Case Study: Family Doctor’s Office in New Hampshire (Podcast)
Dave Hodgdon talks about a case study involving a family doctor’s office in New Hampshire that PCG does Managed IT and security work for.
John Maher: Hi, I’m John Maher and I’m here today with Dave Hodgdon, CEO and founder of PCG, a managed services and security provider with headquarters in Portsmouth, New Hampshire. Today we’re doing a case study on a family doctor’s office in New Hampshire. Welcome Dave.
Dave Hodgdon: Good morning, John. How are you today?
Background of the Client
John: Good, thanks. So Dave, tell me a little bit more about this medical office and what it is that they do.
Dave: Our sales team found this opportunity through some of our cold canvassing. The client had been a little bit frustrated with their current managed service provider who was managing their IT. And like anything, making a change, whether it’s your accountant, your attorney, or your IT, it’s always tough. But after a couple of visits from our sales team, they realized that they wanted to have a meeting.
They weren’t getting the guidance they wanted, they weren’t getting the response times for their help desk. Again, in the medical industry, your time is limited when you’re trying to give patients care. If you can’t access what you want or get the information you need or get on a line, life becomes very frustrating.
We also knew from their end that they thought their equipment was a little bit aging. They didn’t really have a roadmap in place to address some of those concerns. So, we originally determined those three key issues of having better response time, addressing the aging network, and coming up with some form of security plan were the key things to help out.
Initial Strategies Implemented to Help the Client
John: So, then what was your strategy and what were some of the initial things that you implemented?
Dave: Everything must start, John, with a network assessment, getting a baseline, similar to why you, if you’re not feeling well, go to the doctor and they check all your vitals. So, we had to determine the vitals and start at the infrastructure, the switch, the wireless, the firewall, check the server health, check the performance, understand if their applications are local or in the cloud. Are the PCs up to snuff? It’s amazing how many machines, John, we see out there that are still running Windows 7 and up to Windows 10. And then during that network audit, we also speak to some of the key people to get their feedback of what’s right, what’s missing, what’s confusing, and how technology can help them.
After hearing that, we were able to listen to their specific needs. And a big push for what they wanted, they wanted not to have a server on-premises. They wanted to get to the cloud. But there are many steps to have that happen first and you just can’t go to the cloud without having more of that discovery. So, the strategy was, let’s understand your network first, let’s get you to a baseline that we’re happy with, and then we can understand more about the applications that you’re using and how to get that to the cloud with your vendors.
The Network Assessment
John: So, tell me a little bit more about the network assessment and what’s involved in that and what you discovered when you did that.
Dave: Well, many areas of the audit are like checking your vitals, John. We wanted to see how the wireless coverage was in the exam rooms. They had mentioned to us that it was spotty in certain rooms. Well, we determined right away why it was spotty. Their email was not on 365, it was on POP accounts. So from our end, as well as from a compliance and HIPAA standpoint, they weren’t meeting the requirements of keeping the email, having it backed up, having email encryption, the security in place.
The server, we knew right away when we looked at it, it was six, seven years old. So, to me, no warranty. No known outcome if something went wrong if you had to replace something. If there was an unknown, that could be downfall. And they’re running their key line of business for all their scheduling and their medical notes through this server.
The backup was… I don’t even want to call it a backup. It was terrible. And there was really, there was no known turnaround time to when that was going to be recovered.
They weren’t satisfied with the line of business that was there. So, we knew it was time for them to start searching for what’s available for a family doctor’s office. And there are many options out there. Once they think they have found the two or three they like, we confirm the setup requirements for on-premises equipment, the internet connection, and the backup, and we make sure that we’re asking all the technical questions, moving the data from the old to the new. There were definitely many security gaps during the original assessment, but after all of that, we were able to come up with a great plan for them.
Tactics to Improve the Client’s IT Environment
John: Okay. So, tell me then, what were your tactics? Once you did that network assessment and you figured out what was wrong and how you needed to move forward, what tactics did you implement in order to really get them back up to speed and where they needed to be?
Dave: Well, like a doctor… after they do their assessment, their tests, they come back to you with what the plan should be. So, we kind of took the same approach… Basically, you can’t get to the top of the mountain without taking your slow steps to get up there. So, we came up with the main things to address, the infrastructure had to be addressed. They weren’t ready to get to the cloud yet, so we put a temporary server in place of one of ours. We call that hardware as a service. That’s a great gap, John. There’s no reason for them to invest into a server when they can just pay a monthly fee instead. Think of it as buying a car, I’m leasing something until I’m ready to commit to that.
We were able to work with their new cloud provider, and they quoted an exorbitant amount of money to export the patient data to the cloud because the client needed, for compliance, to have access to the data for seven years. And after speaking to the cloud provider about what they wanted to charge, I was able to get on the phone with them and negotiate and get a much better price to export the data and have it available to the client for historical reasons. The client needed to have that seven year look back on the patient’s data. Moving forward, that data is live, but they still needed access to the old system, which was sitting on an old server, which wasn’t supported by the software vendor. So, we had to get that data out so that we could at least view it.
We wanted to retire the server. We wanted to get the email away from the POPs. We did an email system. We wanted to make sure based on HIPAA guidelines that we were giving them the necessary steps in their email. John, MFA is probably one of the hottest things right now… that stands for multi-factor authentication. In other words, it uses multiple factors to authenticate that I’m the user of that email. We had to do the email encryption. We also wanted to do a certain amount of security training with the staff, so the staff knew what to look for, so they weren’t going to be hit by one of these phishing attacks. So, there are many moving pieces, but we just took it one at a time, got through it and went to the next one. And within six, seven months, we pretty much hit most of the major buttons that we had to get to for this doctor practice.
Outcomes of Working With PCG
John: So how long have you been working with them now and what have been the results and the outcomes of the project?
Dave: We’re in our fourth year right now… so one of the outcomes was that they wanted to have no server on-premises. So, we helped them with the loaner server, got everything in place to export that data to the cloud. Once they were working in the cloud environment and they saw access to their whole program, we were able to retire the server. The one last thing we had to do was to retire in the server, what’s known as an active directory. That’s kind of like the keys to the kingdom, who has permissions to do what. We were able to move those services to the 365 platform under the premium.
At this point, there is no more server on-premises, which is happy, they’re totally cloud based. They needed better wireless coverage in the office, so we were able to put better wireless in place, so they had public and private Wi-Fi. You never want people coming into your office ever to be on your private network. And you as an employee should not be on your private network with your cell phone. Your cell phone now is one of the more susceptible devices, John, for the bad actor to get in. You always want to be on the public Wi-Fi.
Why Businesses Need Public and Private Wi-Fi Networks
John: And especially in a doctor’s office like that, you have a lot of people coming into the office on a regular basis. They maybe want to sit in the lobby and use their phones while they’re waiting or something like that, so you can provide that access to them without it interfering with your network.
Dave: Correct. You want to give your customers, your patients, your clients, the ability to access the internet. So, if they’re sitting, waiting for you, you can allow them to work on their notebook, their tablet, or their phone, but they’re not on your private network. You always need a public network, and you should keep it in a totally different bucket than your private network.
They had many PCs, John, still running Windows 7. So, like anything, we had to get those up to the Windows 10 and confirm everything was working properly up in the cloud. We were able to write up a statement of work for each one of those. They got approved and now their ticket noise has gone down dramatically. Their client satisfaction is up. Their tablets are running. They know when they call for help, we’re there to assist them. We’ve assisted them over the last six to eight months with just constantly following the HIPAA guidelines of what needs to be in place for security.
And security is, it’s a different bucket than IT services, John. I think most clients think that IT is managed, and that security is part of that. It is part of it, but it’s its own bucket. Fixing or running the updates is different from having a security plan and the necessary security services to keep your particular industry up to compliance. Unfortunately, there are additional fees in the security world to protect your data, to protect your employees. It’s one of those necessary evils that none of us were planning five, six, seven years ago that you’d have to be spending recurring money on security.
That’s the nature of the beast and unfortunately, when we all are living on the internet and we’re constantly doing things online and a lot of these bad actors have found ways to wreak havoc on us, we need to pay attention to security. And at PCG, a big part of our expenses are to make sure we’re secure. So, it’s one of those discussions we have with clients so that they understand why they need it. We’re not forcing clients to do this, it’s the industry, it’s the HIPAA in place to have a safe environment for their patients and their employees.
How Managed Services Help Clients Prepare for the Future
John: Any final thoughts on this doctor’s office and your managed services and security that you do for them? Where they’re going maybe in the future?
Dave: Well, I think the best thing we liked about them was that when they knew that there was a problem, they didn’t want to just keep on putting the dirt under the mat. They knew they had to fix things. So, they were proactive, they were a little forward-thinking. They wanted to get to the cloud. They understood that having their email on POP accounts was outdated, they understood where some of the security vulnerabilities were. They take our advice, and each year, when we have our VCIO meeting, we kind of let them know, here’s the current baseline. These are the two or three things that we see as an issue to address.
But like anyone, John, we need to hear from them what their goals are, what their issues are. And then at that point, we can help them with how technology can help. And that allows them to understand why they’re spending the money and the value to the practice, to the employees, and to the patients. We just don’t want people to spend money to spend money. There must be a legitimate reason for that to happen.
Contact PCG About Managed Services and Security Today
John: Absolutely. All right. Well, that’s really great information, Dave. Thanks again for speaking with me today.
Dave: My pleasure.
John: And for more information, visit the PCG website at pcgit.com or call 603-431-4121.
