Industries · Medical Practices & Healthcare Services

Cybersecurity & IT Support for Arkansas Medical Practices & Healthcare Services

From HIPAA-aligned network architecture and encrypted EMR access to email security, off-site backups, and HIPAA awareness training for your staff — we run the IT and security program your medical practice or clinic actually needs, with the Business Associate Agreement and documentation discipline an HHS OCR risk assessor expects to see. CISSP-led. BAA-friendly. Real Arkansas team on call.

CISSP-led security · BAA-friendly · HIPAA-aware daily · Arkansas-based · since 2008
Quick Answer

What Makes a Healthcare-Focused IT Firm Different From a Generic MSP?

Three things. We sign Business Associate Agreements with our medical clients — most generic MSPs refuse because the BAA puts them on the hook for breach liability. We understand the HIPAA Security Rule and what HHS OCR risk assessors look for, from working in it daily — not from a vendor PDF. And the founder is CISSP-credentialed and the author of Cyber Fortresses (published on Amazon), with Beyond the Prompt: The Business Owner's Guide to Understanding AI as his recently completed second book — plus more titles in the pipeline.

Sound Familiar?

The Four Headaches That Bring Medical Practices to Us

If any of these describe your current IT situation, the gap isn't generic capability — it's healthcare-specific depth. We close that gap.

92% of healthcare organizations hit by ransomware report direct disruption to patient care, with average recovery time exceeding five days and average ransom payment topping $1.5M. Healthcare leads every other sector tracked for both attack frequency and recovery duration. Source: Sophos State of Ransomware in Healthcare.

"Our Last MSP Wouldn't Sign a Business Associate Agreement"

You asked your IT vendor to sign a BAA — the formal HIPAA paperwork required for any service provider with access to PHI. They refused, hedged, or handed back something so watered down it doesn't satisfy your privacy officer or your risk assessor. Now you're either non-compliant on a documented vendor or scrambling to find a healthcare-comfortable replacement.

"Our EMR Went Down for Half a Day and Nobody Could See Patients"

The internet hiccupped, an authentication token expired, a server certificate lapsed, a firewall rule blocked the EMR cloud endpoint — and overnight your providers were standing in exam rooms unable to pull up charts, write orders, or document encounters. Patient volume cratered. The front desk scrambled to reschedule. Nobody could give you a straight answer on what broke or how to prevent it.

"HHS OCR Sent Us an Inquiry and We Couldn't Find Half Our Documentation"

A patient complaint triggered an OCR letter. Your privacy officer asked for access logs, BAA register, incident records, training proof, encryption status, risk assessment dates. Some of it lives on one server. Some of it is in a binder somewhere. Some of it nobody has updated in three years. The deadline to respond is short. You suddenly realize you've been treating HIPAA documentation as an annual checkbox, not a living record.

Rising Fast

"Healthcare Ransomware Is Up — and Now It Disrupts Patient Care, Not Just Billing"

Ransomware groups have publicly named healthcare a priority target because they know clinics will pay fast to keep patient care running. The typical attack pattern: EMR encryption, billing-system lockout, imaging-system disruption, scheduling failure — all simultaneously. Recovery now averages over five days. Cyber-insurance carriers are scrutinizing healthcare renewals harder than any other sector, and small practices without documented controls are seeing premiums double or coverage decline.

What We Actually Do for Medical Practices

Six Healthcare-Specific Service Programs

Built around what HHS OCR risk assessors and cyber-insurance underwriters actually look for on the IT side — not generic "cybersecurity" deliverables.

01 · HIPAA-Aligned IT Architecture

Network, server, endpoint, and cloud setup designed around the HIPAA Security Rule's administrative, physical, and technical safeguards. Documented access controls, audit logging, encryption in transit and at rest, MFA on every PHI-touching account, role-based permissions, and the technical-safeguard evidence your risk assessor expects to see in writing.

02 · Email & Endpoint Security for Healthcare

Email is the #1 attack vector against healthcare — phishing, BEC, fake EMR password resets, fake patient-record requests. We deploy advanced threat protection, encrypted-email enforcement for outbound PHI, endpoint detection and response on every workstation and server, web filtering, and the layered defenses that match the threat profile of a clinic, not a generic office.

03 · EMR/EHR Access Security & Backup

Single sign-on, MFA, and conditional-access policies for Epic, Athena, eClinicalWorks, NextGen, AdvancedMD, Dentrix, Eaglesoft, and others. Off-site encrypted backups with documented retention that meets HIPAA's 6-year minimum. Tested restore procedures (not just "the green dashboard says OK") so you know your data comes back when you need it.

04 · BAA & Vendor Management Program

We sign a Business Associate Agreement with you (most generic MSPs refuse). We also help you track BAAs with your other vendors — EMR, billing service, transcription, imaging, cloud-storage, marketing tools — so you have a complete BAA register and aren't accidentally sharing PHI with a vendor who never signed one. The BAA paperwork your risk assessor wants to see, kept current.

05 · Breach Readiness & Incident Response

Documented incident-response plan with named roles, escalation paths, and the technical playbook for the first four hours of a suspected breach: isolate, preserve forensic evidence, identify scope of PHI access, build the timeline your privacy officer and outside counsel need to make the HIPAA-reportable-or-not call within HHS's 60-day window. We're the technical first-responders; you and your privacy officer make the legal call.

06 · HIPAA Staff Training & Phishing Simulation

Annual HIPAA awareness training (required by 45 CFR §164.308(a)(5)) delivered through monthly micro-modules and quarterly phishing simulations built around healthcare scenarios — fake EMR resets, fake patient-record requests, fake billing-portal logins. Training records documented and accessible for risk assessments. Phishing-simulation reports show measurable improvement in detection rate over time.

Compliance Coverage

The Regulatory Frameworks Your Practice Lives With

The four bodies of guidance Arkansas medical practices, clinics, and dental offices answer to — and where we plug in alongside your privacy officer or outside HIPAA consultant to keep the IT side of the program aligned.

For All Covered Entities

HIPAA Security Rule (45 CFR Part 164, Subpart C)

  • Administrative safeguards — security management, workforce training, access management, contingency planning
  • Physical safeguards — facility access controls, workstation use, device and media controls
  • Technical safeguards — access control, audit controls, integrity, person/entity authentication, transmission security
  • Required for any provider, plan, or clearinghouse handling electronic PHI

Patient Rights & PHI Use

HIPAA Privacy Rule (45 CFR Part 164, Subpart E)

  • Minimum-necessary access standard for PHI
  • Patient rights — access, amendment, accounting of disclosures, restriction requests
  • Notice of Privacy Practices documentation
  • Use and disclosure rules for treatment, payment, and operations (TPO)
  • Business Associate obligations under §164.504(e)

Enforcement & Breach

HITECH Act & Breach Notification Rule

  • 60-day breach notification window for covered entities
  • Tiered civil monetary penalty structure (up to $1.5M annual maximum per violation category)
  • HHS OCR audit and investigation authority
  • State attorney-general enforcement authority
  • Public posting of breaches affecting 500+ individuals (the "wall of shame")

Specialty & State Overlays

42 CFR Part 2 + Arkansas State Law

  • 42 CFR Part 2 — heightened protections for substance-use treatment records
  • Arkansas Code Title 20 — state-level medical-records confidentiality
  • Texting-of-PHI restrictions for mental-health and substance-use providers
  • State-board licensure record-keeping requirements (medical, dental, mental-health)

Specialist vs Generic MSP vs Healthcare-IT Consultancy

Three Ways to Get Medical-Practice IT — One That Owns Both Sides

Generic MSPs do the IT work but won't sign a BAA. Healthcare-IT consultancies write the report and disappear. Mansour's is the middle path — and the only one of the three that's locally based in Arkansas.

| Capability | Mansour's | Generic MSP | Healthcare-IT Consultancy |
|---|---|---|---|
| Signs Business Associate Agreements with medical clients | Standard practice | Often refuses | N/A — doesn't operate IT |
| Familiar with HIPAA Security Rule from medical engagements | Yes · working alongside Arkansas clinics | Vendor PDFs at best | Yes — but only the paperwork |
| CISSP on staff (the practitioner credential) | Founder-held | Rare | Yes — at consulting rates |
| Configures EMR/EHR access security (Epic, Athena, eCW, others) | Yes — IT side alongside the EMR team | Limited | Advises · doesn't implement |
| Documents technical safeguards for HIPAA risk assessments | Yes · evidence binder kept current | Generic dashboard exports | Yes — at $300+/hr |
| Tracks cyber-insurance underwriting requirements for healthcare | Yes · questionnaire-ready | Reactive | Sometimes |
| Delivers HIPAA awareness training + phishing simulations | Yes · monthly micro · quarterly sim | Maybe — generic content | One-time training only |
| Single Arkansas phone number for HIPAA + IT | Yes | IT only | Paperwork only |
| Local Arkansas presence · same-day on-site response | Little Rock · 10 counties | Varies | Out-of-state · remote-only |
| Founder is an Amazon-published cybersecurity author | Yes · two books · more in pipeline | No | Sometimes |

Here's How We Start

From First Call to HIPAA-Aligned IT Program in Three Steps

No 90-day discovery decks. No five-figure retainer before we'll take your call.

  1. Free 10-Minute Discovery Call

    A quick conversation to understand your current state — what EMR you run, what your last risk assessment flagged, what your IT staffing looks like, what your privacy officer is hearing from compliance, and what's keeping you up at night. You leave with a clear sense of whether a deeper conversation makes sense. No pressure if it's not a fit.

  2. High-Level HIPAA & IT Gap Assessment + Designed Plan

    If we're a fit, we run a high-level assessment of your current IT and security posture against the kinds of technical safeguards HIPAA risk assessors and cyber-insurance underwriters pay attention to. Output is a prioritized plan with the work scoped, the fee fixed, and a Business Associate Agreement ready to sign. You see the math before you commit.

  3. Implementation & Ongoing IT and Security Program

    We implement the plan, sign the BAA, and stay on as your ongoing IT and security partner — with continuous monitoring, encrypted off-site backups, HIPAA staff training and phishing simulations, BAA register maintenance, periodic restore testing, and the documentation your privacy officer or outside HIPAA consultant needs at risk-assessment time. One team. Institutional knowledge stays in one place.

From Arkansas Healthcare Professionals

What Real Clients Say About the Work

Lead testimonial from a UAMS physician — plus two reviews from clients across our regulated-industry portfolio.

★★★★★

"I needed a workstation that could keep up with my demanding schedule — clinical research, telehealth, and data security — all while working between home and the hospital. Mansour delivered exactly what I needed right here in Little Rock. His team built me a custom machine with the power of a gaming rig and the protection of an enterprise system."

Dr. M. Patel
Lead Radiation Oncologist · UAMS · July 2025 · Google review

★★★★★

"When we experienced an email breach, their team responded the same day, resolved the issue promptly, and gave us the confidence to entrust them with all our IT needs. We had never worked with an IT firm before, and now we can't imagine needing anyone else."

Sheri Storie
Director · Pine Bluff Advertising & Promotion Commission · July 2025 · Google review

★★★★★

"Our accounting firm in Little Rock chose Mansour's Computer Solutions to handle our cybersecurity onboarding, and the experience was outstanding. They took the time to understand how we store and access sensitive client tax data, then implemented multiple layers of protection to keep our systems safe from hackers."

Valerie Taylor
Owner · Heritage Accounting · November 2025 · Google review

Frequently Asked Questions

Common Questions From Arkansas Medical Practices

Do you sign Business Associate Agreements (BAAs) with our medical practice?

Yes — that's standard practice for every medical client we sign. The HIPAA Security Rule requires any service provider with access to Protected Health Information (PHI) to execute a written BAA with the covered entity. Many generic MSPs refuse because the BAA puts them on the hook for breach liability. We sign because doing IT for healthcare without one is doing it wrong — both for HIPAA compliance and for our own E&O posture.

Have you worked with HIPAA-covered medical practices before?

Yes. We support a range of Arkansas healthcare clients — solo physician offices, multi-provider clinics, dental practices, mental-health practices, and specialty groups. We build the IT and security side around HIPAA from the start: documented access controls, encrypted email and storage, MFA on every account with PHI access, logged file activity, off-site encrypted backups, and the technical safeguards the HIPAA Security Rule actually names. We're not the auditor of record — we're the team that gets the technical environment ready for one.

What EMR/EHR systems have you supported?

On the IT and security side: Epic, Athena Health, eClinicalWorks, NextGen, AdvancedMD, Practice Fusion, Dentrix, Eaglesoft, and a handful of others. We don't replace your EMR vendor's implementation team — we work alongside them on the IT plumbing: network and bandwidth sizing, firewall rules, MFA enrollment, single sign-on, certificate management, off-site backup integration, endpoint security, and the documentation HIPAA risk assessments expect to see for any system processing PHI.

How do you handle PHI in backups and email?

Backups: encrypted in transit and at rest, stored off-site with documented retention that meets HIPAA's 6-year minimum for records of compliance activities. Email: TLS in transit, advanced threat protection on inbound (the #1 attack vector for healthcare), encrypted-email enforcement for outbound messages containing PHI, and email retention policies that align with your record-keeping obligations. Every configuration is documented so it shows up on your risk assessment without scrambling.

What's your role if we have a breach or suspected breach?

We're the technical first-responders. On suspected breach: contain the scope (isolate affected systems, preserve forensic evidence, change credentials), identify what PHI was accessed and by whom, document the timeline, and provide the technical record your privacy officer and outside legal counsel need to determine whether it's a HIPAA-reportable breach. We don't make the breach-notification call — that's your privacy officer and attorney — but we make sure they have what they need to make it correctly within HHS's 60-day window.

Can you help us prepare for an HHS OCR inquiry or annual HIPAA risk assessment?

Yes, on the IT and security side. We produce the documentation an OCR investigator or HIPAA risk assessor expects from your technical environment: access control inventories, audit logs, encryption status, BAA register, incident log, training records, backup-and-recovery proof, and the configuration evidence behind your administrative, physical, and technical safeguards. We work alongside your compliance officer or outside HIPAA consultant — they make the legal and policy calls; we keep the technical evidence current and accessible.

Do you provide HIPAA awareness training for our staff?

Yes. Annual HIPAA awareness training is a HIPAA Security Rule requirement (45 CFR §164.308(a)(5)). We deliver it through monthly micro-training modules and quarterly phishing simulations specifically built around healthcare scenarios — fake EMR password reset emails, fake billing-portal logins, fake patient-record request scams. Each module is short, the training records are documented (so they're available for a risk assessment), and the phishing-simulation reports show measurable improvement in your team's detection rate over time.

How are you different from a healthcare-IT consultancy?

Most healthcare-IT consultancies deliver a written report and an invoice, then leave you to find someone who'll actually implement the controls. Most generic MSPs configure controls without understanding why HIPAA requires a particular configuration. We do both — the gap assessment AND the implementation AND the ongoing operational work — so your documentation, your controls, and the institutional knowledge stay in one place. Plus we're locally based in Arkansas with same-day on-site response across 10 counties, not a national consultancy billing $300+/hour out of a different time zone.

10-Minute Call · No Commitment · No Pitch

Get a Straight Answer About Your IT in 10 Minutes

In one quick call you'll walk away with: (1) where your current IT is leaking time, money, or risk, (2) what a fix looks like for a business your size, and (3) whether Mansour's is the right fit. Real Arkansas technician on the call — not a salesperson.

17 years · 197+ Google reviews · BBB A+ · Serving 10 Arkansas counties