PGH Networks is a Pittsburgh-based managed services provider that delivers healthcare cybersecurity and HIPAA IT services to medical practices, behavioral health clinics, dental groups, and specialty providers across the Pittsburgh metro and within 75 miles of ZIP code 15220. Our healthcare practice is built specifically around the Security Rule, PHI protection, EHR platform hardening, and the HITRUST-aligned controls that hospital systems and payers increasingly push down to their referral networks and contracted providers.
The case studies below are anonymized composites drawn from real engagements with healthcare clients in Allegheny, Washington, Westmoreland, Butler, and Beaver counties. Names and identifying details have been changed; the technical work, regulations, and outcomes are accurate.
The buyer scenario: a multi-location medical practice under pressure
A 60-provider, four-location specialty medical practice headquartered near Pittsburgh contacted us after a phishing email led to a brief unauthorized login on a billing manager's Microsoft 365 account. No PHI was confirmed exfiltrated, but the practice's compliance officer could not answer the obvious next questions: what did the attacker see, what was logged, and was this a reportable breach under the HIPAA Breach Notification Rule? Their prior IT vendor was a generalist break-fix shop with no healthcare cybersecurity experience.
When a practice cannot answer "was PHI accessed?" with evidence, the regulatory question answers itself — and not in your favor.
The challenge
The practice ran a cloud-hosted EHR, a separate practice management system, an on-prem imaging server, and Microsoft 365 across roughly 110 users. There was no documented HIPAA Security Risk Analysis, MFA was inconsistently enforced, audit logging in M365 was at the default 90-day retention, and the imaging server sat on the same flat VLAN as front-desk workstations. Cyber liability renewal was 70 days out and the carrier had issued a supplemental questionnaire asking about EDR coverage, privileged access controls, and offline backups — none of which the practice could attest to truthfully.
How it was solved
We began with a HIPAA Security Risk Analysis mapped to the NIST 800-66 framework, producing a documented register of administrative, physical, and technical safeguard gaps tied to specific 45 CFR §164.308–312 citations. From there the work split into three tracks running in parallel.
On the identity track, we enforced conditional access and phishing-resistant MFA across all M365 accounts, separated clinical and administrative privilege tiers, and extended unified audit log retention to one year so future incident questions would have evidence behind them. On the network track, we segmented the imaging server and any device touching ePHI onto isolated VLANs with east-west firewalling, and deployed managed EDR with 24/7 monitoring across every endpoint and server. On the resilience track, we rebuilt backups to an immutable, offline-capable target with documented restore testing, then ran a tabletop exercise against a ransomware scenario with the practice's leadership, billing lead, and outside counsel.
TL;DR: Healthcare cybersecurity in Pittsburgh is not an antivirus problem — it is an evidence problem, and the providers who win audits and cyber renewals are the ones who can produce documented controls, logs, and tested recovery on demand.
A second engagement: behavioral health clinic ransomware recovery
A behavioral health clinic with three Pittsburgh-area offices and around 35 staff was hit with ransomware that encrypted their on-prem file server, including intake documents and supervision notes that had not yet been migrated into their EHR. They engaged us mid-incident. We coordinated with their breach counsel and cyber carrier, contained the affected segment, restored from a clean backup that predated the encryptor's dwell time, and produced a forensic timeline that supported a determination of low probability of PHI compromise under the four-factor risk assessment. Post-incident, we replaced the legacy file server with an access-controlled, logged, and DLP-monitored Microsoft 365 environment, and instituted quarterly phishing simulations because clinicians were the primary initial-access vector.
A third engagement: dental group HITRUST readiness
A 12-location dental group with PPO and Medicaid contracts was told by a major payer that contracted providers would need to demonstrate HITRUST-aligned controls within 18 months. The group did not need full HITRUST certification, but it did need defensible mapping. We performed a control-by-control gap assessment against the HITRUST CSF healthcare overlay, prioritized remediation by risk and payer materiality, and stood up the documentation, policies, and technical controls — encryption at rest on imaging workstations, role-based access on the practice management system, vendor risk reviews of their third-party billing service — that the group's compliance lead now uses as their working evidence binder.
Outcomes across the healthcare cybersecurity practice
Across these and similar engagements, the patterns are consistent. Cyber insurance renewals get approved without exclusions or PHI sublimits. Security Risk Analyses produce a defensible artifact dated within the current calendar year, which is the single most common OCR audit request. Mean time to detect on EDR-monitored endpoints drops to minutes rather than the weeks typical of unmanaged environments. And when something does go wrong — because in healthcare it eventually does — the practice can answer the breach-notification questions with logs and forensics, not guesses.
Takeaway for Pittsburgh healthcare leaders
If you run a medical practice, behavioral health clinic, dental group, or specialty provider in the Pittsburgh region, the healthcare cybersecurity and HIPAA IT bar has moved. Cyber carriers, hospital affiliates, and payers are all asking the same evidence questions, and a generalist IT provider — even a competent one — usually cannot produce HIPAA-mapped artifacts, HITRUST-aligned control documentation, or PHI-aware incident response on demand. PGH Networks built this practice because our Pittsburgh healthcare clients needed it. If you are facing a cyber renewal, a payer questionnaire, a Security Risk Analysis gap, or the aftermath of an incident, that is exactly the conversation we are set up to have.
