PGH Networks is a Pittsburgh-based managed services provider delivering HIPAA-compliant managed cybersecurity for medical practices, clinics, and mid-market healthcare organizations across the Pittsburgh metro. This anonymized case study walks through how we approach healthcare cybersecurity in Pittsburgh for a real client engagement — what the practice looked like before, what we changed, and what the security and compliance posture looked like ninety days later.
The client: a specialty medical group with roughly 70 staff across four offices in Allegheny and Washington counties, running a cloud-hosted EHR, an on-prem imaging system, and the usual constellation of front-desk PCs, billing workstations, and clinician laptops moving between sites and home.
The buyer scenario
The practice administrator called us after a peer clinic in the region was hit with ransomware that took their schedule offline for nine days. Their cyber liability carrier had just sent a renewal questionnaire asking pointed questions about MFA coverage, EDR, offline backups, email filtering, and whether a HIPAA Security Risk Analysis had been completed in the last twelve months. They could not confidently answer "yes" to most of them.
They also had a more uncomfortable problem: they had never inventoried which vendors actually touched ePHI, and the Business Associate Agreement (BAA) folder in their shared drive had not been updated since 2019.
The carrier questionnaire was the forcing function, but the real risk had been quietly accumulating for years.
The challenge
A two-week discovery phase surfaced the gaps you would expect from a clinical environment that had grown faster than its IT controls. The HIPAA Security Risk Analysis was effectively absent — there was a template document, but no asset inventory, no threat analysis, and no remediation tracking tied to the addressable and required implementation specs in 45 CFR §164.308. ePHI was flowing through at least eleven external services (EHR, e-fax, transcription, patient reminders, a marketing CRM, two referral portals, payroll, a credentialing tool, and three imaging-related vendors), and only four had executed BAAs on file.
On the technical side: MFA was enabled for Microsoft 365 administrators but not for clinical staff; the EHR vendor's recommended hardening guide had never been applied; local admin rights were broadly distributed on workstations; backups ran nightly but had never been test-restored; and there was no 24/7 monitoring — alerts from the existing antivirus went to an inbox nobody read after 5 p.m.
How it was solved
TL;DR: We treated HIPAA as the scaffolding and modern detection-and-response as the load-bearing structure — compliance documents alone do not stop ransomware.
We sequenced the engagement in three waves so the clinic could keep seeing patients while we worked.
Wave one — risk assessment and quick wins (weeks 1–3). We completed a documented HIPAA Security Risk Analysis covering administrative, physical, and technical safeguards, with a prioritized remediation register. In parallel we enforced MFA across all 70 user accounts, removed standing local admin rights, deployed an EDR agent with 24/7 SOC monitoring, and turned on advanced phishing protection with impersonation rules tuned for healthcare (fake referral PDFs, fake portal password resets, payroll-diversion lures targeting the practice administrator).
Wave two — ePHI and vendor governance (weeks 3–7). We mapped every system and integration that creates, receives, maintains, or transmits ePHI, then rebuilt the BAA program against that map. Eleven vendors were contacted; nine signed updated BAAs, one was replaced, and one was retired. We hardened the EHR following the vendor's security guide plus our own healthcare baseline — session timeouts, role-based access reviews, audit-log forwarding into our SIEM, and conditional access tying EHR sign-in to compliant devices.
Wave three — resilience and rehearsal (weeks 7–12). We moved backups to an immutable, off-site target with documented quarterly test restores, segmented the imaging network from the clinical and guest VLANs, and ran a two-hour ransomware tabletop exercise with the owners, the practice administrator, the EHR vendor's contact, and outside counsel. The tabletop produced a written incident response plan with named roles, breach-notification decision trees aligned to the HIPAA Breach Notification Rule, and a contact card laminated at every front desk.
Outcomes
Ninety days in, the cyber liability renewal questionnaire came back fully answerable, and the carrier reduced the deductible at renewal. The Security Risk Analysis and remediation register gave the practice a defensible artifact for any future OCR inquiry. Mean time to detect on simulated threats dropped from "next business day, maybe" to under 12 minutes via the SOC. Phishing click-through on internal simulations fell from 22% to 4% over two training cycles. Eleven ePHI-touching vendors were brought under signed BAAs, and the EHR audit logs were finally being reviewed — by us, weekly, with exceptions escalated to the administrator.
Importantly, none of this required ripping out the EHR or replacing the clinical staff's workflows. The clinicians noticed MFA prompts and slightly stricter laptop policies; they did not notice the SOC, the SIEM, the segmentation, or the immutable backups, which is exactly the point.
Good healthcare cybersecurity is invisible to clinicians and obvious to auditors.
Takeaway for Pittsburgh healthcare leaders
If you run a practice, clinic, surgery center, or mid-market healthcare organization in Pittsburgh, Cranberry, Monroeville, Washington, Greensburg, or anywhere inside the metro, the pattern above is almost certainly closer to your environment than you would like. The good news: healthcare cybersecurity in Pittsburgh does not require a hospital-scale budget. It requires a sequenced program — risk analysis, ePHI and BAA governance, EHR hardening, MFA and EDR everywhere, 24/7 monitoring, immutable backups, and a rehearsed incident response plan — delivered by a team that understands both HIPAA and how clinical operations actually run.
That is the work we do. If your carrier questionnaire, your board, or your own gut is telling you the gap is wider than it should be, we can scope a HIPAA Security Risk Analysis and a 90-day remediation plan tailored to your practice.