Solution provider Lumen21 said this week it will give away for free its expert compliance manuals, which painstakingly lay out procedures for setting up and managing IT environments that adhere to strict government healthcare and financial services regulations.

Each compliance manual, known colloquially at Lumen21 as “the recipe,” can be downloaded from the firm’s website, giving MSPs with the technical wherewithal a step-by-step guide to building a compliance practice.

“We say, if you want to take the time and you have the ability, I’m going to give you the information you need,” said Eduardo Don, president and CEO of Lumen21.

“It’s kind of like your instruction manual, and I’ll give that to you free,” he continued. “If, after you look at the manual, you say ‘I still don’t get it,’ I’ll do it for you.”

Of course, that latter option comes with a price.

The manuals are the product of significant compliance expertise and long hours of development. Still, Lumen21 is wagering that widely distributing the recipes among MSPs will pay dividends beyond the value of the intellectual property.

Don cited the analogy of Linux and Red Hat in enabling open source communities.

“You can go to open source and get a free copy of Linux,” he said. “Or you can go to RedHat, with the same Linux, but they’ve done things to it to make it easier for you to consume it.”

The risks of poor cybersecurity compliance have been particularly visible in the healthcare space recently.

This year, several healthcare organizations and/or the IT contractors they hired agreed to pay a combined $23.5 million to settle more than a dozen cases alleging violations of the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).

That’s up from just $6.2 million in HIPAA breach penalties won by the Department of Health and Human Services’ Office of Civil Rights (OCR) in all of 2015.

The OCR investigations were typically preceded by a security breach that compromised the electronic protected health information (ePHI) of millions of individuals, in some cases.

On at least two occasions, laptops containing unencrypted medical information were left unsecured and then stolen – one from a healthcare facility and another from a parked vehicle.

In several cases, the accused parties failed to properly engage IT contractors, or conduct the extensive and comprehensive cybersecurity risk assessments required under the rule.

One probe was launched after technicians installed a new server and failed to change a default setting, causing the ePHI of more than 31,000 patients to be publicly accessible over the Internet for an entire year.

The staggering liability – only recently extended to “business associates,” like third-party solution providers – is dissuading some MSPs from jumping into the booming vertical, Lumen21’s Don said.

“Not everybody understands enough or is set up to handle these issues around security and compliance,” he said.

Take the example of Office 365, one of many powerful, cloud-based products that must be customized for the healthcare space.

“The vendor is not making it (specifically) for healthcare,” Don explained. “There’s a bunch of things that have to be done in order to take that cloud environment or the Office 365 environment, and make it as secure and compliant as it’s going to need to be under HIPAA, or for financial services companies that are regulated by NIST and GBLA.”

Lumen21 is among several players in Compliance-as-a-Service (CaaS), which enables MSPs to market a branded service that manages everything from cybersecurity risk assessments to periodic staff training.

“You can come get my version…and you can sell that to your customers, ready-made and white label,” Don said.

The HIPAA compliance and cloud security manuals are available for free download immediately at the Lumen21 website. A PCI manual will follow shortly.

MSPs seeking to purchase the full (CaaS) service, should contact Nancy Wilson, the company’s vice-president of security and compliance, at [email protected].

Send tips and news to [email protected].