Webinar Replay: 2025 Healthcare IT Landscape: Survey Findings Revealed

Cybersecurity threats are growing in severity and frequency — but new survey data reveals that many healthcare organizations are still underestimating the risks. Check out this session for a review of key findings from our 2025 Healthcare IT Landscape Report, including:
  • Where cybersecurity ranks among today’s priorities
  • Top IT & security gaps worrying healthcare leaders
  • How companies are preparing (or not) for future HIPAA changes
  • If co-managed support is moving the needle in aiding cyber response and compliance management.

VIDEO TRANSCRIPT

Kaleigh Alessandro (KA): All right. Hello and welcome, everyone who’s joining us today. We are excited to have you here with the Omega Systems team breaking down some of the fascinating data from our 2025 Healthcare IT Landscape Report.

I’m Kaleigh Alessandro. I’m the Director of Marketing for Omega Systems, and I’ll be your host and moderator today.

If you’re not familiar with Omega, we are a managed IT and security provider to highly regulated and security-conscious companies across the US, including those in the healthcare industry.

I am excited to be joined today by two of my favorite thought leaders from the Omega Systems universe, my colleagues Ben Tercha and Rick Mutzel. Gentlemen, I’ll let you say a word about yourselves for those listening. Ben, you want to give a quick intro?

Ben Tercha (BT): Of course. Thank you, Kaleigh. Pleasure to be here today.

Ben Tercha, Chief Operating Officer at Omega Systems. I’ve been with the organization close to 20 years and have seen all the different stages of growth starting as a small company and growing to the size that we’re at today.

I work closely with Rick, and it’s really kind of funny, Rick and I work so closely together, but I can’t recall the last time he and I actually did a webinar together. I was thinking about this morning. It has to have been probably at least 18 months. We’re both on like our own separate tracks.

But today, I oversee service delivery, customer success side, work with Rick closely in technology, and just looking forward to talking about the data.

And, the data is the data, but really it’s about the thoughts and what organizations can do to really bolster their security defenses and be prepared for cyber attacks that are targeting healthcare organizations.

Rick, I’ll pass it over to you.

Rick Mutzel (RM): Thanks, Ben. My name is Rick Mutzel. I’m the manager of technology here at Omega Systems. I’ve been with the company 11 going on 12 years.

So again, same as Ben, I’ve seen fantastic growth within the organization and it has been great to be along for the ride as we continue to expand.

Personally, I’ve worked in the behavioral health sector of healthcare for many years, starting as a help desk technician and eventually serving as an IT director. So been there and done that, experienced a lot of what we’re going to talk about today.

My position here as manager of technology is to kind of review and oversee new technologies that we use within our stack of services — the latest and greatest, the new shiny toys and seeing what works, what doesn’t work, and how we can make a service offering to help our customers meet their technology needs.

KA: Awesome. Well, excited to have you both here today to talk about our survey results.

Let’s talk about just quickly what we have planned on the agenda today. So we’re here to talk about our recent healthcare IT survey report, which was just released a couple of short weeks ago. Ben and Rick are going to help me break down some of the key findings and talk about some of the trends that we uncovered, as well as what those might signal for the wider healthcare vertical.

Just a little quick background on the survey itself. We surveyed 250 healthcare executives in the US. This included titles responsible for some level of technology and security decision-making, so from CEO and CTO, Chief Information Security Officer, as well as VP and directors of IT and cybersecurity. The organizations have between 50 and 500 employees, so right in the mid-market space, and we covered a wide array of healthcare sectors, including providers and practitioners, as well as life sciences companies and managed care plans.

So, I thought we could start with some of our, what I’m calling big picture takeaways that I will pull up here.

80% of healthcare organizations surveyed told us they were targeted by cyber attack in the last 12 months. One in five said a cyber incident has already impacted patient care. And more than half of these leaders we surveyed believe that a fatal patient incident caused by a cyber attack is inevitable within the next five years.

Yet, despite these concerns, we saw cybersecurity still ranks lowest on the list of IT priorities, trailing behind cost control, compliance, AI adoption, and other challenges.

So, I want to get some kind of initial thoughts on these statistics. Rick, what was your initial reaction when you saw these numbers?

RM: I mean, not totally surprised. If you follow the news cycle at all, you’re seeing some kind of healthcare compromise, ransomware attacks, something along those lines almost weekly.

Healthcare is a large target these days and they know it does impact patient care. They are systems that have to be running 24-7 so recovery ransomware is more than likely going to be paid to speed up those recoveries. They’re high value targets.

The more surprising part, or maybe not surprising, based on what we see in the news, is that the cybersecurity initiatives don’t always align with budgeting, prioritization and deployments, information technology, devices, all of that is used so much now in the healthcare space.

The internet of medical things, everybody is walking around with some kind of device on a cart or as a handheld or something, right? So patient care is highly reliant these days on information technology and the security related around those.

Making sure that we get budgets aligned with the use of those new technologies, I think needs to definitely be thought about at the top level down.

KA: Ben, you spend a lot of time with healthcare leaders helping educate them on the nuances of security and compliance.

Why do you think leaders are still underestimating the ripple effects of a data breach?

BT: I think there’s three reasons, Kaleigh, that come to mind.

One is it’s not going to happen to me, right? This belief that even though it’s happening to all their peers, it’s not going to happen to them.

Rick dubbed it the ostrich effect at one point in the prior session that we did.

I think that’s one big reason, right, is people think, oh, I have my internal IT team, I have the Greek defenses that the threat actors are going to move past, and that may be true, but a lot of times what we’re seeing is this complacency of, I’m not going to worry about it until it actually happens, right? And I think that’s kind of misguided because when the situation does happen, a lot of people think they can just recover from backups.

That’s the default approach to back up running as quickly as possible, restore from backups, and move on. And in some end markets, you can do that, right? You shouldn’t, but you can.

In healthcare, you really can’t and that’s the challenge. If your environment has been compromised, data has been exfiltrated. Now we have to bring in forensics. There’s incident response, there’s legal, there’s insurance to deal with, right?

I think what a lot of people underestimate is really the time it takes to recover from a cyber incident like this. In a small commercial setting enterprise, it could be two to three weeks.

When there is an incident, you have to go through the forensics to discover what actually happened. What did the threat actors do? What did they get access to?

That’s a big, you know, we’ll say unknown for a lot of people until you actually go through it.

Preparedness is key, so having that incident response plan ready to go when something does happen is really critical.

Testing your own defenses, which I think we’ll talk about later on as we get into the content.

I think the last thing is cost. It kind of goes back to the first point of, I’m not going to spend the money unless it happens, which again is really misguided. Spending the money up front to protect your organization from threats before it actually happens is where you should be investing your money and not after the incident happens.

KA: Ignorance is not a risk management strategy, I guess.

BT: No. Ignorance is no excuse of the law, or so the saying goes, right? It kind of goes along right here too.

KA: It does not work. That’s a good, perceptive insight there.

One of my big kind of overarching takeaways from the survey is what I’ll call the gap between perception and reality. I want to dig into some of the discrepancies we noticed within the data and get each of your thoughts and perspective on why we’re seeing some of these variances.

I mentioned earlier that cybersecurity ranked last on the list of operational challenges for IT leaders today. The perception of that being, maybe companies feel like they have a good handle on security programs and have infrastructure control and processes in place to support strong cyber hygiene. But reality is telling us a different story and one data point that stood out to me was that 55% of IT leaders said the use of on-premise or legacy infrastructure would hinder their ability to recover from a data breach. Kind of glaring in that more than half of folks are still reliant on these outdated systems.

Rick, what does that number really tell you and why do you think healthcare organizations are, you know, behind, frankly, in upgrading or migrating their technology away from these on-prem and legacy environments?

RM: There are really two verticals that this hits hard: healthcare and manufacturing. Oftentimes, the machines that they’ve invested in, we’ll say an MRI machine they got a decade ago or two ago, still runs fine and there’s nothing wrong with it. But to control that machine, it needs this Windows XP workstation that kind of runs the machine. To replace that one desktop is going to cost a quarter million and they see nothing wrong with it so why do anything, right?

It’s an exposure point and there’s vulnerabilities associated with that.

Like what Ben is saying with the ostrich effect, they’ll just ignore the problem until it becomes a problem or just accept that risk because they don’t think it makes sense financially to do something about it right now. And we see that kind of perpetuate.

Same thing with ERP systems, patient health systems, moving to electronic medical records. There was a large shift in that in the past few years with moving to cloud versions of patient record systems, but we still have the old system because we didn’t actually migrate everything. So, you still have an old system, and I’ve seen this over and over again, where there’s an old system that holds the past 20-some years of patient records in it. They didn’t want to pay the migration to the full system so they kind of still operate out of both. And there’s the misconception of, well, I’m in the new system, so I don’t have to worry about the other stuff anymore, but you still do.

Those are some of the common things that really run into play with just keeping up with the legacy systems. Some of the new HIPAA regulations specifically address those kinds of items with network segmentation and items like that to help give guidance on what to do with those.

KA: Yeah, and we’ll talk about HIPAA shortly, so we’ll kind of come back to that.

Another interesting gap that I noted, 80% of leaders said they are confident or very confident in their employees’ ability to detect and prevent AI-powered phishing and social engineering threats. But the reality is only about half of companies are using simulated phishing tests to actually train their users in real time, which we’ve certainly seen to be an incredibly effective method for educating and training users.

Rick, how important is that real-time simulation-based training when it comes to building employee resilience against threats like AI-generated phishing scams? And how do you think healthcare leaders should think about measuring the effectiveness of a program like that?

RM: The number one target in almost every organization is going to be the lowest common denominator, and that’s always going to be your end users, right?

And if you think about it in the perspective of any business, but especially in healthcare, you know, these people are trained professionals. They’re excellent at what they do, and that’s delivering services to consumers. This vertical is consuming services for saving people’s lives, providing health, mental health services, right? They’re not IT people. IT is a tool that they use. So, keeping that in mind, keep using IT as a tool to sharpen the tools that you have in the toolbox. The tool in this case is the end user.

The rise of AI and large language model data correlation makes the pretexting, gathering the initial information to make these phishing attacks super easy to do. All the data’s correlated from publicly accessible breach data, social media, your LinkedIn, all your business information from your websites, all that kind of stuff is now just a chat prompt away. Crafting a very specific e-mail to an end user is just typing a few words in and getting an output. It’s very hard to track those common things that used to be there, weird grammatical errors, spelling errors, translations in different languages.

It’s really good now. It makes it very hard to spot a phishing email these days. It also lowers the barrier because the amount of effort taken by a threat actor, they would go after high value targets where they would get the most return on their investment for their time being put into crafting these campaigns. And so they will go after larger and larger providers because the perception is they would get more money out of the campaign. If it doesn’t take as much work to do the same effort, then they are going to start targeting smaller and smaller organizations. And so again, it goes back to like Ben’s point of, we’ll just wait till something happens. They’re moving lower and lower in the size of organizations that they’re trying to target because they’re seeing the return on their investment because it’s easier for them.

KA: Makes a lot of sense. All right, let’s move on to our next perception versus reality.

66% of companies we surveyed said that cybersecurity investment is always or frequently prioritized in executive-level decision-making meetings. But the data shows that there’s still limited adoption, in some cases less than half, of critical next-gen security controls that we see and would argue are essential today. So EDR, endpoint security, data discovery, managed detection and response are kind of three I called out here, but Ben, any one of these controls or other controls, stick out for you as more concerning or more necessary than any others in the healthcare space?

BT: Yeah, so looking at this data, Kaleigh, it’s interesting because I look at EDR as something like everyone must have, right? EDR has replaced your traditional antivirus.

Every organization should have this, they should be running it, no matter if they have regulated data or not, it’s just good hygiene and from a cost perspective, they aren’t that different anymore. So why wouldn’t you invest in an EDR platform versus traditional antivirus?

But the one that really surprised me here was data discovery. When I think of data discovery, and we talk data discovery internally, right? This is the ability to quantify and identify the value of your PII or PHI inside your environment, where it’s at, who has access to it, what are the vulnerabilities around it, what are the controls around it? And 45% say that they’re doing that. That’s just kind of surprising to me because that, in my mind, is a very advanced control. So, if 45% of our surveyed population has that, why aren’t the EDR and the MDR numbers higher? It doesn’t make any sense to me.

I mean, the data is the data. And so it’s just really surprising that at that point, 45% of our respondents say they have that capability, which is great. It’s just kind of surprising. It jumps off the page.

But there’s other controls there that aren’t mentioned. I think we talked about it pretty hard on the last topic, but that’s the phishing and social engineering testing.

If you look at our report that we’ve published on page 6, and I have it here at my desk, just so it’s easier to reference, but phishing or smishing and business e-mail compromise were two of the largest reasons why organizations were breached. That has nothing to do with EDR, or you know, MDR will help in that regard, but that goes back to training your end users and that, you know, we dub it the human firewall. These people who are operating the machines have access can identify and provide a very critical level of protection against the information and the systems.

Training the end users and routinely testing them is extremely important. I think the biggest attack vector that we see is e-mail.

Having a very good email security platform, not just relying on Microsoft controls, because they are good, but front-ending it with a third-party solution that provides traditional allow list, block list, spear phishing protection, right?

All the advanced e-mail security pieces are really going to protect the organizations and protect the end users from clicking on the wrong link, going to the wrong site, or falling victim to that fake suspicious, oh, if we don’t get your password, we’re going to delete all of your e-mail type thing, right? Those types of things are what allow threat actors into the organization and putting the defenses up front are really going to protect all of our organizations.

KA: Yeah, that’s a good point. We’ve kind of covered the basic security controls but there’s also a perception versus reality gap on the compliance front as it relates to some of these security controls.

80% of organizations say they are prepared or very prepared for potential regulatory changes based on what was recently proposed under HIPAA back in January. Our survey results show some of the newly proposed controls don’t have widespread adoption yet. So how they’re very or extremely prepared is a little suspect.

Now, the latest HIPAA proposal, if enacted, would require the use of multi-factor authentication, require encryption of electronic PHI at rest and in transit, require vulnerability scanning at least every six months.

Rick, you noted network segmentation, there’s a host of other controls, but unfortunately, we haven’t yet seen complete adoption of these controls amongst all applicable organizations yet.

Ben, I’ll start with you. When it comes to preparing for evolving HIPAA standards, where do you see healthcare orgs getting stuck most often? Is it awareness, prioritization, budget we’ve talked about, or something else?

BT: Yeah, I think it’s a little bit of everything. There’s not one thing that I think is tripping people up. It’s awareness of the new HIPAA regulations. How is that going to be kind of rolled out and enforced? And, you know, the draft period is closed, now we’re just waiting to see kind of when the effective date is going to be.

I think the one thing you mentioned was the data at rest encryption. For some healthcare organizations, that can be really hard to manage when you think about it.

You’re dealing with a legacy EMR or EHR platform that can’t encrypt inside the application so now you’re relying upon data at rest encryption but also making sure your backups are encrypted when you’re transmitting. That actually sounds simple in practice, but from technical control implementation, it can be really, really complicated or really hard to achieve.

Based upon the platform that you’re right, I think you and Rick were talking about kind of the systems and kind of the on-premise. I think the reason you see a lot of on-premise environments is because the applications have not moved to the cloud or you’re still relying upon that legacy infrastructure to run those applications. And that is going to kind of sometimes be a boat anchor and slow organizations down from adopting these new HIPAA regulations. It’s going to require creativity. It’s going to be kind of some out-of-box thinking and using more IT-related controls maybe than application-based controls.

I think the other piece where people get stuck is the balance of, well, I have my internal IT staff and they can do it all, right? And I don’t need an MSSP because I have my internal IT.

We will talk about the pros and cons in a bit, but I feel like sometimes executive leaders are putting too much responsibility on their internal IT teams. They’re overburdened and say, well, I have internal, they can do vulnerability scans.

Well, sure, you can buy the software or run the tool, but that doesn’t mean you necessarily know how to interpret the output, know how to prioritize, and know how to handle the remediation.

That’s going to be a big change is doing the vulnerability assessments for a lot of organizations. Doing it every six months is fine, but it’s what you do with the data afterwards and just writing the report and filing it away isn’t good enough now. You actually have to respond to the data in that report and close those security gaps and do it again every six months. I can tell you from our own experience that is very laborious. It could be a full-time person or multiple full-time people for several organizations. If you don’t have the skill set, it means you’re going to require more people and you’re going to do it inefficiently.

I’m probably getting into the topic that we’re going to talk about is why organizations should partner with an MSSP, so I’ll hold those thoughts for that section when we get to it. But I think it comes back to kind of that balance and the reality of the effectiveness of what you’re doing today compared to doing it somewhere else.

KA: Yeah, really good point. All right, well, we definitely will come back to your notes on MSSP support.

We asked IT leaders how they were managing the processes. Are they doing it manually? Are they working with a third party? Do they have a managed compliance tool or platform?

It looks like about 46% of companies are using a managed compliance platform to perform their HIPAA assessments.

Rick, you’ve worked directly with our customers as their virtual CISO, aiding them in the compliance process, using a managed compliance tool. What do you see as the biggest enablers there and why should a healthcare company who’s currently managing all those assessments manually, consider moving to a platform or a tool like that?

RM: Yeah, I mean, traditionally, if you’re not using some kind of platform, you’re kind of all over the place. Typically, we’ll see three or four spreadsheets getting passed around. Hopefully, that sits on some kind of shared backend where people can update it, but then you have this spreadsheet was updated by this person, and they missed the updates on this one, and my risk register is over here, and so it becomes this very fractured kind of landscape on keeping everything managed and under control. Having one place to put everything, having my risk register, having all of my policies and procedures in one place, being able to track my deficiencies, keep everything updated, have it send reminders. And some of the greater parts of that are automated evidence capture for those kinds of controls so when you’re doing the assessment, you can keep it updated. It’s much easier to manage on an ongoing basis, having an actual tool designed to do this versus manually doing it kind of in all these different systems. Adding that tracking mechanism into place and reminders is great.

Moving I’ll say more towards a continuous compliance model for managing your security program versus the dreaded once a year carve out two or three days just to sit down and knock this out and update everything. Makes it a little bit more manageable being able to revisit this on a quarterly basis and chunk things up across the board. You’re spending less time out of your schedule on a more frequent basis.

KA: You can coordinate directly with your vendors and your third parties, right?

RM: Absolutely. I mean, the trickle-down effect, especially with like business associates, the onus is on you as covered entity to make sure that your other vendors that you’re working with as business associates are meeting the standards as well. It comes back to you.

Vendor management is a big piece and I harp on it a lot, but you’re outsourcing your medical record system to a third party, but obviously you should have a business associate agreement, but did something change on their end? When was the last time you asked them for a new business associate agreement update on their security controls or a SOC 2 report updated yearly? Those kinds of things become very laborious and maybe somebody’s tracking that in another spreadsheet or a database if you’re a larger entity, right? Just compiling those things into one place is very handy for whoever the fantastic person is in your organization who’s managing your compliance.

KA: That’s right.

Ben, what would you say to a healthcare IT leader or team that feels like a compliance platform is nice to have, but not critical?

BT: Yeah, I would say, Kaleigh, that thinking is outdated, wrong. I would also say you’re going to see a shift where IT historically did everything and compliance was in there. You’re going to start to see compliance in healthcare in many different markets break out into its own department. Compliance will be telling IT what to do. Don’t want to hear that, but that’s the reality of where this is going. You’re only seeing regulations increase. It doesn’t matter if it’s healthcare, financial services, even MSPs, we’re going to see regulations come down on MSPs probably in the coming years.

There’s going to have to be some team who is responsible to manage the clients or adhering to that framework. It shouldn’t live necessarily in IT is kind of my thinking.

And I agree with Rick, the old way of managing this through Excel spreadsheets, yeah, it worked. I remember when we did our first SOC 2, you know, type 1 and then the type 2 audits. We were banging around Excel spreadsheets and controls and then the responses and then links to network drives on evidence. It took forever to get through that thing. We moved several years ago to a company that used a compliance tool to do all this and it was great. I mean, we went from probably six weeks working through the audit down to less than two.

But I also think about the new HIPAA rules that are coming down and this concept that you could be audited at any time, meaning if you’re a medical practice that, you know, you can be called upon to go through basically a spot HIPAA audit right then and there. They could be standing in your lobby saying, I need to assess your systems, show me your records, and if you’re fumbling through spreadsheets or having to find this person who knows this versus a compliance platform where you can sit the person down in a conference room, bring it up, and show all the things that you are doing to meet these controls. It’s going to give those auditors a lot better feeling than someone fumbling through Excel spreadsheets or getting the IT guy to give you a screenshot of Active Directory versus here it all is at your fingertips.

RM: When the auditors see you’re prepared, they ask fewer questions.

BT: Yeah.

KA: I want to come back then to your notes on MSSPs and how we’re helping to alleviate some of these gaps and discrepancies. We actually saw some variances within our data in terms of companies who are managing all of their security compliance in-house versus those who are working with MSSPs. A few data points noted where MSSP-aligned organizations actually outperformed their peers faster at detecting threats. So to your point where sometimes it takes two, three, four weeks, companies using MSSPs are able to do that a little bit faster according to our data. They run more frequent vulnerability assessments. There’s higher adoption of some of those proposed HIPAA controls like MFA, data encryption, et cetera. And there’s greater use of managed compliance platforms.

Ben, without tooting our horn too much, can you talk a little bit more broadly about the advantages of working with a managed security partner and why for healthcare in particular, that type of partnership can help close some of these critical security gaps?

BT: I’ll try Kaleigh. It’s really hard not to talk about how great we are, but I’ll break it down into three categories: expertise, tech stack, and bandwidth.

Expertise is pretty simple. We work with a lot of healthcare companies so we have a lot of exposure to what companies are doing, kind of the pitfalls, how they address certain business challenges. You gain access to that insight and advice and guidance partnering with an MSSP.

Tech stack, you know, I think Rick has built one of the most diverse, broadest and the deepest tech stack, when you look at all the things that have to be done from a technology perspective. Everything that a customer needs to meet the new HIPAA regulations from a technology perspective, we have it. And we have it packaged up in products that are easy to consume, and easy to deploy so that you can focus on patient care and let us focus on handling the technology aspect.

Last thing is bandwidth. Your one, two, three-person IT team is great. I think there’s a lot of organizations that struggle, how do I navigate my internal team versus partnering with an MSSP?

There’s going to be overlap and people aren’t going to want to give up control. We have seen and we’ve navigated all of those situations so we’re here to help.

What we’ve seen to be very successful is allowing a company like Omega to take more of the cyber and back office functions in place. And focusing, again, the teams, if you have internal IT team, focusing on application or in clinic or anything like that requires hands-on.

That’s been a great balance. We’ve navigated and executed that strategy several times and have a lot of great success stories.

But the bigger thing when we talk about bandwidth is you aren’t hiring just one person. You aren’t hiring Ben or Rick. You’re hiring a team of 100 professionals that are here to help you, right? So when you talk about kind of closing the gaps here on this slide, Kaleigh, makes a lot of sense is partnering with MSSP to handle your vulnerability management.

We have a dozen people focused on security. That’s what they do for you and all of our other clients. So, we’re able to do it a lot more efficiently and become more effective in delivering those solutions versus someone trying to do it themselves.

When you think about it, if you staff your own service desk, your network team, your server team, your security team, your compliance team, you may have to hire a team of five, six, 10 people to deliver that. Which the cost doesn’t really, it just doesn’t make sense for a lot of organizations if they don’t have those teams today. And then building it to meet the new regulations, this is where partnering with someone who is very well versed in this end market, has the skills, has the technology, and has the team to deliver, makes a lot of sense.

KA: It sure does.

All right, I’m going to throw a few key takeaways up on the screen. We actually received a couple of questions in advance that I want to throw out to you guys and get some initial thoughts.

One question is, if we all assume a breach is inevitable at some point, then response is the critical process. What are the biggest obstacles to faster detection and response, and how can they be addressed?

Rick, I’ll put you on the spot.

RM: The best way to respond is to be prepared. As Ben mentioned, having an incident response plan in place, having it up to date and current, and people know what to do when an incident occurs, and then having the tools already in place. A lot of times we kind of roll into an incident — someone calls us, the world’s burning down and they don’t have the tool stack in place already. And so, forensics become more difficult because we’re having to go back and backtrack instead of having the data available and logged and being able to go back. Sometimes, these incidents occurred months ago and the threat actors already exfiltrated all the data. It takes time before you can start the recovery process, like Ben is saying.

Being prepared ahead of time, having your plans in place and having your tools in place so that efficient and fast forensics can occur makes the response way faster.

KA: Ben, to your point, bandwidth and hiring internally, I will toot our horn for a second, having access to a 24×7 SOC team without building that function internally is obviously going to be a huge asset to someone who ultimately does experience an incident.

BT: Absolutely.

KA: Question here on incident response.

For healthcare orgs that don’t have a documented or tested incident response plan, what should their first step be?

BT: Build one, but then also test it. We’ve done tabletop exercises with customers. You don’t actually have to like have a real incident.

If you don’t have an incident response plan, we can help you build one. And even if that’s the first step, take aside to the full MSSP support and all the different great things we do, we can be here to help just building the incident response plan and running you through a tabletop exercise. Because that training, and that’s what it is, that’s training. You’re training your team on how to respond to an incident based upon the policy that you’ve written or the policy or procedure. And that for a lot of organizations, it shows the gaps and it shows them right away. We’ve done this with customers and it’s kind of like eye-opening as big as an organization is and how strong you think they are from a policy and procedure or even just IT control perspective. That thing happens that they weren’t prepared for and seeing how the team responds to it is really just eye-opening to the team and the leadership.

So, build a plan and test it regularly is my advice.

KA: One last question here. I’ve never used an MSSP before. What should I look for in a partner?

BT: Look for someone who has experience in the industry, right, in the end market, healthcare in particular, right, since we’re talking about it. Also look for someone who knows the regulations, knows what your business has to implement from a technology, info sec, compliance.

I can’t tell you the number of customers that we’ve taken from other MSPs who don’t know the customer’s end market, and there are just wide gaps in info sec controls that are really required from a regulation that they just didn’t have and they didn’t know about. So, we’re kind of doing this awareness and education with the customer as we’re talking to them and really shedding light on some of the gaps that they need.

And again, it’s the simple things, security awareness training, advanced email security, MFA. Those are a lot of things that a lot of people maybe overlook, or a lot of, you know, MSPs say you don’t need it, it’s a hindrance, because it’s going to require more time for them to support. In reality, you’re actually creating a huge exposure for those customers.

I think talking with someone who knows this market, knows what regulations are in place today, but also are coming down the road and how to be prepared. This is not always a technology discussion, right? This is a business consulting discussion. This is guidance and we are helping businesses become more secure. We just do it through the guidance of technology.

KA: It’s a good note to leave us on, but I will offer the opportunity if there are any other takeaways you guys want to highlight for our audience today, any other data points or best practices you want to share.

RM: I always like to recommend the IT guys that never get the budget to make any of these changes, to make a friend in the C-suite, find a champion or try to get present in the board meetings, in the C-level meetings.

We see almost across the stack in almost all markets that are being regulated that that’s becoming required in some of those regulations where, you know, board presence from the IT departments is now becoming required.

And, having a champion, the IT guy, and I was just talking about this at a different conference, like tell the IT guy to get up and walk around, like go talk to somebody, don’t be a shoulder surfer, but get out there, go talk to the higher ups. Make a friend and get your point across to them so that the IT’s perspective can be represented properly to try to get the funding, make it apparent why the technology is needed, get the new HIPAA regulations out in front so you can be prepared instead of waiting around, you know, for causality.

Don’t react to it. Try to be proactive. And so try to get those points made.

My advice always when I’m talking to IT professionals is just go make a friend on the board or the C-suite. That’s going to go a lot longer and a lot farther for you to get the initiatives put in place that you’re asking for instead of just being a number on a budget line somewhere that’s being checked off, right?

KA: Yeah. Good advice. Ben, any last thoughts you have already covered?

BT: Yeah. If you’re in healthcare, take a look at the new HIPAA proposed rules, because we say it’s not a matter of if, but when, and that’s how I think we’re viewing these new rules is you have time, so use that to your advantage.

A lot of these new rules are going to require budget so use the time now to prepare.

To Rick’s point, start talking to your executive and C-suite and board members about your current state and where you need to go or where you need to be once the new rule goes into effect. Because I can tell you, I think a lot of organizations kind of looked at HIPAA and like, oh yeah, it’s not that big.

I’m not going to be worried about it that much. This new rule totally changes that. There’s fines, there’s penalties, immediate, right? You don’t have to wait for a data breach. They could show up at your door and do an audit and determine that, oh, you’re missing these gaps, these controls, immediate fines. I think that this is something that’s going to be enforced a lot stricter than what it was in the past. I would urge organizations who haven’t prepared to take the time now to do your own gap analysis and figure out kind of what you need to shore up before the new rule goes into effect.

KA: Good, great advice.

Okay, I want to thank you both for your time today, breaking down these survey results with me.

For our live listeners, keep an eye out tomorrow afternoon for a link to this webinar recording, as well as a copy of our 2025 Healthcare IT Landscape Report if you haven’t read it yet. It includes all of the findings we discussed today and many more insights on healthcare security and compliance readiness.

Ben and Rick, thanks again for your IT perspectives. We hope to see everyone again soon. Bye all.

BT: Thank you.

RM: Bye.
