Webinar: From phishing to fallout — Why MSPs must rethink both security and recovery
Threat Overview
Phishing remains the dominant attack vector in healthcare cybersecurity, responsible for over 70% of successful breaches according to recent FBI data. For managed service providers (MSPs) serving healthcare practices, this creates a cascading risk — a single compromised MSP credential can expose dozens of client practices to ransomware, data theft, and HIPAA violations. The webinar addresses a critical gap: most practices focus exclusively on prevention while lacking functional recovery capabilities when phishing attacks succeed. This dual-strategy approach — combining security hardening with verified recovery protocols — is now considered baseline competency by OCR enforcement teams evaluating breach response adequacy.
Attack Vector & Tactics
Modern phishing campaigns targeting healthcare exploit credential harvesting through convincing impersonation of EHR vendors, insurance portals, and telehealth platforms. Attackers use stolen MSP access to:
- Deploy ransomware across multiple client networks simultaneously
- Exfiltrate ePHI before encryption to enable double-extortion
- Persist undetected for weeks using legitimate remote access tools
- Compromise backup systems to prevent recovery without ransom payment
The MSP supply chain amplifies risk because healthcare practices often grant broad administrative access without continuous monitoring or vendor risk assessment. A single phishing-compromised MSP technician can bypass practice security controls entirely.
Defense Measures
Effective defense requires security-plus-recovery architecture:
- Email authentication: Implement DMARC, SPF, and DKIM to block domain spoofing
- MFA everywhere: Require phishing-resistant multifactor authentication for all MSP remote access
- Vendor BAA enforcement: Verify MSP Business Associate Agreements include security commitments and breach notification timelines
- Immutable backups: Maintain offline, air-gapped backups tested monthly for restoration speed
- Access logging: Deploy session-level audit trails to detect anomalous MSP activity
- Incident response drills: Run tabletop exercises simulating MSP compromise scenarios
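As an added illustration of the email-authentication item above (not material from the webinar or from Patient Protect), the following Python checks SPF and DMARC TXT records offline and reports the settings that still let a spoofed domain through, showing a weak record pair beside a hardened one. The domains and record strings are constructed placeholders; in practice the records would be fetched via DNS.

```python
def parse_spf(txt):
    """Return (terms, qualifier of the 'all' mechanism) or (None, None) if not SPF."""
    if not txt.startswith("v=spf1"):
        return None, None
    terms, qualifier = txt.split()[1:], None
    for t in terms:
        if t.lstrip("+-~?") == "all":           # '+all', '-all', '~all', '?all' or bare 'all'
            qualifier = t[0] if t[0] in "+-~?" else "+"
    return terms, qualifier

def parse_dmarc(txt):
    """Return DMARC tags as a dict ({'v': 'DMARC1', 'p': 'none', ...}) or None."""
    if not txt.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def assess(spf_txt, dmarc_txt):
    """Return a list of weaknesses; an empty list means spoofed mail is rejected."""
    findings = []
    terms, q = parse_spf(spf_txt)
    if terms is None:
        findings.append("no SPF record")
    elif q is None or q == "?":
        findings.append("SPF gives unmatched senders a neutral result, not a fail")
    elif q == "+":
        findings.append("SPF +all: every sender passes")
    tags = parse_dmarc(dmarc_txt)
    if tags is None:
        findings.append("no DMARC record")
    else:
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports to review")
    return findings

# Constructed sample records (placeholder domains): a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example-ehr.invalid +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example-ehr.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-practice.invalid"

if __name__ == "__main__":
    for label, s, d in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(s, d) or ["ok"])
```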
What This Means for Your Practice
If your practice relies on an MSP for IT support, your exposure depends on the MSP's security posture as well as your own. OCR holds practices accountable for vendor breaches under the HIPAA Omnibus Rule — "vendor chose weak passwords" is not a valid defense. You must:
- Demand evidence your MSP uses MFA and endpoint detection
- Verify your MSP agreement includes guaranteed recovery time objectives (RTOs)
- Maintain independent access to your own ePHI backups
- Document vendor risk assessments annually as OCR requires
Practices without recovery plans face average downtime of 21 days after ransomware attacks, often resulting in permanent closure.
How Patient Protect Helps
Patient Protect's Vendor Risk Scanner automates MSP oversight by tracking BAA compliance, security attestations, and breach history in real time — eliminating manual vendor management spreadsheets. The Autonomous Compliance Engine generates post-incident response tasks automatically when Security Alerts detect anomalous access patterns, ensuring your practice follows OCR-compliant breach protocols.
For practices evaluating MSP security claims, ePHI Audit Logging provides immutable per-session access records with tamper-proof timestamps — critical evidence when investigating suspicious vendor activity. The Breach Simulator models MSP compromise scenarios against your actual controls, showing exactly which data would be exposed and how quickly.
Unlike competitors charging $259-$2,000/month for static documentation, Patient Protect combines real-time threat monitoring with Zero Trust architecture and AES-256-CBC encryption at $39-$99/month with no contracts. Start a free trial at hipaa-port.com or check your risk at patient-protect.com/risk-assessment.
AI-generated analysis · Verify with original source
