Skip to content
HomeCase StudiesMulti-Site Medical Practice
HIPAA

Multi-Site Medical Practice

Seven locations, aging servers, and HIPAA on the line. New infrastructure, secure interconnectivity, and tested recovery brought the practice to a clean audit.

IndustryHealthcare (multi-site practice)
Scale7 locations · 200+ staff
RegionLower Hudson Valley, NY
Timeline12 weeks · ongoing management
The Challenge

Older IT infrastructure had become a hard constraint for this well-established, rapidly expanding medical practice. Undersized servers on an end-of-life OS ran the EHR; imaging archives filled whatever disk was nearest; and each new location bolted on another one-off network.

Two requirements were non-negotiable: HIPAA compliance across every site, and real-time connection among all offices so clinicians could work from any location.

Clinicians move between offices all week — now the systems move with them. And when the auditors asked about recovery testing, we handed them the logs.

Practice Administrator
What NetSys Did

The approach

1

Compliance-first assessment

Gap analysis against the HIPAA Security Rule: access controls, audit logging, encryption at rest and in transit, and — the biggest finding — recovery objectives that existed on paper only.

2

Platform refresh

New server hardware running the latest Windows Server OS with Hyper-V, sized for the EHR and imaging workloads with headroom for two more locations.

3

Secure site interconnect

Business-grade firewalls at all seven locations joined in a secure site-to-site VPN mesh, giving every office encrypted, real-time access to central systems — with per-role access controls.

4

Protect, back up, verify

Cloud-based server protection, HIPAA-appropriate encrypted backups with offsite copies, documented RTO/RPO per system, and scheduled restore tests. NetSys provides ongoing management for all servers and workstation hardware.

Deployed Stack
  • Windows Server 2022 + Hyper-V
  • EHR & PACS workload hosting
  • Firewalls at all 7 sites
  • Site-to-site VPN mesh
  • Role-based access control
  • Encryption in transit & at rest
  • Cloud server protection
  • Encrypted offsite backups
  • Scheduled restore testing
  • Workstation lifecycle management
Measured Outcomes

The results

7
Locations connected in real time over an encrypted VPN mesh
92%
Reduction in worst-case recovery time for clinical systems
0
Findings on the infrastructure portion of the next compliance review
Recovery time objective by system (hours)
Before After
0255075100EHRImagingEmailFile shares

RTOs are contractual targets validated by scheduled restore tests, not estimates.

View data table
Before (hours)After (hours)
EHR484
Imaging728
Email241
File shares482
Want results like these?

Start with a free assessment — or the pen test.

Every engagement above began the same way: an honest look at where things stood. Take a scored assessment online, or book a free on-site penetration test and see your environment the way an attacker does.