Ask a practice administrator what they spend on technology and you will usually get one of two answers. Either a number pulled from the MSP invoice – the monthly managed services fee that gets auto-paid and mostly ignored – or a shrug followed by “it’s in the budget somewhere.” Both answers mean the same thing: nobody actually knows.

That is not unusual. Most independent specialty practices have never done a complete accounting of what technology costs them. MSP, software, hardware, emergency hours, breach response – scattered across line items, credit cards, and catch-alls. Some of it – printing, phones, circuits – is not even in a technology budget at all; it is lumped in with rent or office expenses. Add it up and the actual number is almost always higher than what anyone expected. More importantly, it is almost always structured in a way that makes it impossible to manage.

The Problem With “Last Year Plus a Percentage”

Most practice technology budgets are built the same way: take what was spent last year, add a percentage for inflation or anticipated growth, and call it done. Nobody questions the baseline. Nobody asks whether last year’s spending was rational. The number just carries forward, year after year, accumulating history without accumulating logic.

This approach has a few predictable consequences.

You overspend on things you have forgotten you are paying for. Licenses for software nobody uses anymore. Support contracts on hardware that has been replaced. Vendors and products that made sense three years ago and have not been re-evaluated since. These items rarely surface on their own. They persist because the invoice keeps coming and nobody is looking closely enough to notice.

You underspend on things that actually matter. Security tools. Backup and recovery infrastructure that would actually hold up under a real incident. These are not dramatic “crowd-pleasing” items. They are boring. They are easy to defer. And they are the ones that, when they fail, cost more to remediate than they would have cost to maintain properly.

And you have no framework for making decisions when something new comes up. Should you invest in a new platform? Replace aging hardware? Add a security layer? Without a clear picture of what you are already spending and why, every new request gets evaluated in a vacuum, as a one-off. You are not making strategic technology decisions. You are making individual purchasing decisions, one at a time, without a strategy connecting them.

What a Real Technology Budget Actually Requires

Building a technology budget that means something starts with an inventory – not a spreadsheet of line items, but a genuine accounting of everything touching your technology environment. That means every vendor contract, every software license, every hardware asset and its age, every support agreement, and every one-off project that has landed in the last two or three years. It means understanding what you own versus what you lease versus what you are subscribing to month-to-month, sometimes without even realizing it. It means knowing which contracts auto-renew, when they renew, and what the cancellation windows look like.

Most practices that go through this exercise for the first time find two things. First, there are items on the list that nobody recognized until they looked. Second, there are gaps – things the practice needs and does not have, or has in an inadequate form, that have been easy to defer because there was no formal process for surfacing them.

The inventory is not the budget. It is the foundation the budget is built on. Without it, you are estimating. With it, you are planning.

The Costs That Never Make It Into the Budget

The most dangerous technology costs are the ones nobody budgets for because they feel unpredictable. They are not. They are entirely predictable in aggregate, even if the specific timing is uncertain.

Hardware fails. Every piece of equipment in your practice has a lifespan. A planned hardware refresh cycle – one that replaces aging equipment before it fails, on a schedule you control – costs significantly less than emergency replacement after an unplanned failure. The difference is not just the cost of the hardware. It is the downtime, the data recovery effort, the staff disruption, and the clinical impact of a system that goes down at the wrong moment.

Breaches happen. The average cost of a healthcare data breach has climbed consistently for a decade. Most practices carry some cyber insurance, but insurance does not cover the full cost – the forensic investigation, the remediation work, the regulatory response, the patient notification, the reputational damage. A practice that has invested in security infrastructure has lower exposure. A practice that has deferred those investments has higher exposure and a less defensible position if a breach occurs.

None of these are surprises. They are certainties on an uncertain schedule. A technology budget that does not account for them is not a budget. It is a best-case scenario.

What Good Looks Like

A technology budget that actually works looks different from what most practices have. It is reviewed at least annually against actual spend and actual needs – not to rubber-stamp last year’s number, but to ask whether the allocation is still right. Are there vendors that should be renegotiated or replaced? Are there investments that have been deferred long enough that they are now overdue? Are there new risks that have emerged that the budget does not reflect?

And it is connected to a technology roadmap – a forward-looking view of where the practice is going and what technology investments will be required to get there. Not a wish list. A plan, with timing and cost estimates and a rationale for prioritization. That roadmap, built on a clear architectural picture of what you have and what you need, is also where real cost reduction happens – consolidating redundant tools, renegotiating from a position of knowledge, and replacing reactive spending with planned investment.

Most independent specialty practices do not have this. They have a number.
What Happens to Your Technology When Your Practice Grows?
You signed the lease. Or the letter of intent. Or you closed the acquisition. Maybe you just added a surgeon. Or an imaging center. Or a new service line. Either way, your practice just got bigger. Everyone celebrates. Leadership talks about capacity and market share. Marketing sends a press release.

And then, about sixty days before go-live, someone asks the question nobody thought to ask earlier: what are we doing about the technology for this new endeavor?

That question – usually asked late, answered fast, and executed under deadline pressure – is where most physician groups create technical debt they may spend years paying off.

The Bolt-On Problem

The most common approach to practice growth is also the most expensive one: bolt it on. Take whatever infrastructure exists, connect it to what you already have, patch the gaps as they appear, and get clinical operations running as fast as possible.

It works, in the narrowest possible sense. Staff can log in. The EMR is accessible. Patients are seen. What it creates underneath is usually a bigger patchwork quilt. Different hardware and network configurations. Undocumented workarounds that someone put in place three years ago and nobody fully understands anymore. Different security postures.

And here is what most finance teams do not see: adding a new location, a new service line, an ASC, an imaging center, or even a new provider is not just a cabling and workstation exercise. Every one of those changes touches the technology environment. A new surgeon means new device integrations, new credentialing workflows, new EMR builds. A new service line may require entirely different imaging or diagnostic systems that need to talk to your existing infrastructure. An acquisition brings a full legacy environment – vendor contracts, potentially aging hardware, and a security posture that usually hasn’t been formally assessed – directly onto your network.

The people making growth decisions often think of technology as the last item on the checklist. The people responsible for that technology know it usually needs to be the earliest one.

What an Acquired Practice Brings With It

When you acquire a group, you are not just acquiring their providers and their patient panel. You are acquiring their vendor relationships, their legacy contracts, their hardware at whatever age it happens to be, and their security posture, for better – or for significantly worse.

A practice that has been operating independently for fifteen years without a formal IT strategy has almost certainly accumulated real risk. Unpatched systems. Credentials that have never been rotated. Shared logins. HIPAA obligations that were technically acknowledged and operationally ignored. When you bring that practice into your organization, you inherit every one of those risks. The breach that was their problem before the acquisition is now your problem afterwards.

The acquiring group that completes careful clinical and financial due diligence but treats technology as a checklist item learns this the hard way – usually a few months after close, when a security incident traces back to infrastructure that was already compromised before the ink dried.

The Timeline Problem

Here is how the timeline usually goes: leadership picks an opening date. That date gets communicated to staff, to patients, to the market. Nobody asked the technology team whether that date is achievable.

Technology deployments take real time: procuring hardware, configuring infrastructure, establishing network connectivity, provisioning access, testing integrations with the EMR and practice management system, and training staff. That work cannot be compressed past a certain point without cutting corners, and the corners that get cut at go-live become the problems that surface six months later at the worst possible time.

The practices that handle growth well start the technology conversation the moment something new is seriously in play – not after the LOI, not after closing, and certainly not after the opening date is already on a press release. At the point where leadership says “we are pursuing this,” the technology team needs to be in the room.

What Getting It Right Looks Like

A well-executed technology deployment is not complicated. It is disciplined.

It starts with an honest assessment: what is there, what condition it is in, what needs to be replaced, and what risks need to be addressed before anything connects to your network. That assessment drives a realistic timeline – not a number pulled from the last project, but one specific to this new endeavor.

It builds toward a defined standard. Wherever possible, every location, every service line, every new piece of the organization should run compatible hardware configurations, network architectures, security stacks, and backup configurations. Variations should be documented exceptions, not undocumented drift. The environments do not need to be identical, but they do need to be similar.

Every addition made under deadline pressure without a standard creates technical debt. That debt compounds. The bolt-on that worked well enough for the second location is harder to maintain by the fifth. The security gap deferred at acquisition grows every year.

Growth is worth protecting. The infrastructure that supports it should be treated accordingly.

HealthSpaces is a co-sourced technology partner built exclusively for independent specialty physician groups. We work with growing practices to build technology standards that scale with them — not against them. Connect with our team to learn how we approach multi-site technology strategy.
Is Your Practice Recording Meetings? Here’s What You Need to Have in Place First
AI is moving fast, and it’s already inside your practice whether you’ve formally addressed it or not. That AI notetaker that joined your last staff meeting? The bot your vendor uses to transcribe calls? The “free” add-on someone downloaded to summarize emails? All of it touches your data, your patients, and your liability.

Recording meetings has become second nature. With hybrid work and virtual appointments now a permanent part of how medical practices operate, it’s easier than ever to hit “record” and move on. But in healthcare, that convenience comes with real responsibility, and most practices haven’t formalized the rules around it. If your practice doesn’t have a clear policy governing how recordings and these AI tools are used, you’re not just behind the curve, you’re exposed.

Not Every Meeting Should Be Recorded

The first thing a recording policy needs to establish is where the line is. Not all meetings are appropriate to record, and treating every meeting the same way creates unnecessary risk. Internal training sessions and routine staff meetings are generally fair game. But meetings involving patient information, confidential employee matters, or regulatory discussions are a different story. Recording those conversations, even unintentionally, can put you in violation of HIPAA and state privacy laws before anyone realizes what happened.

Your policy should name the categories clearly so staff aren’t left guessing. Managers and staff should understand the guardrails you have established for the practice.

Consent Isn’t Optional

Before any recording starts, everyone in the room or on the call needs to know it’s being recorded. That means being told upfront – not buried in a calendar invite – that the meeting will be recorded, why it’s being recorded, and how that recording will be used. This isn’t just a best practice. Many states have consent laws that require all-party notification before a recording can legally be made. In a healthcare setting, the bar is even higher given the sensitivity of what gets discussed.

Make it a standard part of how meetings are opened: state that recording is happening, confirm there are no objections, and proceed. Simple, but it needs to be consistent.

Use One Approved Tool and Only That Tool

One of the easiest ways recording policies break down is tool sprawl. Someone uses the built-in Zoom recorder. Someone else uses a third-party transcription app. A vendor joins the call with their own bot running in the background. Each of those scenarios introduces a different set of unknowns: Where is that recording stored? Who has access? Does it meet HIPAA and other privacy standards?

Your IT or compliance team should designate a single approved recording tool and require that everything goes through it. Unapproved tools, especially free add-ons or browser extensions, may be routing recordings to third-party sites with no guarantees around data security or retention. Standardizing on one tool also makes training easier and keeps your audit trail clean.

Know Where Recordings Go and When They’re Deleted

Recordings don’t just disappear after a meeting ends. They live somewhere, and that somewhere matters. All recordings should be stored in an approved environment that meets HIPAA and applicable state privacy standards. Access should be limited to those who actually need it.

On retention, recordings should be automatically deleted or formally archived per your data retention policy. Staff should know this timeline so they can export or reference anything they need before it’s gone. Unauthorized sharing of recordings, internally or externally, should be treated as a serious policy violation, not an oversight.

Third Parties Are a Special Case

This is where things get especially tricky. Vendors and contractors often bring their own recording tools to meetings – sometimes without mentioning it. Without explicit prior authorization, that’s a problem. Your practice has no visibility into where that recording goes, who can access it, or whether the tool meets HIPAA and other privacy standards.

Your policy should require written approval before any external party records a meeting, full stop. That expectation should also be baked into your vendor agreements – not left to a verbal check at the start of a call. If a vendor shows up with an unapproved tool running, your staff should know they have both the right and the responsibility to ask for it to be turned off.

A Policy Your Team Will Actually Follow

Even with the right policies in place, incidents happen. A meeting gets recorded without full up-front disclosure. A recording ends up somewhere it shouldn’t. An unauthorized tool gets used. Someone shares a file without thinking. Any of these should be brought to the attention of your Compliance or Security Officer.

The goal here isn’t to make recording so complicated that people stop doing it. Used correctly, recordings are genuinely useful – for training, for documentation, for follow-up. The point is to make sure the right guardrails are in place so that usefulness doesn’t come at the expense of compliance.

A clear, practical recording policy, communicated well and reinforced regularly, is one of the simpler wins a practice can put in place. If yours doesn’t exist yet, it’s worth developing.

HealthSpaces helps specialty practices build these and other operational frameworks they need to run smarter and stay protected. Get in touch!
The Ticket is a Trap: Why Independent Practices Need Help, Not a Queue
In healthcare, efficiency depends on people being able to communicate directly with each other. If someone has a question or issue, they simply ask the person or department responsible. If they need clarification from accounting or billing or payroll, they reach out directly. There’s no ticket to submit, no portal to navigate, and no automated message saying, “We’ve received your request and will respond within 48 business hours.” There is just a person with a problem, and a person (or department) with a solution.

So why, when it comes to the technology that keeps your clinics running and your EMR functional, are you forced to bow to the traditional ticketing system?

At many medical practices, we often see technology management and support treated as a kind of black hole. Requests go in, tickets are created, emails are auto-sent, and somewhere along the way visibility disappears. The system is designed to protect the IT vendor’s time, not yours. For an independent physician group, it may be time to stop filing tickets and start having conversations.

The “Square Peg” Problem: Why Tickets Fail Physicians

Traditional Managed Service Providers (MSPs) love tickets because they allow them to commoditize your staff’s frustration. They treat a broken vitals monitor in Room 4 with the same clinical indifference as a request for a new mousepad. In addition, tickets and break-fix represent billable events, even if “support” is billed at a flat monthly rate.

For an independent physician practice, this model is fundamentally broken for three reasons:

The Solution: From “Queues” to “Conversations”

Modern healthcare technology shouldn’t feel like the DMV; it should function like an internal department. The solution for independent groups isn’t a “better” ticketing system, it’s the elimination of the system altogether in favor of Co-Sourced Collaboration. When a practice moves away from the “gatekeeper” model of IT, the dynamics shift immediately:

Technology Should Serve the Practice, Not the Other Way Around

Ultimately, every group should be working toward a state of technological health. That doesn’t happen by filing more tickets. It happens by fostering a culture where technology is a shared asset, and the people supporting it are as accessible as the colleague down the hall.

Independence is the greatest asset a physician group has. Don’t let a “support ticket” be the thing that slowly chips away at it.

Is your technology infrastructure a partner in your growth, or a hurdle for your staff? Transitioning from a “ticket” culture to a “collaboration” culture is the first step in reclaiming clinical autonomy.
Technology as a Strategic Lever for Healthcare Leadership
In many healthcare organizations, technology has evolved organically over time, often shaped by immediate operational needs, regulatory demands, and rapid growth. As a result, leadership teams frequently find themselves managing a complex mix of systems while balancing clinical priorities, staffing pressures, and patient care demands. In this environment, technology can quietly become difficult to oversee, not because of poor decisions, but because it has historically been treated as an operational necessity rather than a coordinated strategic function.

A virtual Chief Information Officer (vCIO) can help address this challenge by bringing structure, visibility, and alignment so technology consistently supports the organization’s clinical and operational goals.

Aligning Technology Decisions with Organizational Priorities

Healthcare leaders are responsible for making countless decisions that affect patient access, provider efficiency, and long-term stability. Technology choices are often made within this broader context, which can lead to systems that work well individually but lack overall coordination. A vCIO provides a structured approach to ensure technology decisions are guided by leadership priorities from the outset. By working closely with executives, physicians, and operational leaders, the vCIO helps translate organizational goals into a clear roadmap, allowing technology investments to support workflow efficiency, scalability, and continuity of care.

Creating Clarity Through Governance and Shared Decision-Making

Technology initiatives often involve multiple stakeholders, each with valid perspectives and competing priorities. Without a clear framework, it can be challenging to maintain consistency in decision-making or ensure alignment across departments. A vCIO helps establish governance processes that create transparency and collaboration, bringing clinical, operational, and executive voices into a structured decision environment. This approach allows leadership teams to move forward with confidence, knowing that priorities are clearly defined, responsibilities are understood, and progress is measured against shared goals.

Strengthening Organizational Readiness for Risk and Security

As cybersecurity risks and regulatory expectations continue to evolve, healthcare leaders must remain vigilant while balancing many competing responsibilities. A vCIO supports this effort by providing ongoing visibility into risk posture, helping leadership understand potential vulnerabilities, and guiding proactive planning. Through regular assessments, preparedness planning, and clear communication, executives gain confidence that security and compliance are being managed thoughtfully and systematically, allowing them to focus on broader organizational priorities.

Providing Transparency Into Technology Performance and Investment

Technology represents a significant and essential investment for healthcare organizations, yet it can sometimes be difficult to clearly measure its performance or long-term value. A vCIO introduces reporting, metrics, and planning processes that help leadership better understand how systems are performing, where opportunities for optimization exist, and how future needs can be anticipated. This transparency supports more informed decision-making and helps ensure technology continues to align with operational realities and strategic direction.

Serving as a Trusted Strategic Partner to Leadership

At its core, the role of a vCIO is to strengthen leadership’s ability to make confident, informed decisions about technology in an increasingly complex environment. Rather than operating as an external authority or a purely technical resource, a vCIO works in close collaboration with executives and physicians, providing insight, structure, and continuity while respecting the organization’s existing expertise and leadership priorities. This partnership ensures technology discussions remain constructive, transparent, and aligned with clinical and operational realities.

By bringing a steady, collaborative presence to technology leadership, a vCIO helps organizations move forward with clarity, knowing their systems are positioned to support both today’s demands and tomorrow’s opportunities.
How Can Healthcare Leaders Overcome the Barriers to Change?
Most healthcare leadership teams recognize that change is needed. The pressures are clear: operating costs continue to rise, reimbursements continue to decline, and expectations around technology performance, security, and integration continue to grow. And now AI is on the scene, promising to magically turn water into wine.

The challenge is not awareness. It is that many organizations feel trapped and unable to act, even when leadership fully understands the need. This isn’t about lack of vision or commitment. It is about the reality that, over time, technology environments accumulate constraints that make meaningful change feel risky, disruptive, or financially out of reach.

The Barriers to Change

Across mid-enterprise physician organizations, the same patterns tend to emerge.

Responsibility often becomes concentrated among a very small group – the same three people (STP) syndrome. These leaders manage daily operations, hold most of the institutional knowledge, and are tasked with strategic initiatives. Because they are focused on maintaining stability, there is little remaining capacity to drive broader improvement or transformation.

At the same time, legacy workflows remain in place long after they have outlived their original purpose. Processes created to solve past challenges continue operating simply because replacing them would require coordination, time, and resources that feel unavailable.

Technical debt also builds gradually. Systems are implemented to meet immediate needs, but the follow-through work – optimization, cleanup, and integration refinement – rarely occurs. Frequently, systems are implemented quickly to “get it live,” with minimal changes to workflow. Over time, these layers create inefficiency that becomes increasingly difficult to untangle.

Long-term vendor contracts often lock organizations into technologies that no longer align with current priorities. Vendor roadmaps may tease needed improvements, but their timelines frequently extend far beyond the urgency leadership feels today. And when interfaces between systems fail to work as promised, the burden shifts to staff workarounds, creating hidden operational costs that rarely appear in financial reporting but significantly impact productivity and morale.

The Financial and Operational Backdrop

All of these factors exist within an increasingly constrained financial environment. With declining reimbursements and higher expenses, there is little appetite for any project requiring an investment of either time or money. As a result, many organizations reach a familiar conclusion: they recognize the need for modernization, but feel there is simply no way to pursue it. Change becomes something deferred, not because it is unimportant, but because it appears financially and operationally unattainable.

Where Successful Transformations Actually Begin

The organizations that break through this cycle approach the problem differently. They do not begin by asking how to spend more. They begin by asking where resources are already being lost, and how to recover time and/or money to fund real change.

Within most environments, significant inefficiencies exist through overlapping vendor services, underutilized platforms, manual workarounds caused by poor integrations, and contracts misaligned with actual organizational needs. These costs often remain hidden because they are distributed across multiple systems, departments, and workflows. Individually, each inefficiency may seem manageable. Collectively, they often represent a substantial opportunity.

Funding Change Through Real Savings

When leadership teams take a deliberate approach to identifying and eliminating inefficiencies, they often discover something unexpected: the resources required for modernization frequently already exist within the organization. Hidden across redundant systems, underused contracts, manual workarounds, and lingering technical debt is significant reclaimable capacity – both financial and operational. By redirecting this reclaimed spend and reducing operational waste, practices can create a self-funding pathway for change, one that enables progress without increasing overall technology budgets.

Just as importantly, successful organizations do not attempt a full transformation all at once. They begin incrementally, targeting high-impact areas where improvements can produce measurable returns quickly. Early wins generate real savings in time, cost, and operational stability, which can then be reinvested into the next phase of improvement. Over time, this creates a compounding cycle of progress funded by value already unlocked within the environment.

This shift fundamentally changes the conversation. Modernization is no longer viewed as a large capital request or a future aspiration dependent on new funding. Instead, it becomes a disciplined process of reinvestment, reallocating existing resources toward initiatives that directly support organizational outcomes.

The Leadership Opportunity

The greatest barrier to change is rarely technological complexity. More often, it is the assumption that meaningful improvement requires new funding that simply is not available.

In reality, the most successful organizations begin by creating clarity around where resources are currently being consumed inefficiently. They focus not on vendor promises of dramatic, theoretical ROI, but on identifying tangible, verifiable savings within their own environment – reductions in operational friction, eliminated redundancy, stabilized infrastructure, and reclaimed staff capacity. Once this visibility exists, leadership can make deliberate decisions about where to reinvest for the greatest measurable impact.

This approach restores control. Organizations are no longer reacting to constraints or chasing inflated vendor claims. Instead, they are actively shaping their technology environment through steady, evidence-based progress, aligning investments directly with strategic priorities and building sustainable momentum over time.
Technology Is Too Important to Leave to Technology People
In many physician-owned practices, technology quietly becomes a difficult-to-fully-understand area of investment, where even well-run practices struggle to clearly connect spending to outcomes, plus a steady stream of promises of better performance and more efficiencies, which are rarely actually achieved. Systems become stagnant. Add-ons and integrations proliferate. Contracts renew automatically. Vendors send upgrade recommendations at the last minute, before any rational alternatives can be determined. Leadership reviews the technology budget once a year and has to take the word of their technology teams, whether internal or outsourced, because the complexity of technology makes it difficult to fully see alternatives. Technology directly shapes clinical throughput, documentation burden, revenue cycle performance, compliance exposure, recruiting strength, and ultimately enterprise value. It affects how physicians experience their day. It determines whether operations run predictably or constantly compensate for friction. It influences whether growth feels controlled or chaotic. All too often technology seems to take on a life of its own, and is frequently a block or inhibitor instead of the enabler it was promised to be. When it is treated as a specialized technical silo, instead of being a leadership function (The C-Suite and Physician Leadership), misalignment and disappointment is inevitable. Stability Is Not the Same as Alignment One of the most common misunderstandings in healthcare technology is equating “nothing is broken” with “everything is working.” When IT sets priorities in isolation, even with strong technical competence, the organization optimizes for uptime and the status quo instead of outcomes. Ticket reports say user issues are being resolved. Infrastructure remains stable. Security reports show compliance. Dashboards look healthy. SLAs (Service Level Agreements) are met. Then why is there so much frustration with tech in healthcare? 
Stability at the infrastructure layer does not automatically translate to alignment at the organizational and operational layers. Physicians begin creating workarounds to move faster through visits. Operations build shadow processes to compensate for inefficiencies between systems. Finance absorbs variability in margins caused by inconsistent workflows or data fragmentation. None of it rises to the level of a system outage, so it rarely feels urgent. Over time, though, that quiet friction compounds. Good ticket reports, SLA dashboards and quarterly security reviews do not guarantee organizational success. A system can be stable and still be misaligned with how the practice actually needs to operate, and be causing larger problems that may not be noticeable from the reports coming out of the technology stack.
Leadership Should Decide. IT Should Deliver.
Technology teams are essential. Strong engineers and support teams are critical. Their role is to translate strategy and user needs into systems and solutions, identify risks, options and constraints, and execute with precision. But their role is not to determine what matters most to the organization. That responsibility belongs to leadership, particularly in physician-owned environments where autonomy, culture, and long-term value are deeply interconnected. When IT or vendors implicitly set priorities, decisions tend to revolve around tools: products, platforms, security layers, feature sets, technology “stacks”. Those discussions are important, but they are downstream conversations. The upstream conversation is different: leadership should decide, IT should deliver. When those roles blur, technology becomes reactive and tool-driven rather than strategic and outcome-driven. And the organization has to accept whatever technology delivered, with little feeling of involvement, buy-in and collaboration. Technology feels like something that’s done TO them rather than FOR them.
Don’t Call the Vendor. Call Your People.
When something feels off, the reflex is to reach out to the vendor. Sometimes frustration with existing systems means reaching out to a new vendor before even determining the current state. Every vendor out there is hard-wired to showcase how their product is different from whatever you have. Start internally instead. Ask physicians where technology slows patient care or adds cognitive burden. Ask operations where duplication, rework, or inconsistent data creates strain. Ask finance where unpredictability appears in revenue cycle performance and margins. Vendors are built to propose solutions. That is their role. And those solutions are often focused on feature sets rather than usefulness, and result in yet another locked-in contract with hidden and unnecessary costs that benefit the vendor, not the practice. Your people are the ones living with the friction. They are the only ones who can accurately define the problem. When practices skip this internal clarity step, they often end up layering new tools onto misaligned workflows. The technology stack grows. Complexity increases. The original friction remains. Costs increase. User frustration and resignation become the norm. Technology decisions should begin with organizational alignment, not product demonstrations.
Governance, Not Gadgets
The most resilient physician-owned practices do not treat technology as an operational afterthought. They treat it as a governance issue. They define clear decision processes. They involve clinical, operational, and financial stakeholders in prioritization. They tie technology initiatives to measurable outcomes. They evaluate vendors and solutions in light of their internal needs and priorities, not on the next BSO (Bright Shiny Object) from vendors. This is not about slowing decisions down. It is about ensuring decisions are anchored to strategy rather than the latest tech buzzwords or vendor roadmaps.
Technology is now too important to autonomy, profitability, and patient care to sit outside leadership conversations. It cannot be delegated entirely to engineers. And it cannot be outsourced to vendors who don’t truly have the best intentions. It belongs at the leadership table. Because it is too important to leave technology to technology people alone.
You Completed the HIPAA SRA. Now What?
The False Sense of Completion
Completing a HIPAA Security Risk Assessment (SRA) is required. Full stop. But too many practices treat the SRA like their annual holiday shopping – to be done once a year. You may have completed yours in the last 6-8 weeks. However, the environment has already changed. New users have been added, devices move on and off the network, staff create workarounds under pressure, phishing emails land in inboxes, and vendor access quietly persists without review. And yet leadership sleeps better because “we did our SRA.” That sense of relief, and the accompanying complacency, is one of the most dangerous situations in healthcare security.
Diagnosis vs. Defense
The HIPAA SRA exists to identify risk, not to resolve it. It doesn’t fix anything, reduce exposure on its own, or protect patients. Its value only shows up after the assessment, when findings are translated into ownership, decisions, and an ongoing security program. Not only that: as we have pointed out in numerous other blogs, HIPAA is pretty ineffective at actually minimizing real-world risk. When practices confuse documentation with defense, they create a false sense of safety that lasts right up until a breach, audit, or incident forces reality back into focus. Security rarely fails because an SRA wasn’t completed; it fails because everything stopped once it was.
Why Compliance Alone Breaks Down
HIPAA compliance is often treated like an annual exercise, but security doesn’t work that way. Threats evolve continuously, staff behavior changes daily, and attackers don’t care what your last assessment said. In fact, they’re counting on your complacency and false sense of…security! This is why modern frameworks, including those from the National Institute of Standards and Technology (NIST), assume constant change rather than stable environments.
They emphasize regular access reviews because stale credentials are a leading cause of breaches, tested incident response plans because unused plans fail under pressure, and controls that align to real workflows instead of ideal ones no one actually follows. For example, many practices document “role-based access” during their SRA and move on. Months later, a contractor still has an active account, a staff member keeps elevated permissions after changing roles, and credentials are quietly shared during busy clinics. Frameworks like NIST assume this drift will happen, which is why they emphasize periodic access reviews and least-privilege enforcement, not one-time configuration. Security is not a yearly technology project. It’s an operational discipline that touches every role in the practice. When it lives only in a binder or in a vendor portal no one revisits, it becomes performative. And performative security is easy to bypass.
The Risk That Technology Can’t Fix
Most healthcare breaches don’t begin with sophisticated attackers with sophisticated tools. They begin inside the practice: untrained staff clicking links, sharing credentials to save time, unauthorized chart access, and well-intentioned shortcuts during busy clinics. The “bad guys” know all this and are crafting increasingly sophisticated threats designed to take advantage of complacency, busyness and familiarity. That email from the “CEO” to the “CFO” asking for another copy of last month’s bank statement looks sooo benign. Frameworks like NIST assume this reality, which is why people and process matter as much as technology. You can deploy every security product on the market and still fail if policies are unclear, processes are inconsistent, and staff aren’t supported with ongoing education. Technology cannot compensate for misalignment.
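The access drift described above (the contractor whose login outlives the contract, the staff member who keeps old permissions after a role change, the generic login nobody owns) is exactly what a periodic access review is meant to catch, and it can be checked mechanically. The Python below is an added example, not code from the original post: it compares an identity-provider export against the HR roster and a least-privilege role matrix. The roster, the accounts, the field names and the role-to-permission matrix are all constructed assumptions; a real review would export them from the practice’s own HR system and identity provider.

```python
"""Quarterly access review: flag account drift against the HR roster.

Added example, not code from the original post. All roster and account data
below is constructed; the field names and the role-to-permission matrix are
assumptions standing in for exports from the HR system and identity provider.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed least-privilege matrix: what each role legitimately needs.
ROLE_PERMISSIONS = {
    "physician": {"chart_read", "chart_write", "order_entry"},
    "front_desk": {"schedule", "chart_read"},
    "billing": {"claims", "chart_read"},
    "it_admin": {"admin", "chart_read"},
    "contractor": {"chart_read"},
}


@dataclass
class Person:
    """One row from the HR roster (constructed)."""
    user_id: str
    role: str
    active: bool
    end_date: Optional[date] = None  # contract end date for contractors


@dataclass
class Account:
    """One login from the identity-provider export (constructed)."""
    user_id: str
    enabled: bool
    permissions: set = field(default_factory=set)
    owner: Optional[str] = None      # None marks a shared or generic login
    last_login: Optional[date] = None


def review_access(roster, accounts, today, dormant_days=90):
    """Return (user_id, finding, detail) tuples for every account that has
    drifted from the roster: shared, orphaned, stale, over-privileged or dormant."""
    people = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.user_id, "shared_account",
                             "no individual owner, so the password is shared by design"))
            continue
        person = people.get(acct.user_id)
        if person is None:
            findings.append((acct.user_id, "orphaned_account",
                             "login exists but nobody on the roster owns it"))
            continue
        ended = person.end_date is not None and person.end_date < today
        if acct.enabled and (not person.active or ended):
            findings.append((acct.user_id, "stale_account",
                             f"still enabled although the {person.role} has left or ended"))
        # Least privilege: anything beyond what the current role needs is excess.
        excess = acct.permissions - ROLE_PERMISSIONS.get(person.role, set())
        if excess:
            findings.append((acct.user_id, "excess_privilege",
                             f"holds {sorted(excess)} beyond the {person.role} role"))
        if (acct.enabled and acct.last_login is not None
                and (today - acct.last_login).days > dormant_days):
            findings.append((acct.user_id, "dormant_account",
                             f"enabled but unused for more than {dormant_days} days"))
    return findings


def run_sample_review():
    """Run the review over constructed data covering the drift cases in the post."""
    today = date(2024, 4, 15)
    roster = [
        Person("dr_lee", "physician", active=True),
        Person("contractor_x", "contractor", active=True, end_date=date(2024, 1, 31)),
        Person("mpatel", "front_desk", active=True),  # moved here from IT in February
    ]
    accounts = [
        Account("dr_lee", True, {"chart_read", "chart_write", "order_entry"},
                owner="dr_lee", last_login=date(2024, 4, 14)),
        # Contract ended in January but the login was never disabled.
        Account("contractor_x", True, {"chart_read"},
                owner="contractor_x", last_login=date(2024, 1, 20)),
        # Kept admin rights after changing roles.
        Account("mpatel", True, {"schedule", "chart_read", "admin"},
                owner="mpatel", last_login=date(2024, 4, 12)),
        # Generic exam-room login with no named owner.
        Account("exam_room_3", True, {"chart_read", "chart_write"},
                owner=None, last_login=date(2024, 4, 15)),
        # Left last year; HR removed the roster row, the account survived.
        Account("jdoe", True, {"claims"}, owner="jdoe", last_login=date(2023, 11, 2)),
    ]
    return review_access(roster, accounts, today)


if __name__ == "__main__":
    for user_id, finding, detail in run_sample_review():
        print(f"{finding:17} {user_id:13} {detail}")
```

On the constructed data the review returns four findings: the stale contractor login, the over-privileged front-desk account, the shared exam-room login and the orphaned account; only the physician’s account passes clean.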
What Real Security Actually Requires
Effective security programs move beyond the SRA and align with what frameworks like NIST actually emphasize in practice: Policies, Processes, People, and Products. Clear policies set expectations for how ePHI is protected. Repeatable processes turn those policies into day-to-day behavior. Ongoing investment in people, through training and awareness, addresses the human risk no technology can eliminate. And products are used to support and reinforce the first three, not to replace them. Miss any one of these, and the entire structure weakens. You can document policy without process, deploy tools without training, or train staff without enforcing standards and still remain exposed. This work is rarely flashy. It doesn’t sell well in vendor demos or come neatly packaged as a “HIPAA-compliant” solution. But it’s what actually reduces risk, because it changes how the practice operates every day instead of relying on security theater to create a false sense of protection.
The Work Starts After the SRA
The HIPAA Security Risk Assessment is required, and it should be taken seriously. But it is only the beginning. Real security shows up in governance and ownership, follow-through on findings, ongoing education, regular review, and leadership engagement, not delegation. Using a framework like NIST provides a cadence that lets your practice work on security throughout the year, continuously improving its security posture. Don’t go to sleep because you checked the box six weeks ago. Take ownership. Build a program. Treat security as a living part of how your practice operates, not a once-a-year compliance exercise. That’s what actually protects patients, providers, and the business.
AI Won’t Fix Misalignment in Healthcare, It Will Expose It
Artificial intelligence has become impossible for healthcare leaders to ignore. Not because every organization is ready for it, but because the conversation has shifted from curiosity to expectation. Boards are asking how it fits into long-term plans. Vendors are framing it as easy-peasy and sure-fire from an ROI standpoint, with easy integrations. One hears of peer organizations that are experimenting, usually successfully, though perhaps not always. For physician-owned practices, this moment carries a unique kind of pressure. AI promises relief in areas that matter deeply: administrative burden, efficiency, cost takeout, seamless access to information, and more. At the same time, it introduces a level of complexity that can either stabilize an organization or strain it further, depending on how decisions are made. The result is excitement mixed with skepticism, leading to hesitation. And we would view that hesitation as a sign of good leadership, not fear.
Why AI Feels Different Than Past Technology Waves
Healthcare leaders have lived through countless technology cycles and vendor-driven upsells. New EHR features. New analytics platforms. New operational tools, each positioned as the solution to growing complexity. And yet each one, in its own way, seems to have created new problems and added to the complexity. As AI becomes part of the decision process and data flows, it starts influencing judgment: what information is surfaced, what options are prioritized, and how confident people feel in the outcome. When results don’t align with expectations, responsibility becomes less clear: is it the clinician, the operator, or the system that shaped the recommendation? That’s why AI conversations don’t stay confined to technology teams. They move quickly into leadership territory, touching clinical autonomy, organizational risk, and long-term strategy.
The discomfort many leaders feel isn’t about the technology itself; it’s about introducing something that adapts and evolves faster than most governance models were designed to handle. AI forces organizations to confront questions that can no longer be deferred: how aligned leadership truly is, how decisions are made across clinical and operational lines, and whether technology is serving the mission or quietly reshaping it.
Where AI Creates Pressure and Where Leadership Makes the Difference
AI introduces a new kind of pressure in healthcare, one that shows up most clearly in clinical workflows. When tools lack context and boundaries, they disrupt rather than support care delivery. The underlying concern isn’t automation, but whether clinical judgment and autonomy remain central as AI becomes more embedded in daily decisions. Strong leadership resolves this tension by being explicit. Clear about where AI fits. Clear about what it informs. Clear about where human judgment remains final. When physicians are involved early in shaping how AI is introduced, technology shifts from feeling imposed to feeling purposeful. At the executive level, the pressure looks different but is just as real. AI promises efficiency and predictability in an environment that demands both, while simultaneously introducing new categories of risk. Governance, regulatory exposure, and long-term dependency on rapidly evolving tools become harder to manage once AI is embedded into workflows. Here, leadership clarity matters more than speed. When ownership, accountability, and guardrails are defined upfront, AI becomes an extension of strategy rather than a source of uncertainty. Or to put it another way, practice leadership would benefit greatly from turning down the external vendor noise about the latest thing that might be available and focusing internally on what the practice actually needs.
AI as a Mirror: What It Reveals About Your Organization
One of the least discussed aspects of AI adoption is how clearly it reflects the state of an organization. AI doesn’t operate in isolation. It depends on data quality, process maturity, and alignment across teams. In organizations with strong governance and shared clarity, AI often feels like a natural extension, quietly improving efficiency and insight. In organizations already struggling with fragmentation or unclear ownership, AI magnifies those issues. Confusion accelerates. Misalignment becomes more visible. Decision-making grows noisier instead of sharper. Change becomes difficult and disruptive. In this way, AI doesn’t create chaos. It reveals it. For leadership teams willing to engage with that reflection, this moment becomes an opportunity not to rush forward, but to strengthen the foundation before adding complexity that’s harder to manage later.
Why Governance Determines Whether AI Delivers Value
The most effective AI initiatives aren’t driven by enthusiasm alone. They’re anchored in governance that is shared, intentional, and understood across leadership and clinical teams. This doesn’t mean overanalysis or paralysis. It means defining boundaries before capabilities expand. When ownership is clear, accountability is shared, and expectations are aligned, AI serves strategy rather than steering it. When governance is treated as an afterthought, adoption becomes reactive and difficult to sustain. In other words, it just speeds up bad processes. The difference isn’t the latest tool – in this case AI – it’s the discipline around approaching what currently exists and what is possible.
Choosing Deliberate Progress Over Speed
There’s a growing assumption in healthcare that moving quickly on AI is synonymous with being forward-thinking. In practice, speed without alignment often leads to rework, resistance, and regret.
The organizations navigating this moment well take a more deliberate approach. They focus first on clarity about which problems are worth solving, where AI genuinely reduces burden, and how success will be measured. Physicians are involved as partners, not afterthoughts. Trust and process review are built before product selection and implementation. This approach rarely generates headlines. But it does generate progress that lasts.
Where This Leaves Healthcare Leaders
AI will continue to advance whether organizations feel ready or not. That part is inevitable. What isn’t inevitable is how it shows up inside a practice. The real differentiator won’t be who adopts artificial intelligence first. It will be who adopts it with intention, grounded in leadership alignment, clinical partnership, and long-term strategy. In healthcare, technology rarely fails because it doesn’t work. It fails because it’s introduced into environments that aren’t prepared to properly adopt it.
Optimize Before You Automate: AI Won’t Fix Broken Processes
Every week, another vendor shows up promising a new AI product that will revolutionize your practice. Smarter scheduling. Automated billing. Documentation and coding handled at the click of a button. You’ve heard the pitches. You’ve sat through the demos. You may have already signed the contracts. How is this different from before? How many products have you already bought that were supposed to fix these problems, and yet they still persist? In some cases not only did they not solve the problem or improve costs; the problems have actually gotten worse, and your costs have risen. Because here’s the truth: automation doesn’t magically fix broken processes. If anything, it amplifies them. There is no question that AI holds the promise of revolutionizing healthcare. However, AI, like automation, needs to be applied to well-optimized processes; it is not a fix for bad processes.
Automating Chaos Is Still Chaos
Healthcare doesn’t suffer from a lack of technology. You already have EHRs, scheduling systems, revenue cycle platforms, CRMs, patient engagement and a dozen other “solutions.” If pain points remain, layering AI on top won’t solve them. It just means:
Speed without proper direction isn’t progress, it’s recklessness. It’s like putting a Ferrari engine on a Model T.
A Cautionary Tale: Salesforce’s AI Layoffs
This isn’t a healthcare problem alone, it’s a management problem. And nowhere is that clearer than at Salesforce, whose AI strategies have come under scrutiny recently. In 2025, CEO Marc Benioff announced that Salesforce had cut 4,000 support jobs, shrinking the team from 9,000 to 5,000, and replaced much of the work with its AI system, Agentforce. He proudly pointed to AI handling 1.5 million customer conversations, saying it reduced the need for “heads.” Here’s what really happened:
The result? Salesforce became the case study in what happens when leaders reach for automation instead of fixing what’s broken. They didn’t solve inefficiencies. They amplified them.
Why Healthcare Should Pay Attention
If Salesforce, with its money, talent, and tech pedigree, can get this wrong, what happens when a physician practice bets on AI to fix scheduling, billing, or documentation without fixing workflows first? The stakes in healthcare are even higher than in tech customer service. Here, the cost isn’t just lost revenue or market trust. It’s physician time. Staff morale. Patient care.
Optimize Before You Automate
Executives already know this, deep down. The problem usually isn’t the technology. The problem is misaligned team goals, unclear processes, and dysfunction that no algorithm can clean up. Yet vendors keep selling magic dust. Leaders keep buying it. And everyone acts shocked when the “solution” doesn’t solve the problem. The uncomfortable truth: if your house is out of order, AI won’t straighten it up. It will just make the mess permanent. AI is not a cure for dysfunction. It’s an amplifier. After you’ve optimized your processes, automation can be transformative through better scale and improved efficiency. If you haven’t, it just makes the errors happen faster, cause more damage, and become harder to undo. Salesforce is a cautionary tale. Don’t make the same mistake in healthcare. Optimize before you automate, or you’ll pay more to make your problems even more permanent, make them happen faster, and probably at higher cost.
Stop Healthcare Data Breaches: 4×4 HIPAA & Cybersecurity Plan
In healthcare, compliance with HIPAA regulations is non-negotiable. But here’s the reality: being compliant doesn’t always mean you’re secure. Many practices check the boxes but still face major vulnerabilities that put electronic Protected Health Information (ePHI) at risk. In 2023 alone, healthcare data breaches reached an all-time high when 725 breaches were reported to the OCR, exposing more than 133 million records. These numbers underscore why every clinic needs to address cybersecurity gaps before it’s too late. Here’s what your clinic can’t afford to ignore about cybersecurity. Between 2018 and late 2023, hacking-related healthcare breaches surged by over 230%, with ransomware incidents climbing nearly 280%. Back in 2019, hacking was behind about half of all breaches. By 2023, it drove nearly 80% of reported incidents. In this post, we’ll break down:
Four Compliance Activities That Won’t Significantly Reduce Risk
These are the tasks that regulators require or strongly recommend. They matter, but don’t assume they’ll stop a cyberattack:
Four Measures That Actually Reduce Risk in Healthcare
If you want real protection, focus here:
Four Components of an Effective Security Program in Healthcare
Think of these as your security foundation:
Four Hidden Threats Inside Your Practice
Hackers are a huge threat, but the biggest threat is actually staff inside your own practice. Some of your biggest risks are lurking in plain sight:
HIPAA Said Easy
“HIPAA basically says you must protect ePHI from 4 things: theft, loss, destruction or improper access; from internal and/or external sources, whether by intentional or accidental means.” Bottom line: Compliance is important, but real security requires visibility, preparedness, training, and proactive controls. By focusing on these practical measures, you’ll do more than check a box – you’ll protect your patients, your reputation, and your business.
How Bad Technology Makes Healthcare Worse
Technology was supposed to make healthcare faster, safer, and more efficient. But in too many clinics the opposite is true. Bad technology makes healthcare worse. Technology has become one of the biggest pain points for many practices. Patients come in for care, not to wait while their provider battles systems. And when technology slows workflows, causes errors, or forces workarounds, it’s the patient who feels it first. But here’s the hard truth for you as a clinic leader: every delay, every outage, every clunky system doesn’t just frustrate patients – it drains your staff, drives up turnover, increases compliance risk, and quietly bleeds revenue. What affects the patient first ultimately affects your entire practice. When technology systems are slow or completely unavailable in a healthcare environment, the ripple effects are immediate and costly. One way to think about it: the cost of an hour of downtime is roughly a clinic’s annual revenue divided by 2,000. For a $50 million practice, that equates to $25,000 for each hour of downtime. And that’s just the first dimension. Add in overtime pay, delayed billing, duplicative processes and compliance risk, and the true cost scales fast. But the dollars only tell part of the story. Poorly designed systems and the downtime they cause create ripple effects that drain morale, increase turnover, and make patients question their quality of care. And yet, numerous practices assume a traditional healthcare managed service provider (MSP) is the solution. In reality, most MSPs only treat symptoms, not the root cause. Taking an anti-MSP approach prevents the issue from the start by focusing on fixing poor infrastructure design, organizational alignment, and long-term strategy rather than quick fixes.
1. Bad Technology, Broken Care Flow
For physicians, downtime is more than an inconvenience, it’s a direct barrier to care.
When systems fail, you can’t access the chart you need, order the test on time, or update the care plan while the patient is in front of you. Every delay forces difficult choices:
On paper, downtime looks like $25,000 an hour for a $50M practice. But in reality, it looks like a clinic full of waiting patients, a physician running behind, and a staff forced to reschedule visits that may never return. The patient sees a provider distracted by screens, apologizing for “system issues.” Trust erodes. Clinical risk rises. Delays in healthcare aren’t measured in minutes, they’re measured in outcomes.
2. The Financial Drain Adds Up Fast
The physician’s frustration has a financial cost, too. Every lost appointment slot, every delayed billing cycle, every hour wasted fighting the system bleeds money from your practice. Hidden costs physicians feel daily:
Vendors love to promise ‘one additional appointment per doctor per month’ as proof their system pays for itself. But what if it’s actually costing you that extra appointment a month? That could be thousands of dollars of lost revenue a month.
3. Burnout and Frustration Go Through the Roof
When technology fails, the weight falls hardest on providers and staff. Physician frustrations sound like this:
Each glitch is more than an annoyance – it chips away at professional satisfaction. Providers didn’t train for years to wrestle with software. They trained to care for patients. When technology becomes an obstacle instead of a tool, frustration builds, burnout accelerates, and eventually, good clinicians leave. Surveys consistently rank frustration with technology among the top five causes of physician burnout.
4. Downtime = Cost + Compliance + Clinical Risk
When systems are down, your responsibility to document and protect patient data doesn’t go away. Workarounds – like jotting notes on paper to enter later – create compliance gaps and clinical risk.
For physicians, these aren’t abstract risks, they’re real patient safety concerns. And one breach or missed result can have lasting consequences for both patients and the practice. One analysis puts the cost of a breach at roughly $1.9 million per day.
5. Patients Notice
Patients may not understand your technology struggles, but they notice the effects: rushed visits, delayed test results, providers who seem distracted or behind schedule. How many times have you as a patient gotten an apology from your care provider about their “computers being slow”? Patients don’t log reviews; they remember experiences. They notice when you’re constantly fighting the system instead of focusing on them. One delayed test result or distracted visit can be the moment they leave, and with each patient who walks away, physicians feel the impact: disrupted schedules, lost continuity, and the frustration of knowing your care is judged not by your expertise, but by the systems you’re forced to work around.
The Importance of an Anti-MSP Model
An anti-MSP model is about more than keeping the lights on – it’s about building technology that works with your practice instead of against it. By addressing root causes and designing systems that align with your clinical and business goals, technology stops being a liability and starts being a lever for better care, stronger teams, and long-term growth.
When MSP Strategy Becomes Sales Strategy
At first glance, your Managed Services Provider (MSP) might seem strategic. They arrive with polished slide decks, talk about “aligning technology to business goals,” and present dashboards filled with colorful metrics. It all sounds helpful – until you realize the strategy always ends in a sales pitch. Let’s call it what it is: strategy theater designed to drive vendor sales, often with little regard for what actually moves your clinic forward. There’s a better way. And it begins with understanding how traditional MSPs often blur the line between strategic guidance and sales tactics, then rethinking what real technology partnership should look like. Learn how our MSP services provide true strategic alignment for mid-sized clinics.
1. When MSP Quarterly Business Reviews Are Just Quotas in Disguise
Quarterly Business Reviews (QBRs) are intended to evaluate performance and plan for the future. But in many traditional MSP setups, they become thinly veiled opportunities to upsell, anchored not in your goals but in vendor ecosystems and sales quotas. Signs to watch for:
What’s missing: objectivity, context, and actual stewardship. Your QBR should align stakeholders, clarify priorities, and create accountability for progress, not act as a preloaded sales script.
2. MSP Regulatory Updates as a Sales Trojan Horse
Yes, cybersecurity and compliance requirements are evolving. But rather than offer guidance tailored to your clinic’s real-world needs, many MSPs use regulatory changes as scare tactics, pushing you toward expensive, cookie-cutter “solutions.” What’s missing: a thoughtful conversation about your risk tolerance, operating environment, and how to meet obligations without overengineering your technology footprint. Without that perspective, smaller and mid-sized clinics often find themselves implementing large-enterprise tools that don’t match their scale, complexity, or workflows, resulting in bloated costs and stressed-out staff.
Real strategic guidance evaluates actual exposure, context, and consequence, offering sustainable recommendations, not blanket reactions.
3. MSP Dashboards That Typically Tell You What They Want You to See
Dashboards have become a staple in MSP engagements. They’re sleek. They’re data-rich. But here’s the question: are they designed to help you lead, or just justify the next spend? Many MSP dashboards:
What you should be seeing: a single version of truth that connects infrastructure, performance, and priorities, supporting decisions based on clarity, not complexity. Dashboards should help you see patterns, track progress, and focus your time, not leave you wondering why everything seems “green” but still feels broken.
4. Selling Without Stewardship Is Not Strategy
A true strategic partner doesn’t just show up to sell. They embed. They listen. They understand your clinic’s values, constraints, and ambitions, and act as an internal advocate for what will actually work. Unfortunately, most MSPs operate in a transactional loop: support tickets, product quotes, installation, and invoicing. There’s little space for long-term vision, let alone adaptive, clinic-centered strategy. What’s missing is something more aligned to how a tenant representative works during a construction project: not just advising, but actively representing the client’s best interests by managing competing demands, translating technical options into operational realities, and helping control costs while maximizing outcomes. That’s the model mid-sized practices need, especially those that don’t have the luxury of redundant internal teams or sprawling IT departments.
Don’t Mistake Sales for Strategy
If your so-called strategic partner is always selling and rarely listening, it might be time for a reset. Mid-enterprise clinics deserve better than out-of-the-box enterprise solutions and vendor-driven “strategy.” They need guidance that adapts to their size, staff, systems, and specialties.
They need someone who isn’t beholden to back-end reseller incentives. Someone who’s flexible, embedded, and focused on alignment, not just uptime. Because true strategy isn’t what you buy. It’s what helps you build.
The Cost of Insecurity: How Weak Cybersecurity Defenses Drain Your Bottom Line
Your patients trust you with their health. Cybercriminals trust you won’t be ready. Independent and physician-owned practices have become one of the easiest targets for attackers precisely because you’re focused on patient care, not chasing down security gaps. Security isn’t just a technology concern, it’s a business imperative. With the rise in cyber threats targeting physician-owned practices, the cost of weak cybersecurity defenses extends far beyond compliance fines. It impacts operational efficiency, patient trust, and ultimately, profitability. The question isn’t whether your practice can afford to invest in cybersecurity; it’s whether you can afford not to.
The Hidden Financial Toll of Cyber Insecurity
A reactive approach to cybersecurity often leads to costly consequences. Here’s how inadequate defenses can silently drain your bottom line:
1. Data Breaches and Regulatory Fines
The average cost of a healthcare data breach exceeds $10 million per incident, according to IBM. When protected health information (PHI) is exposed, practices face hefty HIPAA fines, legal fees, and the long-term financial burden of remediation efforts. Without proactive security measures, the risk compounds with every patient record stored.
2. Operational Disruptions and Downtime
Ransomware attacks are on the rise, often bringing entire systems to a halt. A single incident can shut down clinic operations for days, delaying patient care and leading to lost revenue. Even minor security breaches can disrupt workflows, forcing staff to spend valuable hours mitigating issues instead of focusing on patient care.
3. Loss of Patient Trust and Reputation Damage
Trust is everything in healthcare. A security breach erodes patient confidence, leading to higher attrition rates and lower patient acquisition. Once trust is lost, rebuilding it takes time and significant investment in public relations and reputation management.
4. Higher Cyber Insurance Premiums
Insurance providers assess risk based on your security posture. Weak defenses result in higher premiums or, worse, denied coverage. Implementing proactive cybersecurity measures not only reduces your risk exposure but also helps secure more favorable insurance terms.
5. Inefficiencies and Increased Technology Costs
A poorly secured infrastructure leads to ongoing technology maintenance issues. Without a strong cybersecurity foundation, clinics face frequent system vulnerabilities, requiring constant patching, troubleshooting, and reactive fixes, driving up technology costs unnecessarily.
Securing Your Bottom Line with Proactive Cybersecurity
Security should be a seamless part of any practice’s digital ecosystem, not an afterthought. Adopting an approach that protects physician-owned practices without compromising efficiency or patient care is essential.
Invest in Security, Protect Your Future
Weak cybersecurity isn’t just a technical issue, it’s a financial drain that can undermine the stability of any practice. Proactive security measures are not simply expenses; they are safeguards that support long-term growth and sustainability.
Rx for Technology Overload: A Smarter Way to Prioritize Technology Decisions
What if I Told You Your HIPAA SRA is Worthless?
Every year, clinics face the same scenario: technology and security vendors urging you to spend thousands on a HIPAA Security Risk Assessment (SRA). Vendors use the SRA in pitches that often rely on Fear, Uncertainty, and Doubt (FUD) to upsell additional products and services. Here’s the reality: the annual HIPAA SRA is required, but it’s almost worthless. Worse, the real threats your clinic faces may not even be addressed by the SRA.

The SRA: Required but almost worthless

The HIPAA Security Risk Assessment is a compliance necessity. Failure to complete it can:

The SRA is just the first step, but it is nowhere near sufficient. It may help identify some risks to the practice, but it does very little to inform HOW to mitigate those risks. Therefore, vendors often oversell its importance or overcomplicate the process, and/or use HIPAA as a stick to convince you to buy expensive products and services that may not be necessary.

Vendor Claims

The fact is, the only way to actually fail your SRA is to not complete it in the first place. And there is no such thing as a security product being “HIPAA-Certified”. HIPAA’s actual terms around protecting ePHI (electronic protected health information) are notoriously vague, leaving covered entities with more questions than answers. The Security Rule mandates that practices must safeguard ePHI against theft, loss, destruction, and improper access, whether accidental or intentional, and from both internal and external sources. However, it doesn’t prescribe specific methods or technologies to achieve these protections. This lack of clarity can lead to confusion, over-interpretation, or, worse, a reliance on vendor-driven solutions that promise compliance without addressing real risks. The result is that many practices focus on checking the compliance box and buying expensive products and services rather than implementing practical, effective safeguards tailored to their unique vulnerabilities.

As further evidence of the HIPAA SRA’s uselessness in actually preventing a breach, pretty much every practice that appears on HHS’ HIPAA “Wall of Shame” had actually completed its SRA – some of them every year prior to a breach.

The Real Risk Factor: Internal Staff

While there is a big focus on expensive technology tools and services, these often fail to address the largest risk: internal staff, and insider incidents don’t always stem from malicious intent. According to the FBI, insider threats are the leading cause of security breaches over 95% of the time in healthcare. These include:

Even the best technology team and the most advanced security tools can’t fully protect against insider risks without proactive measures and education.

Why Clinics Feel Trapped

Clinics often overspend on SRAs or security solutions due to:

Take Ownership of Your Security

The SRA is a compliance requirement, but its true value depends on how your clinic uses it. By focusing on education, internal vigilance, and practical solutions, you can strengthen your practice without falling for vendor hype. HIPAA Security is not an IT issue, so it should not be solely delegated to IT staff or outside vendors. It is also not a once-a-year issue like the SRA. It is a practice-wide issue, requiring the ongoing focus and attention of all departments and staff at all levels.

The 4 P’s of an Effective Security Program

The Bottom Line: Security Starts Beyond the SRA

At the end of the day, the HIPAA SRA is required – but let’s face it, it’s almost worthless on its own. It’s a compliance checkbox that won’t protect your clinic from real-world threats, especially the ones that matter most, like internal risks from untrained or negligent staff. Vendors love to oversell the SRA’s importance, but the truth is, it’s just a starting point – and you should not fall for the vendor’s upselling tactics.

The real work happens when you focus on what actually keeps your practice secure: clear policies, repeatable processes, ongoing staff training, and tools that make those things easier and more automated. Security isn’t just an IT issue – it’s a practice-wide responsibility. So, don’t stop at the SRA. Take ownership, focus on what really matters, and build a security program that works for your clinic, not for the vendors.
HIPAA Compliance Made Simple: Your Essential Checklist
The Need for a Strategic Technology Service Provider
In healthcare today, a technology service provider has a role that goes far beyond keeping systems up and running, or ensuring email and Wi-Fi are working. It’s more about keeping pace with constant change, both in how practices operate and in how technology evolves. With AI and other advancements rapidly reshaping the healthcare landscape, and an ever-changing regulatory environment, technology needs to be constantly evaluated, adapted, and seamlessly integrated to reduce obstacles for physicians and staff. This is where strategic technology service providers come in. It’s not just about support; it’s about guiding practices through change, helping them stay current with emerging tools and innovations, and ensuring technology continually enhances patient care and operational efficiency. Traditional support models fall short. Today, practices need a partner who can help them navigate complexity and make smarter technology decisions, not just keep the lights on.

The Limitations of Typical Technology Service Providers

Typical technology service providers can be useful in providing extra hands or needed expertise for certain specific projects. However, their focus is primarily reactive – fixing what’s broken and maintaining what exists. They may be great at break-fix work and troubleshooting, but when it comes to strategy, alignment, and forward-thinking guidance, most technology providers fall short. Here’s where that becomes a problem:

What a Strategic Technology Partner Brings

At Healthspaces, we believe physician-owned and PE-backed practices deserve more than break-fix solutions. You need a partner who sits at the decision-making table, helping you:

Be Adaptive, Not Just Reactive

In healthcare, standing still is falling behind. New regulations, patient expectations, and technological advances are constantly reshaping the way clinics must operate to keep themselves and their patients safe and organized. A purely reactive approach leaves you scrambling to catch up, solving yesterday’s problems instead of preparing for tomorrow’s opportunities. Adaptability means proactively assessing where your practice is headed and evolving your technology alongside it. It’s really about asking, “What’s next?” and being ready before it arrives. An adaptive partner helps you anticipate shifts, pivot quickly, and maintain sustained progress, so you never lose ground to competitors or compromise patient care.

Why It Matters for Healthcare Practices

Your technology environment shouldn’t just support your operations; it should empower your growth. The right strategic partner will:

The Bottom Line

If you feel stuck reacting to technology issues, it’s time for a reset. Traditional technology service providers can be part of the solution, but not the whole solution. A strategic technology partner brings clarity, structure, and momentum to your practice. At Healthspaces, we help physician practices go beyond the break-fix cycle and build technology environments that support long-term success.
Things Your Clinic Can’t Afford to Ignore Regarding Cybersecurity
Budgeting for Cybersecurity: What Clinics Can’t Afford to Ignore

Cybersecurity is not optional in healthcare – it is essential. With increasing threats targeting provider groups and clinics, from ransomware attacks to data breaches, failing to invest in security can have devastating financial and reputational consequences. Yet many physician-owned practices struggle to determine how to budget for cybersecurity and where to allocate those funds effectively. And, unfortunately, cybersecurity is used as a stick by vendors to sell expensive products that frequently don’t provide real protection, plus oftentimes they make life more difficult for end users, especially patients and providers.

At HealthSpaces, we take a strategic and rational approach to cybersecurity, as part of our Virtual CIO process – aligning security investments with business goals to ensure clinics remain compliant, operational and protected. Here’s how clinics should approach cybersecurity budgeting and why they can’t afford to ignore it.

The Cost of Inaction

Many clinics operate under the illusion that they are too small to be targeted or that their existing security measures are sufficient. However, data shows that healthcare remains one of the most targeted industries for cyberattacks, and yesterday’s solutions are no longer sufficient. The cost of a data breach in healthcare is the highest of any industry, averaging $10.93 million per breach in 2023, according to the IBM Data Breach Report. Beyond financial losses, a breach can lead to:

Patient trust erosion – Patients may leave if they feel their data is unsafe.
Regulatory fines – Non-compliance with HIPAA and other regulations can result in hefty penalties from the Feds.
Civil penalties – In virtually every case, after HHS/OCR comes calling, State Attorneys General and even private law firms join the bandwagon to come after you.
Operational downtime – Ransomware attacks can bring clinic operations to a halt.
Distraction to the management team – Dealing with all the fallout and recovery efforts detracts from taking care of patients and running the practice.

Ignoring cybersecurity isn’t just a risk – it’s a liability.

How to Budget for Cybersecurity Effectively

A strong cybersecurity strategy isn’t just about spending more money; it’s about investing strategically to maximize protection where it matters most. Here’s how clinics can take a structured approach to cybersecurity budgeting:

1. Align Cybersecurity with Business Objectives
Security shouldn’t be a standalone technology function, or an after-the-fact add-on – it should be integrated into the clinic’s overall technology and operational strategy. Our vCIO approach focuses on aligning cybersecurity investments with key business goals, ensuring that security measures support patient care, compliance, and operational efficiency.

2. Prioritize Risks and Allocate Resources Accordingly
Not all risks are equal. Start by assessing vulnerabilities in areas like:

User vulnerabilities – Are users properly trained on an ongoing basis to detect and respond to phishing attacks? According to CISA.gov, over 90% of all breaches begin with a phishing attack on end users.
Network security – Are systems properly segmented and monitored?
Endpoint protection – Are all devices secured and regularly updated?
Authentication and access control – Are staff following best practices for login credentials, including multi-factor authentication (MFA) and single sign-on (SSO)?
Provisioning – Is this automated across the practice, with end users segmented by job role, to prevent inappropriate access?

By conducting a risk assessment, including the likelihood and impact of different threats, clinics can allocate their budget where it will have the most impact.

3. Reduce Phishing by Rethinking Communication
Your employees can unintentionally be your biggest threat when it comes to data breaches. Phishing remains one of the biggest cybersecurity threats to clinics, with attackers often targeting staff via very sophisticated but fraudulent emails. Instead of relying on traditional email, which is inherently vulnerable, clinics can eliminate phishing threats altogether by using internal communication platforms like Slack, Microsoft Teams, or similar secure collaboration tools. Internal communication platforms are not exposed to the outside – phishing attacks typically occur via email, but platforms like Slack keep communication within a controlled, encrypted environment. By shifting communication to a secure, internal system, clinics can dramatically reduce the risk of phishing attacks while improving workflow efficiency.

4. Invest in People, Not Just Technology
Most breaches occur due to human error, or at least human enablement. While tools such as firewalls and antivirus software are critical, so is training staff to recognize scams and follow security protocols. Allocating part of the cybersecurity budget to ongoing security awareness training can prevent costly episodes. And fortunately, these solutions are relatively inexpensive, especially compared to expensive monitoring and reporting tools and services that frequently give more appearance of compliance than actual protection.

5. Implement Proactive Security Measures
Preventative security investments cost far less than responding to a breach. In addition, in the fire drill that usually follows a breach, there is precious little time to unravel the problem and look for the root cause. To be better prepared for when – not if – a security event happens, clinics should focus on:

Extended detection and response (XDR) solutions
Security Information and Event Management (SIEM) systems
Ongoing penetration testing and reporting
Application whitelisting
Business Continuity and Disaster Recovery (BCDR) planning, including redundant systems where feasible

A proactive approach minimizes both risks and costs in the long run. And just by doing the planning exercise, the practice can frequently identify hidden risks and take appropriate action.

6. Consider Compliance as a Cost-Saving Strategy
Regulatory compliance isn’t just about avoiding fines – it’s about ensuring best practices that inherently strengthen security. Our vCIO process helps clinics align cybersecurity with HIPAA and other regulatory requirements, reducing exposure to compliance-related penalties.

Making Cybersecurity a Business Priority

Cybersecurity isn’t just a tech issue – it’s a critical business function that directly impacts patient care, reputation, and financial health. By adopting a strategic vCIO-driven approach, clinics can make smart investments that balance security, compliance, and operational needs. Ignoring cybersecurity is far more expensive than budgeting for it wisely. The question isn’t “Can we afford to invest in cybersecurity?” – it’s “Can we afford not to?”

Need
Security Theater vs. Security Protection: Avoiding the Illusion of Safety
In today’s healthcare environment, security is not optional. Yet many organizations fall victim to “security theater” – implementing measures that provide more appearance of safety than actual protection. It’s tempting to tick off compliance checkboxes with standardized assessments, fancy reports and a few expensive tools. However, the result is often a fragmented, overly costly, and ultimately ineffective security posture, one that leaves the practice with far less protection than it probably thinks it has.

What Is Security Theater?

Security theater refers to measures designed to make people feel safe without necessarily improving real security. It’s like locking the front door while leaving the back door wide open. In healthcare, this often manifests as:

The Hidden Downside of High-Cost Piece-Part Solutions

You’re spending a ton of money with a big-name tech vendor, so you MUST be protected, right? (Remember the old adage, “No one ever got fired for picking IBM”.) Fragmented security investments with big-name companies often leave organizations with significant blind spots. Consider the following pitfalls:

Moving from Theater to Real Protection

True security requires a shift in mindset from reactive compliance to proactive risk management. Here’s how to bridge the gap:

From Illusion to Impact

Security in healthcare should not be an illusion designed to satisfy auditors or impress stakeholders. It should be a genuine effort, focused on the major risks, and designed to actually protect patient data, ensure continuity of care, and build trust. By moving beyond the flashy tools and shallow assessments of security theater, organizations can build robust, cost-effective defenses that truly safeguard what matters most. Are you ready to stop playing to the audience and start building real protection? Reach out to learn how you can transform your approach to real security protection.
Why Is Tech Support in Healthcare So Frustrating?
When Traditional Healthcare IT Support Falls Short

Healthcare organizations, especially mid-enterprise physician-owned practices, face constant change and unique challenges with technology support. Users tell us repeatedly that traditional help desk ticketing systems often feel like a black hole – issues are submitted but seem to vanish into the void, leaving staff wondering if their concerns are being addressed. Other problems with old-fashioned ticketing systems:

Healthcare users need support systems tailored to their environment: quick, intuitive, and capable of understanding the criticality of issues in real time. Until then, old-fashioned ticketing systems will continue to be a square peg in a round hole.

Real-Time Collaboration Beats Ticketing Systems

Newer collaboration tools like Slack transform the user experience by fostering real-time help and collaboration. Unlike ticketing, which is one-directional and opaque, tools like Slack enable everyone in a group to see issues as they arise, collaborate on solutions, and ensure things get done. This visibility builds trust in your technology systems, creates alignment and transparency, and empowers teams to tackle challenges together. Our customers have told us how these real-time support models can make a difference:

Example: During a new system rollout, staff in a particular clinic voiced concerns about system usability through their dedicated Slack channel. The IT team quickly addressed the issue, shared the resolution in the channel, and ensured everyone understood the solution. This transparent approach kept the rollout on track and minimized disruptions while fostering a stronger sense of collaboration across departments.

By breaking down barriers and prioritizing communication, healthcare organizations can achieve more than just successful technology rollouts. They can build cohesive, resilient teams that are ready to embrace change and drive innovation.

The Big Picture

Technology in healthcare is as much about people as it is about systems. Empowering leaders, embracing agile tools, and fostering transparent communication allows healthcare teams to turn challenges into opportunities for growth and innovation. Success starts with a conversation. By choosing tools that prioritize collaboration, healthcare organizations can not only enhance their technology initiatives but also create resilient, forward-thinking teams prepared to meet the future with confidence.