Beyond Break-Fix Support
The clinic — a six-practitioner Brisbane general practice with onsite practice management software — had outgrown its IT support model. The previous MSP handled reactive tickets — printer issues, password resets, occasional server reboots — but never addressed the fundamentals: perimeter security, backup integrity, access control, or compliance documentation required under Australian Privacy Principles (APP) and RACGP IT standards.
Practice manager Helen described the frustration: "We paid a monthly retainer and still got surprise bills for 'after hours' server reboots. When I asked about backup testing for RACGP compliance, they sent a one-page PDF that was clearly a template. Our actual security posture? Nobody could tell me."
The clinic's aging onsite server ran practice management software without segmented network access, without tested disaster recovery, and without audit logging. A ransomware incident at a neighbouring practice sharpened focus on what they did not have.
What We Delivered
Network Perimeter Hardening
- Next-generation firewall with intrusion prevention and geo-blocking
- Segmented VLANs separating clinical systems from guest and admin traffic
- VPN access for remote staff with MFA enforcement
Access Controls
- Role-based permissions aligned to clinical and admin roles
- Privileged access management for server and backup console access
- Audit logging for all administrative actions
Immutable Cloud Backups
- Automated daily backups to offsite cloud storage with immutability flags
- 3-2-1 backup strategy: three copies, two media types, one offsite
- Quarterly restore testing documented for compliance records
Compliance Mapping
| Requirement | RACGP IT / APP area | Deliverable |
|---|---|---|
| Data backup and recovery | RACGP IT — backup procedures | Automated daily backups with immutability; quarterly restore tests documented |
| Access control | APP 11 — security of personal information | Role-based permissions, MFA on VPN and admin consoles |
| Audit trail | APP 11 — accountability | Administrative action logging with retention policy |
| Network segmentation | RACGP IT — network security | Clinical VLAN isolated from guest Wi-Fi and admin traffic |
| Incident readiness | RACGP IT — business continuity | Documented DR runbook; simulated outage exercise completed |
Helen used the compliance mapping table directly in the practice's privacy impact assessment update — replacing the generic MSP template with evidence-backed documentation.
Simulated Outage Validation
We ran a controlled disaster recovery exercise over a planned half-day closure:
- Hour 0 — Snapshot primary server state; verify latest immutable backup timestamp
- Hour 1 — Simulate ransomware: isolate primary server from network
- Hour 2 — Restore practice management database from immutable cloud backup to standby environment
- Hour 3 — Verify patient records, appointment data, and billing integrity against pre-exercise snapshot
- Hour 4 — Document recovery time, data integrity result, and lessons learned
Zero data loss. Recovery time met RACGP expectations for clinical continuity. The exercise report became part of the practice's compliance documentation for the annual review.
Results After Twelve Months
| Metric | Before | After 12 months |
|---|---|---|
| Annual IT spend (retainer + ad hoc) | ~$38,400 | ~$24,600 |
| RACGP IT compliance documentation | Generic MSP template | Evidence-backed, practice-specific |
| Backup restore tests documented | 0 | 4 (quarterly) |
| Simulated outage data integrity | Untested | 100% |
| Security incidents | 0 (but untested posture) | 0 (with validated controls) |
Helen: "We pay less and actually know our backups work. The DR exercise was the first time anyone proved we could recover — not just claimed we could."
Engagement Model
Unlike traditional MSP retainers, this clinic pays for defined project delivery plus hourly support on demand. No lock-in contract, no monthly minimum — they get architectural upgrades when needed, not printer jam tickets billed at premium rates.
Phased delivery over six weeks: security assessment (week 1), perimeter and VLAN deployment (weeks 2–3), backup and immutability configuration (week 4), access controls and audit logging (week 5), DR exercise and compliance documentation (week 6).
Medical practices with similar challenges can explore our Managed Technology services — cybersecurity, compliance-aligned infrastructure, and honest support without retainer bloat.