Six Years: Lessons from Growing a Healthcare IT Business
September 10, 2017. Six years since we started Robell Technologies in Arizona. This past year has been our busiest and most challenging yet, which means we learned a lot.
Here's what year six taught us about serving dental practices, medical offices, law firms, and accounting firms.
2017: The Year of Ransomware
WannaCry in May. NotPetya in June. Countless smaller ransomware incidents throughout the year. 2017 was defined by ransomware attacks.
We helped multiple practices recover from ransomware this year. Some had good backups and recovered quickly. Others learned the hard way that backups they thought existed didn't actually work.
What we learned:
Isolated Backups Are Essential
Ransomware actively seeks out and encrypts backup files. If your backup drives are connected to your network, they're vulnerable. We now insist on isolated backups, cloud backups with versioning, and regular testing.
Speed Matters
The faster you can restore from backup, the less downtime you suffer. Practices that recovered in hours had recent, tested backups and documented restoration procedures. Practices down for days had to figure everything out during the crisis.
Prevention Is Cheaper Than Recovery
Email filtering, staff training, and proper security configuration cost a few hundred dollars per month. Ransomware recovery costs thousands to tens of thousands. Prevention is the better investment.
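The "backups that didn't actually work" problem above is what a scheduled restore test catches. The script below is an added example, not Robell's own tooling: it builds a backup from constructed sample files, then proves the archive restores completely by extracting it to scratch space and checking every file against a sha256 manifest, and flags a backup that has gone stale. The directory names and the 24-hour freshness threshold are assumptions.

```shell
#!/bin/sh
# Added example (not Robell's tooling): build a backup, then prove it restores.
# Constructed sample data stands in for practice files; BACKUPS stands in for an
# isolated target (an offline drive or a versioned cloud bucket).
WORK=$(mktemp -d)
SRC="$WORK/practice-data"
BACKUPS="$WORK/backups"
mkdir -p "$SRC/charts" "$BACKUPS"
printf 'chart: patient A, constructed\n' > "$SRC/charts/a.txt"
printf 'schedule: 2017-09, constructed\n' > "$SRC/schedule.txt"

# make_backup SRC_DIR DEST_DIR: write a timestamped tar.gz plus a sha256
# manifest of every source file, and print the archive path.
make_backup() {
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$2/backup-$stamp.tar.gz"
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) \
        > "$2/backup-$stamp.sha256"
    tar -czf "$archive" -C "$1" .
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE: the "test restore". Extract into a scratch directory
# and check every file against the manifest; succeeds only if the restore is
# complete and intact. A backup that cannot pass this is not a backup.
verify_restore() {
    manifest="${1%.tar.gz}.sha256"
    scratch=$(mktemp -d)
    tar -xzf "$1" -C "$scratch" 2>/dev/null \
        && (cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1)
    rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# backup_age_ok ARCHIVE MAX_MINUTES: fail if the copy is stale, so a backup
# job that quietly stopped running is noticed before a restore is needed.
backup_age_ok() {
    [ -n "$(find "$1" -mmin "-$2" 2>/dev/null)" ]
}

# Nightly-style check: any failure here should page someone, not sit in a log.
check_backup() {
    verify_restore "$1" || { echo "RESTORE TEST FAILED: $1"; return 1; }
    backup_age_ok "$1" "$2" || { echo "STALE BACKUP: $1"; return 1; }
    echo "OK: $1 restores cleanly and is under $2 minutes old"
}

check_backup "$(make_backup "$SRC" "$BACKUPS")" 1440
```

Run it from cron against the real backup target and alert on a non-zero exit; the restore test, not the existence of the archive, is the evidence worth keeping.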
Cloud Migration Matured
This year, we helped more practices move to cloud-based systems than any previous year. Email to Office 365. File storage to cloud services. Some practice management systems moving to hosted solutions.
What we learned about cloud migrations:
Plan for Longer Than Vendors Say
Vendors quote 2-4 week migrations. Reality is usually 6-12 weeks for smooth transitions. Data migration takes time. Staff training takes time. Parallel operations take time.
Rushing creates problems. Taking time creates successful transitions.
Internet Becomes Critical Infrastructure
Once you're cloud-based, internet outages mean you can't work. We now recommend backup internet connections for practices heavily dependent on cloud services.
Cellular failover or dual ISPs cost money, but they prevent complete shutdown when primary internet fails.
Not Everything Should Move to Cloud
Cloud works great for many things. But some systems (imaging systems with large files, legacy practice management software) work better on-premise.
Hybrid approaches are often optimal: email and file storage in cloud, clinical systems on local servers.
HIPAA Enforcement Got Real
We saw our first client face OCR investigation this year. Not because of a breach, but because a disgruntled employee filed a complaint about lax security.
The investigation was stressful and expensive. It ended with no fine, but required extensive documentation, policy updates, and risk analysis.
Lessons learned:
Documentation Matters
You need documented security policies, risk analyses, and evidence of compliance efforts. "We do HIPAA stuff" isn't sufficient. You need written proof.
Risk Analysis Can't Be Superficial
Generic risk analysis templates don't satisfy OCR. You need actual analysis of your specific systems, threats, and controls.
Employee Training Must Be Documented
You need records of who was trained, when, on what topics. Sign-in sheets, completion certificates, test results. OCR asks for this evidence.
Multi-Factor Authentication Adoption
This year, we successfully pushed more clients to implement MFA on critical systems: email, remote access, and financial systems.
Initially, staff resisted MFA as inconvenient. Within weeks of adoption, it became routine. And we saw dramatic decreases in account compromise attempts.
MFA is one of the highest-impact security improvements we can make. Getting past initial resistance is worth the effort.
What's Working Well
Proactive Monitoring
Automated monitoring of servers, network equipment, and security systems lets us catch problems before clients notice them. Hard drives fail gracefully instead of catastrophically. Security issues get addressed before they become breaches.
Quarterly Check-Ins
We started scheduling quarterly reviews with clients. Not just "everything working okay?" but actual reviews of backup status, security updates, upcoming needs, and technology planning.
These check-ins catch small problems early and help practices plan technology investments instead of making panic decisions during crises.
Specialized Expertise
Focusing on healthcare and professional services has made us better at what we do. We know HIPAA inside and out. We understand dental practice workflows. We know what law firms need for ethical compliance.
Specialization serves our clients better than trying to be everything to everyone.
What We're Still Working On
Getting Practices to Budget for IT
Many practices still view IT as an expense to minimize rather than an investment in business infrastructure. This leads to deferred maintenance, aging equipment, and emergency spending.
We're working on helping practices understand total cost of ownership and plan multi-year technology investments.
Balancing Security and Usability
Strong security can create friction in workflows. We're constantly balancing security requirements against practical usability for busy clinical staff.
The best security is security that people actually use consistently, not theoretically perfect security that gets bypassed because it's too cumbersome.
Keeping Up with Threats
Cybersecurity threats evolve constantly. Keeping current on new attack vectors, emerging vulnerabilities, and effective defenses requires ongoing education and attention.
Looking Ahead
Year seven will likely bring:
- More ransomware (it's too profitable for criminals to stop)
- Continued cloud adoption
- Increasing focus on mobile device security
- More HIPAA enforcement
- Growing importance of cyber insurance
We're preparing by investing in advanced security tools, expanding our monitoring capabilities, and developing better training programs for practice staff.
Thank You
Six years in business means six years of Arizona practices trusting us with their technology infrastructure and data security. Some clients have been with us since day one. Others joined recently. All of them make this work meaningful.
To our clients: thank you for your business, your feedback, and your patience when we're learning new technologies alongside you.
To practices considering working with us: we'd welcome the opportunity to help you navigate the increasingly complex world of healthcare and professional services IT.
Here's to year seven. Let's make it even better than year six.