That morning is why we keep telling practice managers across Hyde Park Johannesburg, Rosebank, Sandton and Parkmore the same thing: managed IT for a medical practice is not the same product as managed IT for an accounting firm. The regulatory load is heavier, the downtime tolerance is lower, and the data you hold is, in the eyes of the Information Regulator, special personal information under section 26 of POPIA. A generic reseller selling you Microsoft 365 Business Standard and an antivirus subscription is not buying you compliance. It is buying you a paper trail when something goes wrong.
What follows is the six-layer stack we deploy and maintain for medical practices, and the specific failure each layer prevents. Read it as a checklist for whatever provider you are currently paying.
Why Medical IT Is a Different Discipline
Two regulations shape everything. POPIA section 19 obliges you, as the responsible party, to secure the integrity and confidentiality of personal information through appropriate, reasonable technical and organisational measures. HPCSA Booklet 9 then layers on record-retention rules (at least six years from the date a record became dormant, longer for minors and oncology patients) and demands that records remain legible and accessible for that whole period. Add the practical reality that a script printer, a claims gateway and a Vericlaim or GoodX session all share the same network, and a single unsegmented switch becomes a clinical risk rather than just an IT one.
A generic managed service provider will rarely register your Information Officer with the Regulator, will not know that Discovery Health's claims endpoint sometimes blocks traffic from cloud-hosted VMs without a static IP, and will almost never have a written incident-response playbook that distinguishes a ransomware event from a hardware failure. We have rebuilt enough practice networks over the years, and serviced well over 18,000 devices through our Hyde Park workshop, to know where the cracks tend to open.
Layer One: Identity and Email - Microsoft 365 Business Premium, Not Standard
The single most common mistake we see is a practice running Business Standard or, worse, a mix of personal Outlook accounts and a shared Gmail. Business Premium is the floor, not the ceiling. It gives you Conditional Access, so a doctor signing in from a holiday in Mauritius is challenged for MFA every time, while the receptionist on the practice's static IP, registered as a trusted named location, is prompted far less often. Treat that trusted-IP exclusion as a convenience, not a control: a password stolen by phishing and used from inside the building is never challenged, so pair it with a requirement for a compliant, Intune-enrolled device. Premium also gives you Defender for Office 365, which catches the spear-phishing emails that impersonate medical aids, Intune for mobile device management on the practice's phones and tablets, and Intune-enforced BitLocker on every Windows endpoint, with the recovery keys escrowed to Entra ID.
What it prevents: a stolen practice manager's laptop becoming a POPIA section 22 notifiable breach. With BitLocker enforced, the recovery key held in Entra ID rather than on a sticky note, and Conditional Access in place, a lost device is a hardware loss, not a data loss, and you can document for the Regulator why no unauthorised access was possible. Without it, you are writing a letter to every patient on your books.
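The Conditional Access policy described above, written out as an added example (this is not zasupport's own code or tenant configuration). The dictionary uses the shape Microsoft Graph accepts at POST /identity/conditionalAccess/policies; "AllTrusted" is the built-in set of trusted named locations that the practice's static IP would be added to. The break-glass account name is an assumption, and the evaluator is a simplified stand-in for Entra's own engine that models only the user and location conditions, not device state or sign-in risk. The lint at the end flags the scoping mistakes that quietly defeat a policy like this.

```python
# Added example (not zasupport's code): the Conditional Access policy in Graph
# API shape, a simplified evaluator, and a lint for common scoping mistakes.
# Assumptions: the break-glass account name; "AllTrusted" holds the practice IP;
# only user and location conditions are modelled.

BREAK_GLASS = "breakglass@practice.example"   # assumed emergency-access account


def mfa_policy(break_glass_ids=(BREAK_GLASS,)):
    """Require MFA for every user and every app, except from trusted locations."""
    return {
        "displayName": "Require MFA outside the practice network",
        "state": "enabled",   # not "enabledForReportingButNotEnforced"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def requires_mfa(policy, user, from_trusted_location):
    """Would this sign-in be challenged? Simplified stand-in for the Entra engine."""
    if policy["state"] != "enabled":
        return False                      # report-only and disabled never enforce
    cond = policy["conditions"]
    users = cond["users"]
    if user in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and user not in users["includeUsers"]:
        return False
    locs = cond["locations"]
    if from_trusted_location and "AllTrusted" in locs.get("excludeLocations", []):
        return False
    return "mfa" in policy["grantControls"]["builtInControls"]


def policy_findings(policy):
    """Scoping problems a reviewer should raise before the policy is enabled."""
    findings = []
    cond = policy["conditions"]
    if policy["state"] != "enabled":
        findings.append("policy is not enforced (report-only or disabled)")
    if cond["users"]["includeUsers"] != ["All"]:
        findings.append("not scoped to all users: anyone outside the group is never challenged")
    if not cond["users"].get("excludeUsers"):
        findings.append("no break-glass exclusion: an MFA outage locks every admin out")
    if cond["applications"]["includeApplications"] != ["All"]:
        findings.append("not scoped to all apps: unlisted apps (Graph, PowerShell) bypass MFA")
    if "AllTrusted" in cond["locations"].get("excludeLocations", []):
        findings.append("trusted-location exclusion: a stolen password used on-site is not "
                        "challenged; pair with a compliant-device requirement")
    return findings


if __name__ == "__main__":
    policy = mfa_policy()
    print("doctor in Mauritius:", requires_mfa(policy, "dr@practice.example", False))
    print("reception on practice IP:", requires_mfa(policy, "reception@practice.example", True))
    for finding in policy_findings(policy):
        print("finding:", finding)
```

The lint deliberately reports the trusted-location exclusion even on the "good" policy, because that is the item most practices forget to compensate for.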
Layer Two: Endpoint Management for Apple Fleets
Most practices we work with run a mix: Windows at reception for the practice management software, Macs and iPads for the doctors. Apple Business Manager paired with Jamf Pro (or Jamf Now for smaller practices; Jamf School is the education product) lets us enrol every iPad and MacBook into a supervised state through Automated Device Enrollment, so even a factory reset brings the device back under management. We push the email profile, the VPN config, the Defender for Endpoint agent and the FileVault disk-encryption policy without the doctor ever touching a settings menu. If a device is lost, we wipe it remotely. If a doctor leaves the practice, their access dies at the identity layer and the device returns to the pool clean.
What it prevents: the classic scenario where a retiring partner walks out with an iPad full of patient correspondence because nobody knows the Apple ID password. For practices that prefer to extend hardware life rather than replace, our logic board repair service has kept a number of older MacBooks in clinical use well past their expected lifespan, and every device we touch carries up to 3-year warranty on the work performed. Apple's own guidance on supervised enrolment, available at Apple Support, is worth reading if you want to understand what the platform is capable of.
Layer Three: Network Segmentation with UniFi VLANs
A flat network is a clinical hazard. In our standard medical deployment we run at minimum four VLANs on UniFi hardware: a clinical VLAN for the practice management server and scripting workstations, a staff VLAN for general administrative use, a guest VLAN for patient Wi-Fi in the waiting room, and an IoT VLAN for the printers, the card terminals and the access control. Inter-VLAN traffic is filtered, the guest VLAN cannot see anything else, and the clinical VLAN cannot reach the internet except through allow-listed destinations. Two details matter on UniFi: firewall rules are evaluated top to bottom with the first match winning, and the built-in default allows all traffic between LANs, so the segmentation only exists once an explicit drop rule sits below the allow-list entries.
What it prevents: a patient in the waiting room scanning the network and finding the unpatched Windows Server 2012 box (out of extended support since October 2023) that still runs the legacy radiology viewer. We have walked into practices where exactly that was possible.
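A model of the four-VLAN policy above, added here as an example rather than taken from any zasupport deployment or from UniFi's configuration format. The addressing plan, the practice-management server address (10.10.10.5) and the allow-listed claims gateway (203.0.113.10, a documentation address) are assumptions. Rules are evaluated first-match, top to bottom, with unmatched routed traffic allowed, which is how UniFi's LAN In rules behave with the default Allow All at the bottom. The block also includes a shadowing check, the mistake that bites most often when a rule is dragged to the wrong position.

```python
# Added example (not zasupport's code): first-match model of the four-VLAN
# segmentation, with an audit of the promised properties and a shadowed-rule
# check. Addresses and the allow-listed gateway are assumptions.
from ipaddress import ip_address, ip_network

VLANS = {
    "clinical": ip_network("10.10.10.0/24"),
    "staff":    ip_network("10.10.20.0/24"),
    "guest":    ip_network("10.10.30.0/24"),
    "iot":      ip_network("10.10.40.0/24"),
}
ALL_LANS = ip_network("10.10.0.0/16")
ANY = ip_network("0.0.0.0/0")
CLAIMS_GATEWAY = ip_network("203.0.113.10/32")   # assumed allow-listed destination
PMS_SERVER = ip_network("10.10.10.5/32")         # assumed practice management server

# (action, source VLAN or None for any, destination network, label)
CORRECT_RULES = [
    ("accept", "clinical", CLAIMS_GATEWAY, "clinical -> claims gateway"),
    ("accept", "staff",    PMS_SERVER,     "staff -> practice management server"),
    ("accept", "staff",    VLANS["iot"],   "staff -> printers and terminals"),
    ("drop",   None,       ALL_LANS,       "block all other inter-VLAN traffic"),
    ("drop",   "clinical", ANY,            "clinical has no general internet"),
]

# Same rules with the clinical internet block dragged to the top: the
# allow-list rule beneath it can never match and claims silently fail.
MISORDERED_RULES = [CORRECT_RULES[4]] + CORRECT_RULES[:4]


def vlan_of(ip):
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def is_allowed(rules, src, dst):
    """Decide a routed flow src -> dst under first-match semantics."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    src_vlan = vlan_of(src_ip)
    if src_vlan is not None and src_vlan == vlan_of(dst_ip):
        return True   # same VLAN: switched, never reaches the router firewall
    for action, rule_src, rule_dst, _ in rules:
        if rule_src in (None, src_vlan) and dst_ip in rule_dst:
            return action == "accept"
    return True       # UniFi's implicit Allow All between LANs


def shadowed_rules(rules):
    """Labels of rules hidden by an earlier, broader rule with the opposite action."""
    hidden = []
    for i, (action, src, dst, label) in enumerate(rules):
        for e_action, e_src, e_dst, _ in rules[:i]:
            if e_action != action and e_src in (None, src) and dst.subnet_of(e_dst):
                hidden.append(label)
                break
    return hidden


def audit(rules):
    """Probe the properties the text promises; returns the names of those that fail."""
    checks = {
        "guest cannot reach clinical":     not is_allowed(rules, "10.10.30.77", "10.10.10.5"),
        "guest cannot reach staff":        not is_allowed(rules, "10.10.30.77", "10.10.20.15"),
        "guest still has internet":        is_allowed(rules, "10.10.30.77", "198.51.100.1"),
        "clinical cannot browse":          not is_allowed(rules, "10.10.10.5", "198.51.100.1"),
        "clinical reaches claims gateway": is_allowed(rules, "10.10.10.5", "203.0.113.10"),
        "iot cannot reach clinical":       not is_allowed(rules, "10.10.40.9", "10.10.10.5"),
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    print("correct ruleset failures:", audit(CORRECT_RULES))
    print("misordered failures:", audit(MISORDERED_RULES))
    print("misordered shadowed rules:", shadowed_rules(MISORDERED_RULES))
    print("no drop rule at all:", audit(CORRECT_RULES[:3]))
```

Running `audit` on the first three rules alone (no explicit drop) shows the guest and IoT VLANs reaching the clinical server, which is exactly the default-allow trap described above.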
Layer Four: Backup and Continuity - Veeam plus Synology, Offsite
A backup that has not been tested in the last quarter is not a backup. We run Veeam Backup and Replication writing to an on-premises Synology, with a second copy replicated to an offsite Synology in a different suburb, and a third copy in Backblaze B2 with Object Lock enabled, so that neither ransomware nor a compromised admin account can delete or overwrite it before the retention period expires. Recovery point objective for the practice database is one hour. Recovery time objective for a full server rebuild is four hours. We test restores monthly and document the result.
What it prevents: the ransomware morning. We have recovered three practices from full encryption events in the last two years, and in every case the offsite immutable copy was what saved them. Load shedding aggravates everything here; a UPS that lets the server shut down cleanly is part of the same layer, not an afterthought. The same principle applies to physical hazards: a burst geyser above a server cupboard is depressingly common, and our liquid damage recovery work on individual machines has taught us to insist on raised server platforms in every practice we onboard.
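The morning check that turns the backup layer above into something a human can actually verify, added here as an example; it is not zasupport's tooling and does not use Veeam's own schema. The status records are constructed, and the 24-hour tolerance for copy jobs, the 30-day restore-test window and the 30-day immutability floor are assumptions chosen to match the one-hour RPO and monthly restore tests stated above. It checks the 3-2-1-1 shape (three copies, two media, one offsite, one immutable), freshness against the RPO, and whether anyone has restored from the data recently.

```python
# Added example (not zasupport's code): a 3-2-1-1, RPO and restore-test check
# over constructed backup status records. Field names and tolerances are
# assumptions, not Veeam's schema.
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=1)                    # practice database, as stated above
COPY_LAG_MAX = timedelta(hours=24)          # assumed tolerance for offsite/cloud copy jobs
RESTORE_TEST_MAX_AGE = timedelta(days=30)   # monthly restore tests
MIN_IMMUTABLE_WINDOW = timedelta(days=30)   # assumed Object Lock retention floor

NOW = datetime(2024, 6, 3, 7, 30, tzinfo=timezone.utc)

# Constructed status records, one per copy target.
COPIES = [
    {"target": "onprem-synology", "site": "onprem", "medium": "nas", "primary": True,
     "immutable_until": None, "last_success": NOW - timedelta(minutes=40)},
    {"target": "offsite-synology", "site": "offsite", "medium": "nas", "primary": False,
     "immutable_until": None, "last_success": NOW - timedelta(hours=5)},
    {"target": "backblaze-b2", "site": "cloud", "medium": "object", "primary": False,
     "immutable_until": NOW + timedelta(days=45), "last_success": NOW - timedelta(hours=6)},
]
LAST_RESTORE_TEST = NOW - timedelta(days=12)


def backup_findings(copies, last_restore_test, now=NOW):
    """Problems a human should act on this morning; an empty list means healthy."""
    findings = []
    # 3-2-1-1 shape: three copies, two media, one offsite, one immutable
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    if len({c["medium"] for c in copies}) < 2:
        findings.append("all copies on the same medium")
    if not any(c["site"] != "onprem" for c in copies):
        findings.append("no offsite copy")
    immutable = [c for c in copies
                 if c["immutable_until"] and c["immutable_until"] - now >= MIN_IMMUTABLE_WINDOW]
    if not immutable:
        findings.append("no copy with an immutability window of at least 30 days")
    # freshness: the primary against the RPO, secondaries against the copy-job tolerance
    for c in copies:
        age = now - c["last_success"]
        limit = RPO if c["primary"] else COPY_LAG_MAX
        if age > limit:
            kind = "RPO" if c["primary"] else "copy tolerance"
            findings.append(f"{c['target']} last succeeded {age} ago, exceeds {kind} of {limit}")
    # a backup nobody has restored from is not a backup
    if last_restore_test is None or now - last_restore_test > RESTORE_TEST_MAX_AGE:
        findings.append("no successful restore test in the last 30 days")
    return findings


if __name__ == "__main__":
    for finding in backup_findings(COPIES, LAST_RESTORE_TEST) or ["all checks passed"]:
        print(finding)
```

The immutability check compares the lock expiry against a floor rather than just testing a boolean, because a B2 bucket with a two-day retention is "immutable" on paper and useless after the average ransomware dwell time.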
Layer Five: POPIA Governance, Not Just POPIA Tech
This is where almost every generic provider falls short. POPIA compliance is not a firewall setting. It is a registered Information Officer, a documented Personal Information Impact Assessment, a written incident-response plan with notification timelines (section 22 requires notifying the Regulator and the affected patients as soon as reasonably possible after a compromise is discovered), an operator agreement with every third party that touches patient data (including your IT provider), and a staff training record. We register your Information Officer with the Regulator as part of onboarding, we draft the PAIA manual, and we sit with the principal partner to walk through the impact assessment. None of that is technical work, but without it the technical work is window dressing.
What it prevents: a Regulator enquiry following a complaint becoming an enforcement notice. The fine ceiling is R10 million; the reputational cost is higher.
Layer Six: Monitoring, Patching and Human Response
The final layer is the boring one that actually keeps the other five working. We run RMM monitoring on every endpoint and server, with patching windows scheduled around clinical hours, vulnerability scans monthly, and a real human reviewing the alerts every morning. Practices on our managed plan get a named technician, a quarterly review with the practice manager, and a 24-hour response on critical tickets. Our after-hours number reaches a person, not a queue.
What This Costs, Honestly
We charge a once-off onboarding assessment from R599 for a single-doctor practice, scaling with site complexity. Monthly managed fees run between roughly R450 and R900 per user depending on the layers you take, with hardware (UniFi, Synology, UPS) costed separately and transparently. We do not mark up Microsoft licences beyond what Microsoft charges us. We do not lock you into multi-year contracts. If you want to leave, we hand over the documentation and the admin credentials in writing, which is a clause we insist on putting in our own contract because we have seen what the alternative looks like.
To start, book online at zasupport.com/book or contact us for a site walk-through. You can also WhatsApp us on 064 529 5863 and we will arrange a visit to your practice, usually within the same week.
Frequently Asked Questions
Q: Can we keep our current IT provider and just add the medical-specific layers?
In principle yes, but in practice it rarely works. The layers are interdependent: Conditional Access policies must align with Jamf enrolment, VLAN rules must align with the backup network paths, and incident response must have a single owner. We have done co-managed arrangements where the existing provider handles day-to-day support and we own the compliance stack, but it requires a clear written split of responsibilities.
Q: How long does onboarding a medium-sized practice take?
For a four-doctor, twelve-staff practice the typical timeline is six to eight weeks. Week one is assessment and documentation. Weeks two and three are identity migration and Microsoft 365 hardening. Weeks four and five are network re-cabling and VLAN deployment. Weeks six and seven are backup commissioning and restore testing. Week eight is POPIA documentation sign-off and staff training. We do not rush this, because shortcuts in onboarding are the cracks that open later.
Q: What happens during load shedding?
Every server and network rack we install includes a UPS sized for graceful shutdown plus a window for stage-four shedding. Larger practices add an inverter and battery bank (typically lithium, sized for four to six hours) so reception can continue to book and bill. Cloud-hosted practice management software helps here too, because the doctors can keep working from a 4G hotspot even if the building has no power.
Q: Are Apple devices safe for clinical use, or should we standardise on Windows?
Both work. We run mixed fleets in most practices. Apple devices with Jamf enrolment and FileVault are arguably easier to keep compliant than Windows endpoints, but the practice management software usually dictates the choice. iPads work well for clinical notes at the bedside. The decision should be driven by clinical workflow, not by IT preference.
Q: Who owns the data if we leave you?
You do, always, and the contract says so explicitly. On exit we provide a full export of Microsoft 365 mailboxes and SharePoint sites, the last good Veeam backup of any on-premises servers, all Jamf and UniFi configurations, and the admin credentials for every system. We allow a thirty-day overlap with your incoming provider at no extra charge.
Q: Do you service the hardware as well, or only the software side?
Both. Our Hyde Park workshop has handled more than 22,000 device repairs over the years, ranging from MacBook logic boards to iMac displays to iPad screen replacements. Practices on our managed plan get priority turnaround on hardware faults, loan devices where we have stock, and the same up to 3-year warranty on every repair. Keeping the same team responsible for software and hardware shortens the diagnostic loop when something odd happens.
