I'm not comfortable with an MSP being able to remote into computers with private information. How is that access controlled?
This concern deserves a real answer, not reassurance - remote access IS powerful, and you should expect specific controls around it. Professional remote-management platforms provide them: every technician authenticates individually (no shared logins), every session is logged - which tech, which machine, when, for how long - and those logs are auditable by you. Access follows least privilege: technicians get the access their role requires, and departing employees are removed immediately.
For machines handling especially sensitive information, additional controls are reasonable to request: consent prompts so a remote session requires someone at the machine to approve it, restricted access lists for specific systems, and screen-recording of sessions on regulated equipment. In healthcare settings, the MSP should sign a business associate agreement, making its data obligations legally explicit. None of this is exotic - a mature provider offers it before you ask.
Two more things worth knowing. First, ask any prospective provider: 'Show me the audit trail from one of your remote sessions.' The speed of that answer tells you everything. Second, remember the counterfactual - the alternative to controlled, logged professional access is usually uncontrolled access: shared passwords, an ex-employee who still knows them, or remote tools installed ad hoc with no logging at all. The goal isn't avoiding remote access; it's making it accountable.
Want a straight answer about your setup?
Asheville Computer Company is a local managed IT provider based in Arden, minutes from most of Asheville.
Call (828) 290-9092 or visit ashevillecomputercompany.com for a free, no-pressure consultation.