Three Critical Considerations for MSPs with Healthcare Clients

Three Critical Considerations for MSPs with Healthcare Clients

November 20

When you’re talking about data that contains social security numbers, birth dates, and some of the most sensitive information a person has, it stands to reason that there should be special considerations for how to secure and transmit it, which is why there are compliance standards like the Health Insurance Portability and Accessibility Act (HIPAA) and Sarbanes-Oxley. These are compliance standards that healthcare and financial practices are required to meet, lest they pay hefty fines.

But it’s not all scary. IT providers who know the ins and outs of compliance can find revenue opportunities in servicing clients with these specific needs.

Xamin is a great example. They’re a Chicago-based IT provider specializing in everything from managed IT services to project services, consulting, and strategic services. Two major areas of focus for them are medical and financial practices. As Pete Smothers, director of sales engineering at Xamin says:

“These two markets are very heavily regulated and audited, both private and public entities. They require a specific set of skills and implementation strategies to make sure data is protected and that mobility is secured. There are a lot of pieces with hardware and software—not only for implementing it, configuring it, and supporting it, but also guiding those customers along the compliance road so they understand the various barriers they face.”

Pete explains that clients typically know they have barriers but they often look to their service providers for answers on how to mitigate the risks of non-compliance,

“Since a lot of these clients have regulatory and compliance requirements, it’s not us telling them they need it—they know that. It’s usually them coming to us and asking, ‘what’s the best solution for the dollar? What will help us have everything together when the auditors come around?’ It’s our job to build a solution around those needs.”

Non-compliance isn’t something any institution wants to deal with, especially when fines can cost up to $50,000 per lost record. An IT provider can certainly help, but there are two aspects in particular that can be difficult for IT providers handling these clients: uptime and security.

Ensuring uptime and security is a matter of making sure recovery objectives are met, that backups are encrypted and secure, and that they are recoverable, which involves testing. Let’s dig into each point further.

Recovery Objectives

Recovery point objectives (RPO) and recovery time objectives (RTO) are two metrics used in disaster recovery. RPO refers to how much data a company can stand to lose if there’s a failure, and RTO refers to how much time a business can be without a particular system. Many medical practices can’t be down for any amount of time, and many financial institutions might not be able to recreate data they lose. Good IT providers are careful to make sure clients have the right objectives and work hard to make sure they’re met. For more information on these objectives, see What is RPO? and What is RTO?.


Compliance, whether it’s HIPAA in the medical industry or Sarbanes-Oxley in the financial industry, involves making sure medical and financial records are secure whether they’re onsite or offsite. This makes encryption essential. Xamin uses encryption for backups across the board. “We use AES 128-bit encryption. That’s standard across all companies—we require encryption for all backups from all clients,” says Pete. (Note that backups made using StorageCraft ShadowProtect can also be encrypted with AES 256-bit encryption for even more security).


Encryption keeps information secure, but companies usually aren’t compliant without proper annual testing. For this, Xamin often takes client backups to a third party that specializes in testing for HIPAA. As Jeff Kuehn, manager of systems engineering for Xamin, says,

“Most of our clients have a contract with a third party that provides the environment for testing. We take the backups there on physical media and then we do restores of servers and test functionality at the third-party facility.”

It’s also noteworthy that some backups and recovery solutions, such as ShadowProtect, make it simple to test backups by either mounting them as a NTFS drive letter, or in the case of ShadowProtect, using VirtualBoot, which allows quick virtualization of backup images. Whatever the case, it’s essential to test backups for validity—whether you’ve got compliance requirements or not.


Compliance isn’t the trickiest thing in the world, but it is nuanced. Be sure to keep on top of the latest regulatory requirements for both HIPAA and Sarbanes-Oxley so you understand how they will affect your business and any you work with.

If you’re curious about HIPAA specifically, check out:

–          One Guy’s Opinion: MSPs and HIPAA Compliance

–          Stupid Things Doctors Say about HIPAA

Want to know more about Xamin? Check out our recent case study with Xamin and Western Digital.

Photo credit: Tyler via Flickr