From Zero to HIPAA-Ready: A 90-Day Cybersecurity Roadmap for Home Health Agencies Without IT Staff

Obi Ibeto

A practical, week-by-week 90-day roadmap for home health agencies with no IT department to achieve HIPAA-ready cybersecurity — covering the 2026 Security Rule update requirements.

Most home health agency administrators who need to address cybersecurity face the same problem: they know it is important, they are not sure where to start, and they have no IT staff to implement whatever they decide.

This 90-day roadmap is designed for exactly that situation. It is sequenced by priority — highest-impact items first — and clearly distinguishes between what a managed cybersecurity provider handles on your behalf and what requires your direct action as agency leadership.

By the end of 90 days, a home health agency that follows this roadmap will have the technical safeguards, documentation, and operational procedures required by the 2026 HIPAA Security Rule — and a defensible posture against ransomware, phishing, and BEC attacks.

Before Day 1: Choose a Healthcare-Specialized Managed Security Provider

The single most important decision in this roadmap comes before it starts: choose a managed cybersecurity provider that specializes in healthcare and specifically in home health.

A healthcare-specialized MSSP handles the technical implementation — EDR deployment, email security configuration, MFA enforcement, backup setup, vulnerability scanning — so you do not need IT staff to do it. They also provide the compliance documentation templates HIPAA requires and the 24/7 SOC monitoring your agency needs.

ShieldForce is built specifically for this scenario: home health agencies without IT departments that need HIPAA-ready cybersecurity without the complexity of enterprise security programs.

Week 1–2: Foundation and Triage

Day 1–3: HIPAA Risk Assessment

The starting point for every HIPAA compliance program is a risk analysis. This is not optional — it is the first thing OCR investigators request, and it is the document that defines what controls you need.

Your managed security provider conducts the risk assessment in collaboration with your operations leadership. The output is a prioritized list of risks with recommended controls. This document also serves as the foundation for your HIPAA Security Rule compliance program.

Action for agency leadership: Provide access to the systems and documentation the provider needs for the assessment. Designate a point of contact (this does not need to be a technical person — the compliance officer or operations director is appropriate).

Day 3–7: MFA Enforcement

MFA is the single highest-impact security control for stopping ransomware and BEC attacks. It is also required by the 2026 HIPAA Security Rule.

Your managed security provider configures MFA enforcement across Microsoft 365 or Google Workspace — all user accounts, no exceptions. This typically takes less than a day of technical work.

Action for agency leadership: Communicate to staff that MFA will be required. Staff will receive prompts to register their MFA method (typically Microsoft Authenticator or Google Authenticator on their phone). Plan for a brief help desk period as staff register.

Day 7–14: EDR Deployment

Behavioral endpoint detection and response is deployed on all agency-owned and field-staff personal devices (via MDM). This is a background agent that monitors device behavior for signs of malware, ransomware, and credential theft.

Action for agency leadership: Provide the device inventory. For BYOD personal devices, communicate to field staff that a lightweight security agent will be installed in a managed container — and that it does not monitor personal apps or data.

Week 3–4: Email Security and Data Protection

Email Security Configuration

Advanced email security — anti-phishing, anti-impersonation, Safe Links, Safe Attachments — is configured across your email platform. DMARC, DKIM, and SPF are set up to prevent domain spoofing.

Action for agency leadership: None required — this is managed by your provider. You may notice a brief delay in email delivery as the new filtering layers are activated.
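The DMARC, DKIM and SPF setup above is done by the provider, but agency leadership can still sanity-check the result. The script below is an added example, not ShieldForce's tooling: it evaluates a domain's published TXT records against a minimal baseline (a single SPF record ending in -all or ~all and within the 10-lookup limit, a DMARC policy stronger than p=none with a reporting address, and a non-empty DKIM key for each selector). The DNS records it reads are constructed sample data embedded in the file; the domain names, selector name and the "agency.example" records are assumptions, and a real check would replace the dictionaries with live TXT lookups for a domain you control.

```python
"""Evaluate SPF, DKIM and DMARC TXT records against a simple baseline.

Added example. SAMPLE_DNS and WEAK_DNS are constructed records, not live
DNS results; swap in real TXT lookups (e.g. dnspython) for your own domain.
"""
import re

# Constructed sample: DNS name -> list of TXT strings, for a well-configured domain.
SAMPLE_DNS = {
    "agency.example": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.agency.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example; pct=100"
    ],
    "selector1._domainkey.agency.example": [
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
    ],
}

# Constructed sample: a domain with common weaknesses.
WEAK_DNS = {
    "weak.example": [
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=spf1 a mx ?all",  # second SPF record: receivers treat this as permerror
    ],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # no DKIM key published for selector1
}

# SPF terms that cost a DNS lookup (qualifier prefix optional).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a:|mx$|mx:|exists:|redirect=)")


def parse_tags(record):
    """Split a 'k=v; k2=v2' style DMARC/DKIM record into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(txt_records):
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records (evaluates as permanent error)")
    terms = spf[0].split()
    if terms[-1] not in ("-all", "~all"):
        findings.append(f"SPF: record ends with '{terms[-1]}' rather than -all or ~all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceeds the limit of 10")
    return findings


def check_dmarc(txt_records):
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["DMARC: no record published at _dmarc"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unrecognised policy '{policy}'")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are never received")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 applies the policy to only part of the mail")
    return findings


def check_dkim(txt_records):
    keyed = [r for r in txt_records if "p=" in r]
    if not keyed:
        return ["DKIM: no key published for selector"]
    if not parse_tags(keyed[0]).get("p"):
        return ["DKIM: key record has an empty p= (key revoked)"]
    return []


def assess_domain(dns, domain, selectors=("selector1",)):
    """Run all three checks; an empty list means the baseline is met."""
    findings = check_spf(dns.get(domain, []))
    findings += check_dmarc(dns.get(f"_dmarc.{domain}", []))
    for sel in selectors:
        dkim = check_dkim(dns.get(f"{sel}._domainkey.{domain}", []))
        findings += [f"{sel}: {f}" for f in dkim]
    return findings


if __name__ == "__main__":
    for name, dns in (("agency.example", SAMPLE_DNS), ("weak.example", WEAK_DNS)):
        print(name, assess_domain(dns, name) or "baseline met")
```

The check is deliberately conservative: it flags p=none because a monitoring-only DMARC policy does nothing to stop a spoofed invoice or payroll-change email from reaching staff, which is exactly the BEC scenario the roadmap is trying to close off.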

Backup Activation

Automated daily backups are configured for your critical systems: EHR data exports, email (via Microsoft 365 backup), and cloud document storage. Backups are stored in immutable storage isolated from your production environment.

Action for agency leadership: Confirm what systems and data need to be included in backups. Your provider configures the backup jobs.
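Backups that are never verified are only assumed to exist. The script below is an added example, not part of ShieldForce's service, of the monthly backup verification the roadmap's ongoing-management section calls for: it checks every file in a backup set against the SHA-256 manifest the backup job wrote, and flags a set whose newest copy is older than the daily schedule allows. The backup files, manifest and timestamps are constructed in a temporary directory so it runs offline; the file names, the manifest layout and the 24-hour freshness threshold are assumptions, and in practice the files would be read back from the isolated, immutable store.

```python
"""Verify a daily backup set for integrity (manifest hashes) and freshness.

Added example. build_sample_set() writes constructed test data; a real run
would point verify_backup_set() at files restored from the immutable store.
"""
import hashlib
import os
import tempfile
import time


def sha256_of(path):
    """Stream a file through SHA-256 so large EHR exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup_set(backup_dir, manifest, now, max_age_hours=24):
    """Return {'backup_id': ..., 'problems': [...]}; an empty list means the set passes."""
    problems = []
    for name, expected in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif sha256_of(path) != expected:
            problems.append(f"hash mismatch: {name}")
    age_hours = (now - manifest["created"]) / 3600
    if age_hours > max_age_hours:
        problems.append(f"stale: newest backup is {age_hours:.1f}h old")
    return {"backup_id": manifest["id"], "problems": problems}


def build_sample_set(tmp, corrupt=False, hours_old=2):
    """Write a constructed backup set and its manifest (assumed layout, test data only)."""
    files = {
        "ehr_export.csv": b"patient_id,visit_date\n1001,2026-01-05\n",
        "mailbox_export.bin": b"\x21\x42\x44\x4e" + b"\x00" * 64,
    }
    manifest = {
        "id": "daily-2026-01-05",
        "created": time.time() - hours_old * 3600,
        "files": {},
    }
    for name, data in files.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
        manifest["files"][name] = hashlib.sha256(data).hexdigest()
    if corrupt:
        # Simulate silent corruption or tampering of one file after the manifest was written.
        with open(os.path.join(tmp, "ehr_export.csv"), "ab") as f:
            f.write(b"tampered\n")
    return manifest


def run_demo(corrupt=False, hours_old=2):
    """Build a sample set in a temp directory and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        manifest = build_sample_set(tmp, corrupt=corrupt, hours_old=hours_old)
        return verify_backup_set(tmp, manifest, now=time.time())


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(corrupt=True))
    print(run_demo(hours_old=30))
```

A hash check proves the copy matches what the backup job wrote, not that the data restores cleanly into the EHR or mailbox; a periodic test restore is still the only way to confirm that, and the monthly report from the provider is the place to ask for evidence of it.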

Week 5–6: Documentation

Incident Response Plan

Your managed security provider provides an incident response plan template tailored to home health agency operations. This covers: what to do in the first 30 minutes of a suspected breach, who to call (including the IR firm, legal counsel, and cyber insurance carrier), how to document the incident, and the HIPAA 72-hour notification procedure.

Action for agency leadership: Review and sign off on the plan. Identify the internal roles assigned to each step (who is the designated point of contact? Who contacts legal? Who communicates to staff?). Distribute to relevant staff.

Written Information Security Program (WISP)

Your managed security provider provides a WISP template that documents your security policies: acceptable use, access control, BYOD, incident response, data retention, and workforce training. This document is required by HIPAA and requested by OCR, cyber insurance carriers, and hospital contracting departments.

Action for agency leadership: Review, customize to reflect your specific policies, and execute as an official agency document.

Business Associate Agreements

Your managed security provider signs your BAA. Your compliance officer reviews all vendor relationships that involve ePHI access and ensures BAAs are in place with each.

Action for agency leadership: Provide a list of vendors with ePHI access. Your managed provider can help identify which relationships require BAAs.

Week 7–8: Staff Training and BYOD

Security Awareness Training — Round 1

The managed security provider deploys role-specific security awareness training — covering phishing recognition, mobile device security, BEC awareness, and HIPAA basics — to all staff. Completion is tracked and documented.

Action for agency leadership: Communicate to staff that training is required and HIPAA-mandated. Set a completion deadline.

Phishing Simulation — Baseline

A simulated phishing campaign is run against all staff to establish a baseline click rate. Results are used to focus ongoing training and to demonstrate to cyber insurance carriers that phishing risk is being actively managed.

Week 9–12: Testing, Scanning, and Refinement

Vulnerability Scan — Round 1

Your managed security provider conducts the first automated vulnerability scan of your environment, identifying unpatched software, misconfigured systems, and exposed services. Results are documented and used to prioritize remediation.

Review and Gap Close

The final two weeks are used to close any remaining gaps identified in the risk assessment or vulnerability scan, complete any outstanding documentation, and confirm that all required controls are operational.

After Day 90: Ongoing Management

The 90-day roadmap delivers the initial compliance posture. Maintenance is ongoing:

  • Monthly: Security reports, alert review, backup verification
  • Quarterly: Staff training reinforcement, phishing simulation
  • Biannually: Vulnerability scanning (required by 2026 HIPAA update)
  • Annually: Full risk assessment refresh, penetration test, WISP review, insurance renewal documentation

With a managed security provider, all of this is handled by the provider. Your team's ongoing involvement is limited to reviewing monthly reports and completing annual documentation signoffs.


Ready to start your 90-day HIPAA cybersecurity roadmap? ShieldForce handles the full implementation — risk assessment through ongoing monitoring — with no IT staff required on your side. Schedule a Free 15-Minute Consultation →
