
Healthcare Clinic Remote Access for MSPs: PACS, PMS, and Medical Devices Without Port Forwarding

How MSPs remotely access clinic PMS servers, PACS, and imaging systems — one WireGuard router tunnel, no agents on medical equipment, GDPR-compliant.

Medical practices are one of the most demanding MSP environments. A mid-size clinic runs a practice management system, an EHR server, a PACS workstation handling radiology images, VoIP phones, and a network that stores GDPR-regulated patient data. Most of those systems — the PACS server, the digital imaging equipment, the clinical workstations — run proprietary or locked-down operating systems that cannot accept a remote access agent without voiding the vendor support contract.

The traditional fallback is port forwarding the practice management server's RDP port and accepting the risk. That fails on two levels: CGNAT and dynamic IPs make forwarding unreliable at many small practices, and exposing a medical records server directly to the internet is incompatible with GDPR Article 32, which requires technical and organisational measures appropriate to the risk for systems processing personal data. An RDP endpoint reachable from the internet is scanned and password-sprayed continuously, and one reused or weak credential hands an attacker the patient database.

What Clinic IT Actually Looks Like

A small-to-mid-size medical practice typically runs:

  • Practice Management System (PMS) — scheduling, billing, and patient records on a Windows server. Often a regional EU platform or a legacy Windows application serving the front desk and clinical staff.
  • PACS server — dedicated Windows Server running vendor-specific DICOM archiving software. Receives images from X-ray, CT, and ultrasound equipment. Vendor support contracts prohibit third-party agent installation.
  • Digital imaging equipment — X-ray machines and ultrasound stations with embedded web interfaces on port 80 or 443 for configuration and firmware updates.
  • VoIP PBX — Yeastar, Grandstream, or a hosted SIP system with a web admin panel on the clinic network.
  • Managed switches — Cisco or TP-Link Omada, sometimes with separate VLANs for the administrative network and the medical device segment.

The PACS server and imaging equipment cannot run TeamViewer or AnyDesk. When those systems fail before clinic opens, the MSP needs access without modifying device configurations or touching vendor support agreements.

GDPR and Remote Access Requirements

GDPR Article 32 requires technical and organisational measures appropriate to the risk. It does not prescribe specific controls, but for systems holding health data, supervisory authorities and auditors expect access control, MFA where feasible, and a record of who accessed what and when. Exposing a PMS server's RDP port to the internet provides none of these. TeamViewer and AnyDesk route session traffic through their own relay infrastructure, which makes the vendor a processor under GDPR and adds another data processing agreement to the chain, and both vendors disclosed breaches of their own systems in 2024.

The controls an MSP can point to under Article 32 are: EU-hosted infrastructure (which also keeps the session path out of third-country transfer questions), authenticated access with MFA, and per-session audit logging. An outbound WireGuard tunnel on the clinic router delivers all three without requiring agents on clinical devices.

One Tunnel, Every Device on the Clinic Network

Install one WireGuard tunnel on the clinic's router — MikroTik, pfSense, OPNsense, or any Linux gateway. The router dials outbound to ProxyLink's relay server and holds the connection with persistent keepalive. Once up, the relay can route to any IP on any declared subnet behind that router, including devices running no software at all. Because the tunnel terminates on the router, scope it there: firewall the WireGuard interface so the relay reaches only the hosts and ports engineers actually need, not the whole LAN. CGNAT and dynamic IPs are irrelevant; the tunnel initiates outbound from the router, so whatever IP the ISP assigns at any given moment does not affect access.

What Engineers Access

After configuring the tunnel, create a proxy link in ProxyLink for each device:

  • PMS server (port 3389) — browser RDP to the Windows practice management server. Software updates, user management, and troubleshooting in a browser tab — no VPN client or mstsc.exe on the engineer's laptop.
  • PACS server (port 3389 or 443) — browser RDP for full desktop access, or an HTTPS proxy link to the PACS web viewer. Full access without modifying PACS software or voiding the vendor support contract.
  • Imaging equipment (port 80 or 443) — HTTP or HTTPS proxy link to the device's embedded web interface. Firmware updates and configuration without a site visit.
  • VoIP PBX (port 80 or 443) — HTTP proxy link to the admin panel. Extension management and SIP trunk diagnostics from anywhere.
  • Managed switches (port 22) — browser SSH for VLAN changes and network troubleshooting. No PuTTY, no local VPN client.

Multi-VLAN Clinic Networks

Clinics that segment their networks — an administrative LAN alongside a medical devices VLAN — need exactly one WireGuard peer. Add each subnet under Additional Subnets when creating the tunnel in ProxyLink. All declared subnets become reachable through the same peer with no separate tunnels and no changes on individual devices:

LAN subnet:        192.168.1.0/24   (admin — PMS, EHR workstations)
Additional subnet: 192.168.20.0/24  (medical devices — PACS, imaging equipment)

On MikroTik, if the router uses multi-WAN mangle marks, add mangle rules that exempt ProxyLink traffic from the load-balancing marks for each VLAN subnet so replies leave through the tunnel rather than a WAN link. On pfSense or OPNsense, add pass rules on the WireGuard interface for each subnet, scoped to the specific hosts and ports the proxy links target rather than a blanket pass. If the medical device VLAN's default gateway is a layer-3 switch rather than this router, either add a route on the switch for the tunnel range or NAT traffic arriving from the WireGuard interface so devices answer the router; the point is that nothing changes on the PACS or imaging equipment itself. One router, one peer, all VLANs reachable.
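As an added example that is not ProxyLink's own code or configuration: a POSIX shell script that generates the router-side WireGuard config and a scoped nftables ruleset for a Linux clinic gateway serving the two subnets above. The relay endpoint, tunnel addresses, target addresses and interface name are assumptions, and the key values are placeholders to be replaced with the values from your tunnel setup. It goes one step beyond the page's subnet-level picture: the forward chain admits only the listed host:port pairs (one per proxy link) instead of whole subnets, and masquerades tunnel traffic so locked-down devices need no route back to the tunnel range.

```shell
#!/bin/sh
# Added example (not ProxyLink code): least-privilege WireGuard + nftables
# configuration for a Linux clinic gateway. Every address, interface name and
# endpoint below is an assumption; the key values are placeholders.
set -eu

WG_IF="wg0"
RELAY_ENDPOINT="relay.example.invalid:51820"   # assumed relay host:port, not the real one
RELAY_TUNNEL_IP="10.200.0.1"                   # assumed relay address inside the tunnel
ROUTER_TUNNEL_IP="10.200.0.2"                  # assumed clinic-router tunnel address

# Subnets declared for the tunnel: admin LAN and the medical device VLAN.
SUBNETS="192.168.1.0/24 192.168.20.0/24"

# Allow-list of what the relay may reach, one line per proxy link:
# name  target-ip  port  proto   (all addresses constructed for this example)
TARGETS="pms 192.168.1.10 3389 tcp
pacs-rdp 192.168.20.10 3389 tcp
pacs-web 192.168.20.10 443 tcp
xray 192.168.20.21 443 tcp
pbx 192.168.1.50 443 tcp
switch 192.168.1.2 22 tcp"

# WireGuard peer config for the router. No ListenPort and no inbound rule:
# the router dials out and PersistentKeepalive holds the NAT/CGNAT mapping.
# AllowedIPs is the relay's tunnel address only. 0.0.0.0/0 here would pull the
# clinic's default route into the tunnel, and AllowedIPs is also WireGuard's
# cryptokey routing check: packets from the relay with any other source
# address are dropped before the firewall sees them.
gen_wg_conf() {
  cat <<EOF
[Interface]
Address = ${ROUTER_TUNNEL_IP}/32
PrivateKey = ROUTER_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = RELAY_PUBLIC_KEY_PLACEHOLDER
Endpoint = ${RELAY_ENDPOINT}
AllowedIPs = ${RELAY_TUNNEL_IP}/32
PersistentKeepalive = 25
EOF
}

# nftables ruleset: forward from the tunnel only to the listed host:port
# pairs, drop everything else arriving on wg0 (including traffic aimed at the
# router itself, except ping for a health check), and masquerade tunnel
# traffic so PACS and imaging devices answer the router without a route back
# to the tunnel range. Existing LAN->WAN forwarding is untouched (policy accept).
gen_nft_rules() {
  subnet_set=""
  for s in $SUBNETS; do subnet_set="${subnet_set:+$subnet_set, }$s"; done

  echo "table inet proxylink {"
  echo "  chain forward {"
  echo "    type filter hook forward priority 0; policy accept;"
  echo "    ct state established,related accept"
  printf '%s\n' "$TARGETS" | while read -r name ip port proto; do
    echo "    iifname \"${WG_IF}\" ip saddr ${RELAY_TUNNEL_IP} ip daddr ${ip} ${proto} dport ${port} accept comment \"${name}\""
  done
  echo "    iifname \"${WG_IF}\" counter drop comment \"deny all other tunnel traffic\""
  echo "  }"
  echo "  chain input {"
  echo "    type filter hook input priority 0; policy accept;"
  echo "    iifname \"${WG_IF}\" icmp type echo-request accept comment \"relay health check\""
  echo "    iifname \"${WG_IF}\" counter drop comment \"nothing else reaches the router itself\""
  echo "  }"
  echo "  chain postrouting {"
  echo "    type nat hook postrouting priority srcnat; policy accept;"
  echo "    ip saddr ${RELAY_TUNNEL_IP} ip daddr { ${subnet_set} } masquerade"
  echo "  }"
  echo "}"
}

# Usage: ./clinic-gw.sh wg  > /etc/wireguard/wg0.conf
#        ./clinic-gw.sh nft | nft -f -
case "${1:-}" in
  wg)  gen_wg_conf ;;
  nft) gen_nft_rules ;;
esac
```

Adding a proxy link in ProxyLink does not by itself open anything on the router; with this ruleset, each new target also needs a line in TARGETS, which is the point: the allow-list on the gateway is the record of what the relay can touch, and a compromised relay account gets RDP to the PMS server, not the whole medical device VLAN.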

Audit Log for GDPR Compliance

Every ProxyLink session is logged automatically on paid plans: engineer identity, target IP and port, connection start time, and session duration. RDP sessions to the PMS server and SSH sessions to managed switches can be recorded per proxy link. For a GDPR audit or breach investigation, this is the access record that shows who reached patient data systems, when, and for how long — the per-session evidence that Article 32 technical controls were active.

ProxyLink's relay runs on Hetzner infrastructure in Germany. Session traffic stays within EU territory throughout. No US-based vendor is in the remote access path, which simplifies the GDPR data processing agreement stack for MSPs managing healthcare clients.

Deployment

A single-VLAN clinic on MikroTik or pfSense takes 20–30 minutes to configure. With ProxyLink's MikroTik auto-configuration — which connects to the router via SSH and deploys WireGuard automatically — setup takes under ten minutes; give it a dedicated RouterOS user for the deployment and remove that user afterwards rather than handing over the admin account. After that, every device at the clinic remains reachable with no open inbound ports on the clinic network and no agent maintenance on medical equipment.

Try ProxyLink free at app.proxylink.dev — no card required, free during early access. Setup guides for MikroTik, pfSense, OPNsense, and OpenWRT are in the docs.

ProxyLink is free during Early Access

One WireGuard tunnel on a router gives you browser RDP, VNC, and SSH to every device on the LAN. No agent on the target. No credit card. No trial countdown.
