreement explicitly states that Enzo’s HIPAA violations also constitute violations of the New York SHIELD Act.
Selling Compliance Assessments in NY State
We know how difficult it is to sell HIPAA compliance. When MSPs broach the topic, clients often respond with “nobody ever gets audited by HIPAA,” or the even more common “insurance will handle it.” However, this case could signal a shift toward tighter enforcement, if not of HIPAA directly, then of state-level regulatory frameworks that are much easier to enforce.
While HIPAA doesn’t grant individuals a private right to sue for violations, it does (since the 2009 HITECH Act) empower state attorneys general to bring civil enforcement actions. This recent action could serve as a precedent for any HIPAA-covered entity operating in New York, especially those also subject to the SHIELD Act. Here’s how you can explain this to your clients:
Know Thy Suppliers
The settlement agreement contained specific obligations regarding Enzo’s suppliers. Moving forward, Enzo must select service providers that take the appropriate measures to safeguard personal information and verify that these providers comply with contractual requirements.
The Attorney General’s focus on vendor management is nothing new. We’ve seen the same emphasis on the supply chain in NIS2, CMMC, GDPR, and ISO 27001. This trend toward managing the risk associated with third-party service providers means your clients need to know their partners’ weaknesses as well as they know their own. Step 1 in fulfilling this obligation is performing a risk assessment that identifies their vulnerabilities, including the ones introduced by their vendors.
Implementing Compliance
Don't just assess, act! Risk assessments are valuable, but only if they lead to action—and this is how you upsell clients from assessment to remediation.
With the information gained through an assessment, you can help clients prioritize and strategize remediation efforts. Be sure to document the steps taken to address any recommended actions. This documentation is crucial for proving compliance when regulators (or attorneys general) come knocking.
Have the Risk Conversation
When clients claim they’re too small for an assessment, the settlement agreement described above offers a compelling way to frame the risk conversation in terms that speak to them:
Dual Liability Under HIPAA and SHIELD Act
The agreement highlights that noncompliant HIPAA-covered entities can face enforcement action under both HIPAA and the New York SHIELD Act. Violations, especially where negligence results in a cyberattack, can draw substantial penalties. This settlement, for example, demanded a $4.5 million payment, enough to bankrupt many small businesses.
Benefits of Proactive Compliance
Taking steps to perform an assessment and remediate identified issues reduces the risk of a cyberattack. In doing so, it protects both revenue and reputation. Your clients can concurrently reduce their potential exposure to fines, legal fees, remediation expenses, and loss of investment.
Compliance Scorecard Tools for HIPAA and SHIELD
Compliance Scorecard is a compliance-as-a-service platform built for MSPs. It facilitates assessments, alignment with regulatory frameworks like HIPAA, and all the documentation and reporting you’d need during an audit. Here’s how it works.
Assessments
The settlement agreement required Enzo to set up a risk assessment program, highlighting the importance of conducting regular assessments and having up-to-date information regarding their risk. MSPs can use our scorecards to conduct all kinds of assessments and define a regular review cadence. We have a Risk Matrix Scorecard to help identify and prioritize risks, an Asset Scorecard for tracking and managing assets, and a general Assessment Scorecard to evaluate current compliance posture against industry-specific standards.
Policy Packs
We’ve already gone over why conducting an assessment is not sufficient in and of itself. When it comes time to mitigate risk according to framework measures, we’ve got you covered. Use our HIPAA Policy Pack to align your clients’ day-to-day business with required controls. We’ve got expertly written and HIPAA-specific documents for access and authentication, incident response, and even business associate agreements.
Integrations
Cybersecurity requires technical controls like multifactor authentication (MFA), encryption, and intrusion detection, backed by ongoing activities like penetration testing and continuous monitoring. As an MSP, these services are already in your wheelhouse, but what if you had an all-in-one platform that could integrate with the tools you already use? Compliance Scorecard is that platform. We integrate with 20+ of the programs MSPs love most, like ConnectSecure’s attack surface mapping, Nodeware’s continuous monitoring, and Liongard’s asset management.
Compliance Management
Assessments, policies, and technical controls are great, but you need a way to prove compliance when auditors ask to see your program. Compliance Scorecard facilitates compliance management like no other. The centralized platform tracks progress, stores documentation, and automates reporting so you’re never without proof of all the measures you’ve taken.
Step Into CaaS with Compliance Scorecard
The recent settlement between the New York Attorney General and Enzo Biochem Inc. highlights the growing scrutiny and enforcement of compliance standards, making it imperative for organizations to prioritize cybersecurity and seek expert guidance. MSPs can play a pivotal role in helping clients navigate the complexities of regulations.
By offering compliance solutions and leveraging tools like Compliance Scorecard, MSPs empower their clients to mitigate risks, enhance their security posture, and avoid costly penalties. Don't let non-compliance haunt your clients. Partner with Compliance Scorecard to become a cybersecurity hero.