IT Health Check: 10 Questions to Ask

You do not need to be a technical expert to evaluate whether your IT environment is healthy. These ten questions are designed for business owners, office managers, and practice administrators who want an honest assessment of their technology infrastructure. If you cannot answer several of these questions confidently, that itself is a finding worth addressing.

1. When was the last time you tested a backup restore?

Having backups is not the same as having working backups. Many organizations discover their backups are corrupted, incomplete, or too slow to restore only after a disaster has already struck. A backup that has never been tested is an assumption, not a safety net.

Why it matters: If your EHR database crashes tomorrow morning, you need to know exactly how long it will take to restore and how much data you will lose. If you cannot answer that question today, your backup strategy has a critical gap.

2. How old are your workstations and servers?

Hardware has a useful life. Workstations older than four to five years and servers older than five to six years are increasingly unreliable and may not support current operating systems and security updates. Running outdated hardware is not just a performance issue; it is a security risk.

Why it matters: A single server failure can take your entire practice offline. Older machines are also more expensive to maintain, and replacement parts may no longer be available. Planned replacements are always cheaper and less disruptive than emergency replacements.

3. Is Multi-Factor Authentication enabled on all critical systems?

MFA requires users to verify their identity with something beyond just a password, typically a code sent to their phone or generated by an authenticator app. It is the single most effective control against unauthorized access, and every major compliance framework now expects it.

Why it matters: Over 80% of hacking-related breaches involve stolen or weak passwords. MFA stops most of these attacks cold, even if an employee falls for a phishing email and gives away their password.

4. Who has admin access to your systems, and why?

Administrative accounts have the power to install software, change configurations, and access any data on a system. Every person with admin access represents a potential point of compromise. Many organizations have far more admin accounts than they need.

Why it matters: If a user with admin privileges clicks a malicious link, the malware inherits those elevated privileges. Limiting admin access reduces the blast radius of any security incident. Conduct a quarterly review of who has elevated access and whether they still need it.

5. Are all your systems running supported operating systems?

When Microsoft or Apple stops supporting an operating system, it stops receiving security patches. Any vulnerability discovered after that date remains permanently unpatched. Windows 10, for example, reaches end of support in October 2025.

Why it matters: Unsupported operating systems are low-hanging fruit for attackers and a red flag in any compliance audit. If you have machines running Windows 8.1, Windows 7, or Windows Server 2012, they need to be upgraded or isolated immediately.

6. Do you have a documented network diagram?

A network diagram shows every device, connection, and segment in your IT environment. It does not need to be fancy, but it needs to exist and be current. Without one, troubleshooting takes longer, security gaps go unnoticed, and new technology is deployed without understanding the full picture.

Why it matters: You cannot secure what you cannot see. A network diagram is also a requirement for HIPAA compliance and is the first thing any IT professional or auditor will ask for when evaluating your environment.

7. How quickly can you detect and respond to a security incident?

The average time to detect a breach in healthcare is over 200 days. Every day an attacker has access to your systems, they can steal more data, install more backdoors, and cause more damage. Detection speed directly correlates with breach severity.

Why it matters: If your only detection mechanism is an employee noticing something strange, you are relying on luck. Security monitoring tools, log analysis, and alerting systems dramatically reduce detection time.

8. What happens to an employee's IT access when they leave?

When someone resigns, is terminated, or changes roles, their access to email, systems, and data should be modified immediately. Delayed deprovisioning is one of the most common compliance findings and one of the easiest to fix.

Why it matters: A disgruntled former employee with active credentials is a serious threat. Even without malicious intent, orphaned accounts are targets for attackers who know they are less likely to be monitored.

9. Is your Wi-Fi network segmented?

Your guest Wi-Fi, employee devices, medical equipment, and servers should not all share the same network. Network segmentation isolates different types of traffic so that a compromise in one area does not automatically spread to others.

Why it matters: If a patient connects to your guest Wi-Fi with a malware-infected phone and your clinical systems are on the same network, those clinical systems are now at risk. Proper segmentation eliminates this attack path.

10. Do you have a written IT budget and replacement plan?

Technology is not a one-time purchase. Hardware ages out, software subscriptions renew, and security threats evolve. Organizations without an IT budget tend to underspend until a crisis forces emergency spending at premium prices.

Why it matters: A planned $1,200 workstation replacement is always cheaper than an emergency replacement that includes rush shipping, lost productivity, and data recovery. An IT budget lets you spread costs predictably and avoid the cycle of neglect and crisis.

How to Use These Results

Count how many of these questions you can answer with confidence:

Ready to take the next step?

Let us walk through these questions with you and identify your highest-priority improvements.