Brightree is a cloud-based hospice EHR and billing platform used by thousands of hospice agencies across the United States. Its hospice-specific clinical documentation, billing, and care management tools are purpose-built for the hospice workflow. Like all major EHR platforms, Brightree maintains a Business Associate Agreement with your agency and provides security at the application and infrastructure level.
And like all EHR platforms, the security Brightree provides stops at the application boundary. What your nurses access Brightree on, where they access it from, how their credentials are protected, and what happens to Brightree-exported data in your broader environment — all of that is your agency's security responsibility, not Brightree's.
Understanding the Brightree Security Boundary
Brightree's responsibility (covered by their BAA):
- Hosted infrastructure security (physical security of data centers, network security of Brightree's cloud environment)
- Encryption of data in transit between Brightree's servers and your browser or application
- Application-level user authentication and role-based access within Brightree
- Audit logging within Brightree — access records, clinical documentation events
- Brightree's own incident response and breach notification obligations as a business associate
Your agency's responsibility (not covered by Brightree):
- Device security for every device used to access Brightree
- Network security for the environments from which Brightree is accessed
- Email security for communications related to Brightree workflows
- MFA configuration at the identity provider level (Brightree supports SSO/SAML integration)
- Backup of clinical and billing data exported from or supplementary to Brightree
- Physical security of devices containing Brightree data
- Staff training and behavior
The Five Security Layers Your Agency Must Add
Layer 1: Device Security
Brightree is accessed from laptops, tablets, and smartphones across your agency — from office workstations to field nurses' personal phones. Every device in that set is an attack surface.
Required controls:
- Encryption at rest on all devices (BitLocker on Windows, FileVault on macOS; on iOS and Android the storage encryption is tied to the device passcode, so the MDM policy must require a passcode and verify the encryption state rather than assume it)
- MDM deployment enabling remote wipe if a device is lost or stolen
- EDR (behavioral threat detection) on all endpoints
- Automated patch management ensuring current OS and browser versions
A hospice aide using an unencrypted personal tablet to access Brightree from a patient's home is a HIPAA compliance risk: if the tablet is lost, any cached or downloaded PHI is exposed. An encrypted, MDM-managed device with EDR and remote wipe is a defensible position, because the loss of the device no longer implies the loss of the data.
Layer 2: Authentication and MFA
Brightree supports integration with SAML 2.0 identity providers for single sign-on (SSO), enabling your agency to enforce MFA at the identity provider level — meaning every Brightree login is protected by your agency's MFA policy.
Configuring Brightree with Microsoft Entra ID or Okta SSO integration is the recommended approach. This provides:
- MFA enforced for every Brightree login, with the option of phishing-resistant methods (FIDO2 security keys or passkeys) for billing and administrative staff
- Conditional Access policies that can block access from non-compliant or unmanaged devices
- Centralized access management — deactivating a staff member's identity provider account simultaneously revokes Brightree access
Once SSO is live, confirm that direct username/password login to Brightree is disabled or restricted to documented break-glass accounts. A local login path that bypasses the identity provider also bypasses every MFA and Conditional Access policy you configured there.
Layer 3: Email Security
Brightree generates email notifications — billing alerts, clinical reminders, system notifications. Attackers impersonate these in phishing campaigns. An email spoofing a Brightree alert that directs a billing staff member to "verify account credentials" is a realistic attack vector.
Advanced email security with anti-impersonation protection, DMARC enforcement, and malicious link scanning stops most of these attacks before they reach your staff. Two caveats: the DMARC policy you publish protects your own domain from being spoofed, while exact-domain spoofing of Brightree's notification addresses depends on the DMARC policy Brightree publishes; and lookalike domains are not caught by DMARC at all, which is what the anti-impersonation and link-scanning layers are for. Train staff that a legitimate Brightree notification never needs them to re-enter credentials from an email link; they sign in through the agency's SSO portal.
Layer 4: Backup Outside Brightree
Brightree maintains its own data redundancy. But if your agency has data outside of Brightree — billing spreadsheets, exported reports, historical records, email correspondence containing clinical information — that data needs its own backup and disaster recovery program.
Immutable backups in cloud storage isolated from your primary network ensure that a ransomware attack does not destroy supplementary clinical and billing data.
Layer 5: Audit Log Review
Brightree's audit logging records access events within the application. The HIPAA Security Rule requires procedures to regularly review information system activity records such as audit logs (45 CFR 164.308(a)(1)(ii)(D)); it does not set a frequency, so your policy must set one. Quarterly is a reasonable minimum for routine review, and a review must also happen immediately following any suspected security incident. The review, and its findings, must be documented.
If a suspicious Brightree access event occurs — access at an unusual time, access to a large number of records by a single user, access from an unexpected geographic location — your audit log review process is how you catch it.
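The three signals above are straightforward to check mechanically once the audit log is exported. The following is an added example, not code from Brightree or from this page's author: it parses a constructed CSV export (the column names `timestamp,user,action,patient_id,source_country` and every row are invented for the example; Brightree's real export format may differ, so the parser is the part you adapt) and flags after-hours access, bulk access to many distinct patient records by one user, and logins from outside an allowed country list. Thresholds are parameters so the same review can be tuned to an agency's size.

```python
"""Triage a Brightree-style audit export for the review signals the text lists:
after-hours access, bulk record access by one user, unexpected geography.

The CSV layout and sample rows below are constructed for this example; adapt
parse_audit_csv() to the real export format.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export: one day of activity at a small agency.
SAMPLE_AUDIT_CSV = """timestamp,user,action,patient_id,source_country
2024-03-04T09:12:00,nurse.alvarez,VIEW_CHART,P1001,US
2024-03-04T09:30:00,nurse.alvarez,UPDATE_NOTE,P1001,US
2024-03-04T02:47:00,billing.chen,VIEW_CLAIM,P1002,US
2024-03-04T14:05:00,billing.kim,VIEW_CHART,P1003,US
2024-03-04T14:06:00,billing.kim,VIEW_CHART,P1004,US
2024-03-04T14:07:00,billing.kim,VIEW_CHART,P1005,US
2024-03-04T14:08:00,billing.kim,VIEW_CHART,P1006,US
2024-03-04T14:09:00,billing.kim,VIEW_CHART,P1007,US
2024-03-04T14:10:00,billing.kim,VIEW_CHART,P1008,US
2024-03-04T11:20:00,nurse.diaz,VIEW_CHART,P1009,RU
2024-03-04T16:45:00,nurse.diaz,UPDATE_NOTE,P1009,US
"""


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime   # assumed to be in the agency's local time zone
    user: str
    action: str
    patient_id: str
    source_country: str   # ISO 3166 alpha-2 code derived from the source IP


@dataclass(frozen=True)
class Finding:
    rule: str    # which review rule fired
    user: str
    detail: str


def parse_audit_csv(text: str) -> list[AuditEvent]:
    """Parse the constructed export format into typed events."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        AuditEvent(
            timestamp=datetime.fromisoformat(row["timestamp"]),
            user=row["user"].strip(),
            action=row["action"].strip(),
            patient_id=row["patient_id"].strip(),
            source_country=row["source_country"].strip().upper(),
        )
        for row in reader
    ]


def review_audit_events(
    events: list[AuditEvent],
    business_hours: tuple[int, int] = (6, 22),   # 06:00 to 21:59 counts as normal
    max_patients_per_user: int = 50,             # distinct charts one user may touch
    allowed_countries: frozenset[str] = frozenset({"US"}),
) -> list[Finding]:
    """Apply the three review rules and return every finding, in log order
    for per-event rules and then one finding per user for the bulk rule."""
    findings: list[Finding] = []
    patients_by_user: dict[str, set[str]] = defaultdict(set)
    start, end = business_hours

    for ev in events:
        patients_by_user[ev.user].add(ev.patient_id)
        if not (start <= ev.timestamp.hour < end):
            findings.append(Finding(
                "after_hours", ev.user,
                f"{ev.action} on {ev.patient_id} at {ev.timestamp.isoformat()}"))
        if ev.source_country not in allowed_countries:
            findings.append(Finding(
                "unexpected_geo", ev.user,
                f"{ev.action} on {ev.patient_id} from {ev.source_country}"))

    for user, patients in sorted(patients_by_user.items()):
        if len(patients) > max_patients_per_user:
            findings.append(Finding(
                "bulk_access", user,
                f"{len(patients)} distinct patient records "
                f"(threshold {max_patients_per_user})"))
    return findings


def main() -> None:
    events = parse_audit_csv(SAMPLE_AUDIT_CSV)
    # Threshold lowered to 5 so the small sample triggers the bulk rule.
    for f in review_audit_events(events, max_patients_per_user=5):
        print(f"[{f.rule}] {f.user}: {f.detail}")


if __name__ == "__main__":
    main()
```

Every finding this produces is a lead for the documented review, not a verdict: an on-call nurse legitimately charts at 02:00, and a billing clerk working a claims backlog legitimately opens many charts. The value is that the exceptions are listed and the reviewer writes down why each one was or was not a problem. If the export carries UTC timestamps, convert them to local time before applying the business-hours rule, and compare the identity provider's sign-in log against the same users and countries, since the source IP seen by Brightree is not always the one seen by the IdP.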
When Brightree Access Is Targeted
The most common attack scenario against a Brightree deployment involves credential theft: a phishing email targeting a billing staff member, capturing their Brightree username and password. Without MFA, those credentials provide direct access to patient records, billing data, and clinical documentation.
With MFA enforced at the identity provider level, stolen credentials alone do not access Brightree; the attacker also needs to satisfy the second factor. This single control removes the most common attack path. It does not remove every one: push-notification and one-time-code MFA can still be defeated by real-time phishing proxies and by "MFA fatigue" prompting, which is why phishing-resistant methods (FIDO2 keys or passkeys) are worth enforcing for the billing and administrative roles attackers target first.
The second most common scenario is a ransomware attack that locks the devices used to access Brightree. Even though Brightree itself (cloud-hosted) is unaffected, the agency cannot operate clinical workflows if ransomware has encrypted every workstation and laptop. Device security (EDR, to stop the encryption from running) and backup (immutable and isolated, to restore what was lost) are the defenses, and the immutable copy must also cover the device images and local files a rebuild depends on.
Secure your Brightree deployment with the controls the platform doesn't include. ShieldForce provides device security, MFA integration, email security, and backup for Brightree-based hospice agencies.
Explore Hospice Cybersecurity Solutions →
Get a free hospice security assessment — including a review of your EHR access controls.