Close

See How Your Peers Are Moving Forward in the Cloud

New research from CDW can help you build on your success and take the next step.

Click Here to Read the Report
Feb 05 2025
Management

Managed IT Services for Healthcare: Choosing the Right Partner

When it comes to IT, health systems need a managed service provider (MSP) with deep healthcare experience.
Brian Eastwood
by

Brian Eastwood is a freelance writer with more than 15 years of experience covering healthcare IT, healthcare delivery, enterprise IT, consumer technology, IT leadership and higher education.

Healthcare is no stranger to managed service providers, as many health systems depend on temporary clinical staff, legal advisers and third-party partners for waste management, cleaning and food services. These professionals help organizations run smoothly without requiring them to hire and retain full-time staff.

Amid the increasing complexity of technology environments and growing resource constraints, the industry is turning its attention to managed service providers for IT. MSPs, in simple terms, offer personnel and resources to complement healthcare organizations’ internal IT teams.

These offerings can vary significantly from one organization to another, notes Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS).

“If you have a large physician practice, there may be an office manager, but there may not be anyone with technical expertise on staff. They may need a combination of general IT and cybersecurity support,” she says. “A large hospital may not need a general purpose, A-to-Z solution, so they may pick and choose what to address, like a gap in threat hunting.”

Click the banner below for expert guidance to help optimize your IT operations.

ht-itoperations-animated-2024-uncover-desktop ht-itoperations-animated-2024-uncover-mobile

 

Why Managed Services in Healthcare Matter

MSPs typically offer IT services such as network, server and storage monitoring and management, cloud migration and disaster recovery. These are valuable resources for organizations transitioning to modern IT infrastructure and managing technical debt, notes Philip Bradley, digital health strategist for validation and analytics services at HIMSS.

“CIOs and CTOs are finding their technology resources can’t keep up with the demands of the business. A lot of organizations lack the resources to manage 99.999% uptime infrastructure, or even 99.99%,” he says.

The appeal of the MSP is twofold, Bradley adds: It spreads out infrastructure costs over a longer period and it gets health systems out of the hardware upgrade cycle.

Along with infrastructure modernization, healthcare increasingly relies on third parties for managed IT security services. Kim points to managed detection and response services as a common example, as they essentially provide a 24-hour, remote security operations center to monitor against threats — a must-have for healthcare organizations facing more cyberthreats than ever.

Seven Key Features of MSPs Well Equipped to Serve Healthcare

Organizations benefit from working with MSPs that have industry experience. “The MSP needs a well-defined healthcare program,” Bradley says. “All MSPs understand the financial security requirements, but not all of them understand the nuances of protected health information. There’s a difference between running a bank and running a health system.”

MSPs need to do more than simply ensure HIPAA compliance or HITRUST awareness. “Good data governance is a matter of patient safety. It impacts the ability to keep clinical systems operational,” Lee says. “An MSP should have respect for patient data. It should be accessible and available, especially in an emergency.”

Six other characteristics of a leading MSP for healthcare organizations are:

  • New functionality embedded in existing workflows. Any new solution that’s built and deployed, whether for clinical, administrative or IT users, needs to be fully integrated into existing workflows. “It can’t be something you access in a different tab somewhere,” Bradley says.
  • Scalability, up and down. It’s common for MSPs to increase computing power at go-live or during a research initiative. The relationship shouldn’t change when an organization needs less horsepower, Bradley says, and operating expenses should decrease accordingly.
  • Support to match healthcare’s business model. Around-the-clock support should cover more than cybersecurity monitoring, Kim notes. That includes technical support and data replication services. “Whether you’re a community hospital, a rural hospital or a specialty clinic, you need to be able to rely on a vendor to be there for you at any time.”
  • Consistent governance and safeguard policies. For many MSPs, around-the-clock support means around-the-globe support. Healthcare organizations need an MSP that applies the same data privacy and security requirements to workers in all jurisdictions, Kim says. Safeguards should run the gamut from how data is handled to where employees work.
  • Transparency and frequent communication. Readily available governance policies should be table stakes for an MSP. Transparency should extend to communication about how the MSP operates. “It’s not which disk drive the new build is being saved to, but whether the build will affect production,” Bradley says. “It’s not just that a downtime window was missed. It’s what’s going to happen because they fell short of their guarantee.”
  • Robust tools for performance monitoring. Legacy workflows all too often consist of a team of analysts getting alerts from dozens of monitoring systems. Beyond using tools with a holistic view of enterprisewide performance, MSPs should be able to provide insights to health system leadership. “If there was an internal performance issue, they’d hear about it. They still want that level of detail,” even if the infrastructure is offsite, Bradley says.
Philip Bradley
A lot of organizations lack the resources to manage 99.999% uptime infrastructure, or even 99.99%.”

Philip Bradley Digital Health Strategist for Validation and Analytics Services, HIMSS

Choosing the Right MSP: It’s About the RFP and the SLA

The process of selecting the right MSP for healthcare begins with the request for proposal, which should include technical and business safeguards. Organizations will want written policies in areas such as data security and governance, technical support and data breach notification. Kim strongly recommends legal review while drafting the RFP.

Technical requirements and expectations should be as explicit as possible. Bradley recommends a well-defined scope of work and cost of services that indicates which applications the MSP will be responsible for managing. Any new services the MSP implements need to at least be in production, he adds: “You don’t want to fall victim to, ‘Well, it was in beta.’”

DIVE DEEPER: Find out why co-managed security services matter for healthcare.

Part of the RFP due diligence process is getting to know the MSP as a company. This means finding out who owns the company, where it operates and how long it’s likely to be in business, Kim says. It doesn’t hurt to ask for the opportunity to audit the company, she adds.

After choosing an MSP, Bradley and Kim say, it’s critical to write a service-level agreement  with teeth. For example, the SLA should state the implications for the MSP falling short of a downtime guarantee or experiencing a breach. A credit alone may not suffice if an incident impacts downstream revenue or patient outcomes.

The organization and MSP also should discuss what will happen when the partnership ends. The SLA should spell out the MSP’s responsibilities as a contract winds down, Bradley says — with particular attention paid to how patient data gets migrated from the MSP to the health system.

“You need to make sure you can get the data back in a format that you can actually use,” Kim says.

gorodenkoff/Getty Images

More On

Related Articles