Managed IT Services for Healthcare & Medical Practices

Yes. Framework IT conducts annual third-party HIPAA compliance audits covering access controls, encryption, incident response, Business Associate Agreement (BAA) compliance, and employee training. Your virtual Chief Information Officer (vCIO) provides compliance guidance as part of your standard managed services engagement, including technology assessments, security policy development, technical controls implementation, audit trail maintenance, and Role-Based Access Control (RBAC) with least privilege enforcement. Framework IT also completes vendor security questionnaires for your compliance needs. Key partners, including ConnectWise and BlackPoint Cyber, hold SOC 2 Type 2 certifications, and the Axcient backup platform is HIPAA compliant.

Framework IT uses Axcient's comprehensive backup platform to protect servers, Microsoft 365, Google Workspace, and endpoint devices. Key capabilities include:

• Recovery Point Objective (RPO): As low as 15 minutes
• Recovery Time Objective (RTO): Under 1 hour in ideal conditions
• AirGap Anti-Ransomware Protection: Immutable backups that cannot be deleted or encrypted by ransomware
• AutoVerify: Automated daily or weekly backup testing with screenshot verification to confirm recoverability
• Virtual Office: Instant server virtualization in the cloud for temporary production during hardware failures
• Compliance: SOC 2 certified, HIPAA compliant, GDPR compliant
• Encryption: 256-bit AES at rest, 128-bit SSL in transit
• Flat-Fee Pooled Storage: Predictable monthly costs with no per-GB charges

Backup health is monitored daily by your Proactive Infrastructure Engineer (PIE), and your vCIO plans for long-term retention and compliance needs.

Yes. Approximately 70% of Framework IT's clients have no in-house IT staff. The managed services plan is designed to function as your complete IT department, covering daily help desk support, 24/7 proactive monitoring, strategic planning through a dedicated vCIO, comprehensive cybersecurity, infrastructure management, vendor coordination, user onboarding and offboarding, backup monitoring, and documentation. For the infrastructure, security, and support domains, approximately 95% of day-to-day IT execution is handled by Framework IT, with your involvement limited to business approvals, strategic participation, and Line of Business application administration.

Framework IT includes a comprehensive cybersecurity stack at no additional charge with all managed services agreements:

• Endpoint Detection & Response (EDR): SentinelOne with AI-powered threat detection and automated response
• 24/7 Managed Detection & Response (MDR): BlackPoint Cyber SOC (SOC 2 Type 2 certified) providing around-the-clock monitoring and immediate threat containment
• Advanced Email Security: Mimecast protection against phishing, spoofing, malware, and Business Email Compromise (BEC)
• Multi-Factor Authentication (MFA): Required across all supported systems
• Security Awareness Training: KnowBe4 with simulated phishing campaigns
• Dark Web Monitoring: Scanning for compromised credentials
• SIEM Logging: Aggregated security event analysis for compliance auditing and forensic investigation
• Managed Application Control: Restricts unauthorized applications from running
• Vulnerability Scanning: Continuous scanning for known vulnerabilities and misconfigurations
• Enterprise-Grade Backup: Axcient with AirGap immutable protection

Framework IT's standard cybersecurity package meets over 97% of cyber liability insurance requirements. Clients typically experience 20-40% lower premiums compared to organizations with inadequate controls. Beyond cost savings, Framework IT ensures you can collect on claims through:

• Comprehensive documentation proving security controls were active and enforced
• Employee policy attestation with documented proof of awareness
• Proactive remediation of the three most common claim denial scenarios: outdated operating systems, missing security policies without attestation, and inadequate backups
• vCIO support for completing pre-renewal technical security questionnaires approximately 3-6 months before renewal

Framework IT clients typically achieve claim approval in 4-8 weeks versus 6-12 months for organizations without proper documentation.

All client-facing support and project work is delivered by full-time, W2 Framework IT employees based in the United States, with two exceptions:

• Security Operations Center: Framework IT partners with BlackPoint Cyber (SOC 2 Type 2 certified) for 24/7/365 cybersecurity monitoring and threat response. You will not interact with this partner directly.
• Offshore Tier 1 Engineers: Two native English-speaking Tier 1 help desk engineers based in South Africa operate under strict security controls, including Azure Virtual Desktops hosted in the U.S. and fully controlled by Framework IT, screen recording blocked, MFA-required access, and locked-down data flow prevention between the virtual desktop and any local device. These resources are also insured.

Framework IT includes KnowBe4 Security Awareness Training at no additional cost, managed by your vCIO. This includes:

• Animated micro-learning episodes (3-4 minutes each) covering phishing recognition, password security, ransomware awareness, BEC prevention, HIPAA-specific modules, and more
• Simulated phishing campaigns using templates based on actual attacks, with real-time feedback for users who click
• Customized curriculum tailored to your industry and compliance needs
• Self-service reporting access for leadership to monitor training progress and phishing simulation results
• New content released every 30 days focused on current threats

Additionally, ClipTraining provides on-demand video training for Microsoft 365 applications and productivity tools.

Testing frequency is customized based on your business needs and compliance requirements:

• Included at no charge: Daily backup monitoring, Axcient AutoVerify automated testing (screenshot verification confirming bootability), proactive alerting for failures, PIE oversight, and ad-hoc file/folder restores
• Requires separate scoping: Full-scale disaster recovery drill testing, Virtual Office failover testing, and documented compliance testing for audits

For HIPAA-regulated healthcare organizations, your vCIO would typically recommend annual full-scale DR drills (compliance-mandated) plus quarterly file-level restore tests, with daily AutoVerify screenshot verification running continuously.

Framework IT follows a structured response process:

1. Continuous 24/7/365 monitoring by BlackPoint Cyber SOC across endpoints, network traffic, cloud platforms, and email
2. Immediate containment by the SOC, which isolates affected devices and terminates malicious processes
3. Framework IT response: Analyze threat scope, remove malicious access, remediate attack vectors, patch vulnerabilities, and communicate with your team
4. Post-incident review with recommendations discussed during your Strategic Business Review

Important for healthcare: You should notify your cyber insurance carrier first before requesting full breach remediation, as many policies require use of approved vendor networks. Framework IT coordinates with your insurance process to protect your coverage.

Each client receives a dedicated account team including a vCIO, Service Manager, Client Lead Engineer (CLE), Proactive Infrastructure Engineer (PIE), and a dedicated Help Desk Team/Pod. Strategic services include:

• Strategic Business Reviews (minimum twice per year, typically quarterly) covering technology performance, lifecycle reports, cybersecurity threat reports, technology roadmap updates, and expense forecasting
• Monthly Executive Management Reports with 15-20 KPIs including satisfaction scores, response times, ticket volume, and service delivery metrics
• Comprehensive technology assessments evaluating infrastructure, cybersecurity posture, compliance gaps, and AI opportunities
• Technology budgeting support with annual forecasts and phased replacement schedules
• Compliance consulting across HIPAA, SOC 2, and other frameworks at no additional cost

Framework IT does not pay sales commissions to vCIOs, so advice is unbiased and focused on your interests.

Framework IT follows a structured, auditable process for both:

• Onboarding: Standardized checklists customized to your organization, Rewst automation for consistent SOP execution, AI-powered audits that flag missed steps, and post-go-live QA checks. Recommended lead time is 10 business days (5 days can be accommodated).
• Offboarding: Account disablement and access revocation across all managed systems, data backup and transfer as directed, license reclamation, secure device wiping, and complete audit trail documentation. For platforms Framework IT manages (Microsoft 365, Google Workspace, Adobe), comprehensive offboarding is handled. For Line of Business applications, offboarding focuses on the authentication and identity layer (SSO, Entra ID, MFA).

All actions are logged to individual engineer accounts for accountability and forensic investigation capability.

Framework IT provides penetration testing directly when the objective is to assess security posture and identify improvement opportunities outside of formal audit requirements. For compliance or audit-related penetration testing (such as HIPAA audit requirements), Framework IT recommends engaging an independent third-party assessor. This follows sound governance principles: the party responsible for implementing security controls should not audit their own work. An independent assessment provides greater credibility to auditors, stakeholders, and regulatory bodies.

Your vCIO provides compliance guidance as part of standard managed services, and many SOC 2-relevant activities are included at no additional cost: technology assessments, security policy development, technical controls (EDR, MDR, MFA, SIEM, email security), comprehensive audit trails, and RBAC with least privilege enforcement. However, a formal structured SOC 2 readiness program (gap analysis against Trust Service Criteria, remediation roadmap, and readiness tracking) is not a standard inclusion and would be scoped as a separate project or virtual Chief Information Security Officer (vCISO) engagement. For formal SOC 2 audits, an independent third-party assessor is recommended.

Framework IT uses BitLocker Drive Encryption, which is built into Windows Pro and Enterprise editions. BitLocker encrypts the entire hard drive so that lost, stolen, or improperly disposed-of devices cannot be accessed without proper credentials. Encryption keys are securely stored in Microsoft Entra ID (Azure AD) for authorized administrator recovery. Full-disk encryption is required by most cyber liability insurance policies and is critical for HIPAA compliance. Your vCIO can assess your current encryption status and recommend a rollout plan if encryption is not yet enabled across your environment.

Framework IT provides tiered coverage:

• Standard Hours (Mon-Fri, 8 AM - 5 PM CT): Full help desk staffing with 30+ engineers, calls answered live by Service Coordinators, average response time under 5 minutes
• Extended Hours (Mon-Fri 5-9 PM CT; Weekends 8 AM - 5 PM CT): Help desk support continues for all priority levels
• 24/7/365 Emergency Support: Critical issues (company-wide outages, ransomware attacks, server failures) are covered around the clock at no additional charge. Call 312-564-4888 anytime for emergency response with acknowledgment as soon as possible and callback within 2 hours

SLA guarantees during business hours: Critical issues receive a 30-minute response; after hours, critical issues receive a 2-hour response. Framework IT's actual average response time across all priorities is under 5 minutes. Approximately 78% of all tickets are resolved on the same business day and on the first touch.