Managed IT services for hospitals means outsourcing IT infrastructure, cybersecurity, and HIPAA compliance operations to a third-party provider under a formal service-level agreement. When evaluating providers, hospitals should ask specific questions across four risk categories: HIPAA documentation and audit readiness, managed detection and response for clinical networks, ransomware resilience and backup recovery, and subcontractor HIPAA accountability. Providers who answer in specific, verifiable detail are worth evaluating further. Providers who generalize are telling you the same thing.
No managed IT provider has ever told a hospital they were not HIPAA compliant, and that is exactly the problem.
The sales pitch is uniform: HIPAA-compliant infrastructure, 24/7 monitoring, proven security protocols. Vendors repeat it so reliably that it no longer carries information. The words tell you nothing about whether a provider can actually protect your patients, survive an OCR audit, or keep your EHR running at 2 a.m. when a ransomware event hits a trauma bay.
What separates providers who can from providers who just say they can is what happens when you stop accepting the pitch and start asking specific questions.
The questions below are organized by risk category: HIPAA documentation, cybersecurity, ransomware resilience, and subcontractor accountability. For each one, we have described what a strong answer looks like versus a rehearsed one, so you can evaluate responses in real time, not in hindsight.
What Do Standard Hospital RFPs Miss When Evaluating Managed IT Providers?
Standard RFPs ask providers to confirm capabilities they already know how to confirm: 24/7 support, BAA signing, and prior healthcare experience. None of those answers reveal whether a provider understands clinical operating reality. A better evaluation asks about specific incident experience, documented runbooks, healthcare-segmented performance metrics, and audit history with OCR. Those questions surface operational knowledge that checkbox RFPs miss entirely.
The typical RFP process asks providers to confirm capabilities they already know how to confirm. Do you offer 24/7 support? Yes. Do you sign Business Associate Agreements? Of course. Have you worked with healthcare clients before? We have a whole vertical.
None of those answers tell you whether the provider understands the operating reality of a hospital: the difference between scheduled downtime and a clinical emergency, the way EHR access patterns differ from standard enterprise traffic, or what a ransomware event actually costs a facility that diverts ambulances for days.
According to a 2022 study published in JAMA Health Forum (Neprash et al.), ransomware attacks on U.S. healthcare delivery organizations more than doubled between 2016 and 2021, exposing the personal health information of nearly 42 million patients. The same research found that 44% of attacks caused care delivery disruptions including ambulance diversion, delayed procedures, and extended EHR downtime. The scale of that exposure makes vendor selection a patient safety decision, not just an IT procurement one.
The questions that follow surface specific, operational knowledge. Providers who have it answer in detail. Providers who do not have it generalize.
HIPAA Compliance and Documentation
1. Walk me through what a Business Associate Agreement means operationally for your team, not just legally.
This question separates providers who understand BAA obligations from those who treat them as a contract checkbox. Under 45 CFR Section 164.308(b), covered entities must obtain satisfactory assurances from business associates, and those assurances must translate into actual data handling procedures, not just a signature. A strong answer addresses how the BAA shapes their access controls, what happens when a subcontractor also touches PHI, and how they track downstream vendor compliance on your behalf. If the answer stops at “we sign BAAs with all our clients,” push harder.
Note: The Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA liability directly to business associates, meaning your MSP can be held independently liable for breaches, not just your organization. Providers who understand this speak to it without prompting.
2. How do you conduct your HIPAA Security Risk Assessments, and what does the deliverable actually look like?
A HIPAA Security Risk Assessment is an explicit regulatory requirement under 45 CFR Section 164.308(a)(1), not a differentiating service. Strong providers describe a structured methodology that maps ePHI flows across systems including cloud environments, remote access points, and EHR integrations such as Epic, Oracle Health, or MEDITECH. They identify threats and vulnerabilities, assign risk levels, and deliver a remediation roadmap with prioritized findings. A vague answer about “ongoing monitoring” tells you the assessment work is not happening with the rigor OCR expects. Ask to see a sample deliverable from a comparable client.
3. How do you document compliance controls over time, and what does your audit support actually look like?
HHS Office for Civil Rights does not assess intentions. It reviews documentation. Specifically, it looks for written policies and procedures, audit logs, workforce training records, risk assessment history, and evidence of remediation follow-through. Ask what the provider maintains, how it is organized, and whether they have walked a client through an actual OCR investigation. Ask for a reference. Providers who have done it will give you one without hesitating.
Cybersecurity and Threat Detection
4. What does your managed detection and response capability look like specifically in a healthcare environment?
Generic MDR and healthcare MDR are not interchangeable. Healthcare networks carry HL7 and DICOM protocol traffic from clinical devices, legacy imaging systems operating on end-of-life operating systems, and EHR authentication patterns that look nothing like standard enterprise traffic. Ask whether detection rules are written to baseline and flag anomalies in those specific protocols, how the provider handles passive monitoring of unmanaged medical devices that cannot run endpoint agents, and whether SOC analysts carry actual healthcare sector experience. A strong answer names the SIEM platform, such as Microsoft Sentinel or Splunk, explains how healthcare-specific detection content gets maintained, and describes the escalation path to clinical leadership rather than just the IT team.
5. What was your mean time to detect and mean time to respond across healthcare clients in the last twelve months?
If a provider cannot give you a number, or gives you a blended figure across all industries, treat that as a signal. A compromise that lingers for six hours in a logistics company is painful. The same event in a hospital affects care decisions built on incomplete or corrupted data. Healthcare-specific MTTD and MTTR metrics are a basic performance accountability measure. Ask whether those metrics are segmented by client type in their reporting, and whether they benchmark against the NIST Cybersecurity Framework’s Identify-Protect-Detect-Respond-Recover model. Providers without industry-segmented data either do not track by vertical or do not want you to see the numbers.
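The segmentation the question asks for is easy to compute once incidents are recorded with a client vertical. The following script is an added example, not code from the article or from any provider, and uses constructed incident records for hypothetical clients. It assumes two definitions the article leaves open: time to detect is the interval from the forensically established compromise start to the SOC alert, and time to respond is the interval from the alert to containment. Run it and the blended row looks respectable while the healthcare row tells a different story.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

TS_FMT = "%Y-%m-%dT%H:%MZ"  # all timestamps are UTC

# Constructed incident records for hypothetical clients (not real data).
# "start" is the compromise time established by forensics, "detected" is when
# the SOC raised the alert, and "contained" is when the threat was contained.
INCIDENTS = [
    {"client": "hospital-a", "vertical": "healthcare",
     "start": "2025-02-03T00:00Z", "detected": "2025-02-03T08:00Z", "contained": "2025-02-03T12:00Z"},
    {"client": "hospital-b", "vertical": "healthcare",
     "start": "2025-03-11T00:00Z", "detected": "2025-03-11T04:00Z", "contained": "2025-03-11T10:00Z"},
    {"client": "freight-co", "vertical": "logistics",
     "start": "2025-01-20T00:00Z", "detected": "2025-01-20T01:00Z", "contained": "2025-01-20T02:00Z"},
    {"client": "parcel-co", "vertical": "logistics",
     "start": "2025-04-02T00:00Z", "detected": "2025-04-02T01:00Z", "contained": "2025-04-02T03:00Z"},
    {"client": "shop-co", "vertical": "retail",
     "start": "2025-05-15T00:00Z", "detected": "2025-05-15T02:00Z", "contained": "2025-05-15T03:00Z"},
]


def hours_between(later, earlier):
    """Elapsed hours from `earlier` to `later` (both strings in TS_FMT)."""
    delta = datetime.strptime(later, TS_FMT) - datetime.strptime(earlier, TS_FMT)
    return delta.total_seconds() / 3600


def segmented_metrics(incidents=INCIDENTS):
    """Return {vertical: {"n", "mttd", "mttr"}} plus a "blended" row over all incidents.

    Assumed definitions (the article does not fix them):
    time-to-detect = detected - start, time-to-respond = contained - detected.
    """
    groups = defaultdict(list)
    for inc in incidents:
        pair = (hours_between(inc["detected"], inc["start"]),
                hours_between(inc["contained"], inc["detected"]))
        groups[inc["vertical"]].append(pair)
        groups["blended"].append(pair)
    return {
        vertical: {"n": len(pairs),
                   "mttd": round(mean(ttd for ttd, _ in pairs), 2),
                   "mttr": round(mean(ttr for _, ttr in pairs), 2)}
        for vertical, pairs in groups.items()
    }


if __name__ == "__main__":
    for vertical, m in segmented_metrics().items():
        print(f"{vertical:<11} n={m['n']}  MTTD={m['mttd']}h  MTTR={m['mttr']}h")
```

With these constructed records the blended MTTD is 3.2 hours and the blended MTTR 2.8 hours, while the healthcare-only figures are 6.0 and 5.0 hours. A provider that reports only the blended row is not lying, but it is not answering the question either.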
6. How do you handle security for connected medical devices and IoT infrastructure on the clinical network?
Legacy infusion pumps, imaging systems, and patient monitoring equipment run on operating systems that manufacturers will not patch and hospitals cannot replace on a security timeline. A capable healthcare IT security partner discusses network segmentation architecture that isolates clinical device VLANs from administrative workstations, a control explicitly required under the proposed 2026 HIPAA Security Rule updates. They should also describe passive traffic monitoring using purpose-built medical device security platforms such as Claroty, Medigate, or Armis for behavioral anomaly detection on unmanaged devices, and explain how they coordinate with biomedical engineering teams during incidents. Providers who talk only about CrowdStrike or traditional endpoint protection are describing a different network than yours.
What Should Hospitals Ask About Ransomware Resilience Before Hiring a Managed IT Provider?
Hospitals should ask managed IT providers to show the ransomware response runbook rather than describe it, specify immutable off-network backup architecture with documented recovery time objectives for each tier of clinical systems, confirm quarterly restoration testing with shareable results, and provide a real incident reference from a healthcare client. Providers who cannot produce documentation on any of these points carry significant recovery risk.
Ransomware attacks on hospitals do not stay in the server room. According to the JAMA Health Forum study cited earlier, attacks caused EHR downtime, ambulance diversions, and procedure cancellations across hundreds of healthcare facilities over a five-year period. Ask questions that test whether a provider has a real clinical-context playbook for that scenario or a reassuring slide deck about one.
In a typical remediation engagement following a healthcare ransomware event, the first thing we see is not a technology failure. It is a documentation gap. The affected organization cannot show auditors which systems hold ePHI, cannot produce a tested recovery playbook, and often discovers that backup jobs were completing successfully but restoration had never been verified. The technology is usually recoverable. The missing documentation is what extends downtime from hours to days and turns an incident into a regulatory event.
7. Show me your ransomware response runbook. What are the first six steps your team takes when an incident is declared?
Asking to see the runbook rather than hear about it changes the dynamic immediately. Strong providers produce a documented, rehearsed incident response procedure covering: (1) initial network isolation protocols, (2) preservation of forensic evidence per NIST SP 800-86 guidelines, (3) notification to the patient care leadership chain, (4) activation of downtime procedures for clinical operations, (5) engagement of cyber insurance and legal counsel, and (6) regulatory notification timeline tracking. The proposed 2026 HIPAA Security Rule update, expected to finalize in May 2026 per HHS OCR, requires covered entities to restore critical electronic information systems within 72 hours.
For more detail on what the proposed rule requires, see Meriplex’s overview of the proposed HIPAA 2025 Security Rule update. Providers who cannot show you the runbook do not have one worth showing.
8. How do you architect backups, and how do you verify they are actually recoverable?
“We do nightly backups” ends the conversation in the wrong direction. Push for specifics: are backups immutable and stored in an air-gapped or logically isolated environment? What is the documented recovery point objective? The proposed HIPAA rule sets a 48-hour RPO for ePHI backups. What is the recovery time objective for each tier of clinical systems? How often do restoration tests actually run, and can you see the test results? Research published in the JAMA Health Forum found that only 20% of ransomware-attacked healthcare organizations successfully recovered from their own backups. Providers who test quarterly and share documentation have earned that confidence. Providers who describe backup frequency without mentioning recovery testing have not asked themselves the right question.
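The questions in this section reduce to checks that can be run against a backup catalogue, including the failure mode described earlier in the article where jobs complete successfully but restoration was never verified. The script below is an added example, not code from the article or from any provider. It takes the 48-hour RPO and the 72-hour restoration window for critical systems from the article's description of the proposed rule; the tier 2 and tier 3 RTO targets, the 90-day test cadence, the system names and every catalogue value are constructed assumptions.

```python
from datetime import datetime, date

# Constructed "as of" instant for the check (not a real audit date).
NOW = datetime(2025, 6, 10, 8, 0)

# Targets. The 48-hour RPO and the 72-hour restoration window for tier 1
# (clinical-critical) systems follow the article's description of the proposed
# rule; the tier 2/3 RTO values and the 90-day (quarterly) cadence are assumptions.
RPO_HOURS = 48
RTO_HOURS_BY_TIER = {1: 72, 2: 168, 3: 336}
RESTORE_TEST_MAX_AGE_DAYS = 90

# Constructed backup catalogue (hypothetical systems, not a real client's data).
# "last_success" is the newest job that completed; "last_restore_test" is the
# newest verified restoration and "measured_restore_hours" how long it took.
CATALOG = [
    {"system": "ehr-prod", "tier": 1, "last_success": "2025-06-09T02:00",
     "immutable": True, "isolated": True,
     "last_restore_test": "2025-05-20", "measured_restore_hours": 30},
    {"system": "pacs", "tier": 1, "last_success": "2025-06-07T02:00",
     "immutable": True, "isolated": True,
     "last_restore_test": None, "measured_restore_hours": None},
    {"system": "lab-lis", "tier": 2, "last_success": "2025-06-09T02:00",
     "immutable": False, "isolated": True,
     "last_restore_test": "2025-01-15", "measured_restore_hours": 20},
    {"system": "hr-portal", "tier": 3, "last_success": "2025-06-09T02:00",
     "immutable": True, "isolated": False,
     "last_restore_test": "2025-04-01", "measured_restore_hours": 400},
]


def assess_entry(entry, now=NOW):
    """Return the list of findings for one catalogue entry (empty list = passes)."""
    findings = []
    copy_age_h = (now - datetime.fromisoformat(entry["last_success"])).total_seconds() / 3600
    if copy_age_h > RPO_HOURS:
        findings.append(f"RPO breach: newest good copy is {copy_age_h:.0f}h old (target {RPO_HOURS}h)")
    if not entry["immutable"]:
        findings.append("copy is not immutable, so ransomware can encrypt or delete it")
    if not entry["isolated"]:
        findings.append("copy is not air-gapped or logically isolated from production")
    if entry["last_restore_test"] is None:
        # The gap the article describes: jobs report success, restoration never verified.
        findings.append("never restore-tested: successful jobs do not prove recoverability")
        return findings
    test_age_d = (now.date() - date.fromisoformat(entry["last_restore_test"])).days
    if test_age_d > RESTORE_TEST_MAX_AGE_DAYS:
        findings.append(f"restore test stale: {test_age_d} days old (cadence {RESTORE_TEST_MAX_AGE_DAYS} days)")
    rto = RTO_HOURS_BY_TIER[entry["tier"]]
    if entry["measured_restore_hours"] > rto:
        findings.append(f"RTO breach: last restore took {entry['measured_restore_hours']}h "
                        f"(tier {entry['tier']} target {rto}h)")
    return findings


def assess_catalog(catalog=CATALOG, now=NOW):
    """Map each system name to its findings."""
    return {e["system"]: assess_entry(e, now) for e in catalog}


if __name__ == "__main__":
    for system, findings in assess_catalog().items():
        print(system, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Only `ehr-prod` passes. `pacs` has nightly jobs that look healthy on a dashboard but fails on two counts: the newest copy is 78 hours old and it has never been restore-tested. That second finding is the one a "we do nightly backups" answer hides.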
9. Have any of your healthcare clients experienced a ransomware event? What happened, and how did you respond?
This is not a trap. It is a reference check. Providers with real healthcare depth have almost certainly managed an active incident. The goal is to hear how they performed under operational pressure, what decisions they made in the first hour, and what they changed afterward. Providers who pivot immediately to prevention messaging have not been tested, or are not being straight with you.
How Do You Verify That a Managed IT Provider's Subcontractors Are Also HIPAA-Compliant?
To verify subcontractor HIPAA compliance, ask the managed IT provider to show the full Business Associate Agreement chain including all downstream vendors, provide the subcontractor list identifying which services each delivers, and confirm written annual verification under the proposed 2026 HIPAA rule. For cloud and data center subcontractors, ask specifically for SOC 2 Type II certification. A 2025 HHS audit found that only 17% of business associates were substantially fulfilling their ePHI safeguard obligations.
10. Who specifically handles HIPAA compliance oversight on my account, and what are their qualifications?
Senior staff win managed IT contracts. Junior staff service them. Ask who owns your compliance program at the provider level, what their credentials are, such as CISSP, CISA, CHPS, or equivalent, and what happens to that accountability when account teams turn over. For mid-market hospital systems without a dedicated compliance officer, the provider’s internal ownership of this function is not a nice-to-have. It is the function itself.
11. Which of your services do subcontractors deliver, and how do you confirm they meet HIPAA requirements?
This is among the most underexamined vulnerabilities in hospital IT outsourcing. A managed IT provider can maintain strong internal controls while routing your PHI through a third-party NOC, data center, or cloud platform that does not. Under 45 CFR Section 164.314(a), business associates must ensure their own subcontractors protect ePHI with equivalent safeguards, and the proposed 2026 HIPAA rule adds a requirement for written annual verification. For cloud hosting and data center subcontractors, ask specifically whether they hold SOC 2 Type II certification, as this independently validates security controls. Ask to see the full subcontractor list and the complete BAA chain. A 2025 HHS audit of 166 covered entities and 41 business associates found that only 17% of business associates were substantially fulfilling their regulatory responsibilities to safeguard ePHI. Providers who treat the subcontractor question as unusual are telling you something about their downstream accountability.
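The subcontractor review described above and in the summary at the top of this section is a rules check over the provider's roster: every downstream vendor that touches ePHI needs a BAA and a written verification no older than a year, and cloud hosting or data center vendors additionally need a SOC 2 Type II report. The script below is an added example, not code from the article or from any provider; the vendor names, service labels and dates are constructed, and the 365-day verification window is an assumption that reads "annual" literally.

```python
from datetime import date

AS_OF = date(2025, 6, 10)           # constructed review date
VERIFICATION_MAX_AGE_DAYS = 365     # "annual" written verification, read literally
SOC2_REQUIRED_SERVICES = {"cloud hosting", "data center"}

# Constructed subcontractor roster (hypothetical vendors, not a real BAA chain).
SUBCONTRACTORS = [
    {"name": "NorthCloud", "service": "cloud hosting", "handles_phi": True,
     "baa_signed": True, "last_verified": "2025-01-10", "soc2_type2": True},
    {"name": "DataVault", "service": "data center", "handles_phi": True,
     "baa_signed": True, "last_verified": "2023-11-01", "soc2_type2": False},
    {"name": "AfterHours NOC", "service": "network operations center", "handles_phi": True,
     "baa_signed": False, "last_verified": None, "soc2_type2": False},
    {"name": "PrintLease", "service": "printer leasing", "handles_phi": False,
     "baa_signed": False, "last_verified": None, "soc2_type2": False},
]


def check_subcontractor(sub, as_of=AS_OF):
    """Findings for one downstream vendor; an empty list means the chain holds here."""
    if not sub["handles_phi"]:
        return []  # outside the BAA chain; nothing to verify for ePHI
    findings = []
    if not sub["baa_signed"]:
        findings.append("no BAA on file although the vendor touches ePHI")
    if sub["last_verified"] is None:
        findings.append("no written verification of safeguards ever recorded")
    else:
        age = (as_of - date.fromisoformat(sub["last_verified"])).days
        if age > VERIFICATION_MAX_AGE_DAYS:
            findings.append(f"verification stale: {age} days old (annual required)")
    if sub["service"] in SOC2_REQUIRED_SERVICES and not sub["soc2_type2"]:
        findings.append("no SOC 2 Type II report for a hosting/data center service")
    return findings


def check_chain(subcontractors=SUBCONTRACTORS, as_of=AS_OF):
    """Map each vendor name to its findings across the whole roster."""
    return {s["name"]: check_subcontractor(s, as_of) for s in subcontractors}


if __name__ == "__main__":
    for name, findings in check_chain().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The roster is deliberately small: one vendor passes, one is outside the chain, and the two failures are the patterns the article warns about, a data center with a BAA but a verification that lapsed long ago and no SOC 2 report, and an after-hours NOC that handles ePHI with no BAA at all.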
12. How do your SLAs define and address downtime that affects clinical operations, not just general uptime?
Standard uptime SLAs are not written for clinical environments where a one-hour EHR outage means staff reverting to paper processes, delayed medication administration documentation, and disrupted care coordination. Ask how the SLA defines a clinical impact event separately from a standard IT outage, what the response protocol specifies for each tier, and what financial or service remedies exist when the provider misses the commitment. Then ask what they expect to happen to patient care during an outage, because providers who have thought through that question understand your environment. Providers who have not are running a generic IT contract with healthcare branding on it.
What Happens After You Ask These Questions
Hospital CIOs and compliance officers who bring this level of specificity into vendor evaluations find the same dynamic: the conversations get shorter and the decisions get clearer. Providers who answer in detail, with documentation, real incident references, and specific metrics, are worth continuing to evaluate. Providers who generalize, deflect, or redirect toward product demos when the questions get operational have answered the most important question already.
The goal is not to disqualify vendors. It is to find a managed IT services partner for hospitals who has genuinely earned access to patient data and who understands that in a hospital, an IT failure is a clinical event.
One More Question That Tells You Everything
After you have covered the list above, close every vendor conversation with this:
“What would you want to know about our environment before committing to a compliance and security program for us?”
Providers who have done this work will ask about your EHR platform, your medical device inventory, your backup architecture, your incident history, and your internal IT staffing model. They want to understand the environment before they make a promise about it.
Providers who start answering before you finish the sentence, who already know what they are going to recommend regardless of what they learn, have told you what kind of partner they will be.