Two years ago, I made the deliberate decision to not hire an IT company to manage my practice technology. My reasoning was simple: I was already paying for cloud-based everything, the tools I chose were designed to be managed by non-technical users, and the managed IT services I priced out wanted $500-800/month to essentially monitor things that mostly monitor themselves. So I became my own IT department. Here is an honest accounting of how that went.

What Actually Broke

In 24 months, I had four incidents that required real troubleshooting rather than "turn it off and back on."

Incident 1: The Comcast Outage (Month 3). My primary internet went down at 9:15 AM on a Tuesday with a full schedule. This was before I had a backup connection. I spent twenty minutes on the phone with Comcast being told there was a "known outage in my area" with no ETA. I ended up tethering to my phone's hotspot for the rest of the morning. Three patients had to be rescheduled because the hotspot was too slow for telehealth visits. Total cost: roughly $450 in lost revenue plus the cost of my dignity while explaining to patients that my internet was down like it was 2005. This incident is what made me get T-Mobile Home Internet as a backup the following week. Cost of the backup: $50/month. Cost of not having it: one terrible day and ongoing anxiety.

Incident 2: The Phishing Email (Month 8). Sarah, my front desk person at the time, clicked a link in an email that looked like it was from our fax service. Nothing happened, meaning no obvious malware, no ransomware screen, no alerts. But I spent the next four hours in a controlled panic: changing every password on every system, reviewing login logs, running malware scans on her workstation, and reading about incident response procedures on the HHS website. I found no evidence of compromise. But I also could not prove there was no compromise, which is a distinctly uncomfortable feeling when you are responsible for hundreds of patients' protected health information. This incident is what made me implement mandatory phishing training and move to hardware security keys for critical systems. The training costs nothing. The security keys cost $25 each. The peace of mind: still in progress.

Incident 3: The Printer Rebellion (Month 14). My label printer stopped communicating with my workstation after a Windows update. I spent two hours troubleshooting drivers before discovering that the update had changed a USB power management setting. The fix took thirty seconds once I found it. The finding-it took two hours of increasingly creative search queries. This is the kind of problem that an IT company would have solved in fifteen minutes, and I will admit that in the middle of it, while manually writing labels with a Sharpie between patients, I questioned every life choice that led me to this moment.

Incident 4: The SSL Certificate (Month 19). My practice website went down because the SSL certificate expired. Squarespace is supposed to auto-renew these, but something went wrong with the domain verification. Patients trying to book appointments saw a scary "Your connection is not private" warning. I did not notice for two days because I never visit my own website. A patient texted me about it. Fix time: twenty minutes. Embarrassment duration: ongoing.
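The expired certificate above went unnoticed for two days; a scheduled check along these lines reports the days remaining and would flag a stalled auto-renewal before patients see the warning. This is an added example, not the author's own tooling: the 14-day threshold, the function names, and the sample dates are assumptions constructed for illustration.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 14  # assumed threshold: warn two weeks before expiry


def fetch_not_after(host, port=443, timeout=10):
    """Return the site's certificate notAfter string, or None when the
    handshake fails validation (an expired certificate fails here)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError:
        return None


def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map a notAfter value to the action a practice owner needs to take."""
    if not_after is None:
        return "FAILED"        # visitors already see the browser warning
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "EXPIRED"
    if remaining <= warn_days:
        return "RENEW SOON"    # auto-renewal should have run by now
    return "OK"


if __name__ == "__main__":
    if len(sys.argv) > 1:      # live check: pass your own domain as argument
        print(sys.argv[1], classify(fetch_not_after(sys.argv[1])))
    else:                      # offline demo on constructed dates
        now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
        for sample in ("Jul 16 12:00:00 2025 GMT", "Jun 15 12:00:00 2025 GMT",
                       "May 30 12:00:00 2025 GMT", None):
            print(sample, "->", classify(sample, now))
```

Run weekly from a scheduled task with the practice's domain as the argument; anything other than OK means the hosting provider's renewal needs attention.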

What I Actually Spend Time On

Outside of those four incidents, my weekly IT time averages about 45 minutes. That breaks down roughly as follows: reviewing security alerts and login logs (10 minutes), updating software when prompted (10 minutes), backing up non-cloud data like local documents and financial records (5 minutes, mostly automated), and dealing with whatever minor annoyance has surfaced that week (20 minutes). The minor annoyances are things like: printer needs new labels, a browser extension broke something, Comcast sent another email about upgrading my plan, or I need to look up how to do something I have done before but forgotten.

Over 24 months, that is roughly 78 hours of total IT work, including the four incidents. At the $500-800/month a managed IT service would have charged, I have saved between $12,000 and $19,200. Even valuing my time at my clinical hourly rate, the self-management approach has been significantly cheaper. But the math only works because my stack is simple. Cloud EMR, cloud email, cloud accounting, and a couple of local devices. If I were running an on-premises server or managing my own backup infrastructure, the calculus would be completely different.

What I Would Do Differently

Start with the backup internet on day one. Do not wait for an outage to prove you need it. Fifty dollars a month is cheap insurance against a day of lost revenue and patient inconvenience.

Set up security monitoring before you need it. I did not implement proper login monitoring until after the phishing incident. I should have done it from the start. Cloud-based services usually have audit logs built in. Turn them on. Review them weekly. It takes ten minutes and it is the only way to know if someone is accessing your systems who should not be.

Document everything. When you fix something, write down what the problem was and how you fixed it. I keep a simple text file called "IT Notes" where I log every issue and resolution. This has saved me hours of re-troubleshooting problems I already solved once. Past-me has bailed out present-me more times than I can count.

Invest in physical security keys. Passwords plus an authenticator app is good. Passwords plus a hardware security key is better. At $25-50 per key, this is the highest-ROI security investment a solo practice can make. I use YubiKeys for my EMR, email, and banking. The phishing email incident would have been a non-event if we had been using them from the start.

Accept that some problems are not worth solving yourself. I still do not know how to configure advanced firewall rules or set up a VPN properly. For those things, I pay a consultant $150/hour for the occasional session rather than pretending I can learn network engineering between patients. Knowing what you do not know is the most important IT skill a solo doc can develop.

The Verdict After Two Years

Managing my own IT has been worth it, but only because I invested the time to set things up correctly at the start and I chose tools that are designed for non-technical users. If you are considering the same approach, my honest advice is this: if your stack is cloud-based and simple, you can absolutely do this yourself. If you are running anything on-premises, dealing with complex networking, or managing more than a handful of devices, hire someone. The savings are not worth the risk of a security incident you are not equipped to handle.

And for the love of everything, get a backup internet connection.