It’s hard not to agree with Sean’s takeaway: when your data is being hosted elsewhere, a lax security profile can have a serious effect on your business, one you can’t do anything about.
“Organizations using full-service IT-managed service providers, such as Magnolia Pediatrics, are particularly at risk because the security of all of their systems is dependent on that of the MSP. As was the case in Texas, this meant that all their data was put at risk. In Magnolia’s case, all patient data was encrypted, but it could just as easily have been stolen by attackers—and since that data includes personal identifying data for children, it could have significant long-term consequences. A clinic spokesperson said that “out of an abundance of caution,” Magnolia advised patients’ families to monitor credit card statements and credit bureau reports.
These issues are why having a conversation (and a contract) with a service provider that includes security is so important.”
I’d add that it shouldn’t be just any conversation: a detailed deep dive into the security, response plans, and independent validation through ISO certifications, etc., should probably be part of that as well. You don’t want to find out later that a company was being careless.