Remote Wipe, Device Policies, and Lost Devices: A Practical Guide for Hospice Field Staff

Obi Ibeto

Hospice field staff frequently work with devices containing sensitive patient data in patient homes and community settings. Here's how to build a practical device security policy that works in the field.

A hospice nurse finishes a patient visit. She documents the visit on her iPad in the patient's driveway before driving to her next stop. The iPad — which she also uses personally — contains her agency's EHR access, several weeks of clinical documentation, and email correspondence about patient care. She sets it on the passenger seat.

At the next stop, she leaves the car briefly. When she returns, the passenger window is broken. The iPad is gone.

This scenario is not hypothetical. It is a routine occurrence across hospice and home health settings — and in every case, the response of the hospice agency determines whether this is a manageable security incident or a reportable HIPAA breach.

For hospice agencies whose field staff routinely work with devices in patient homes, community settings, parking lots, and personal vehicles, device security policy is not abstract. It is the practical infrastructure that determines the outcome when the inevitable happens.

The Device Inventory: What's Out There

Before building a device policy, a hospice agency needs to know what devices exist in its environment. This requires an honest inventory:

Agency-owned devices: Laptops, tablets, smartphones provided by the agency to clinical staff. These are easier to manage because the agency has full control — MDM, encryption, remote wipe, patching, app management.

Personal devices used for work (BYOD): Staff members' personal phones, tablets, or laptops used to access the EHR, email, or any agency system. These exist in nearly every hospice agency regardless of whether the policy acknowledges them. The question is whether they are managed.

Shared devices: In some hospice offices, tablets or workstations are shared between multiple staff members. Shared devices require individual user accounts and session management to prevent unauthorized access to other users' records.

Vendor devices: IT vendors, EHR implementation consultants, or billing contractors who connect devices to your network. These are third-party devices that may or may not meet your security standards.

The Three Foundational Device Controls

Control 1: Encryption

Every device that stores or accesses ePHI must be encrypted. For the lost iPad in the scenario above, if device encryption is enabled, the attacker who stole it cannot access the patient data it contains without the device PIN or passcode — even if they connect the iPad to a computer.

  • iOS (iPhone, iPad): Encryption is automatic when a passcode is set. Verify that all iOS devices used for work have a passcode set.
  • Android: Encryption must be verified in device settings. Modern Android devices (Android 6+) are typically encrypted by default, but this should be confirmed.
  • Windows laptops: Enable BitLocker Drive Encryption. Confirm with IT or your MDM platform.
  • Mac laptops: Enable FileVault. Confirm with IT or your MDM platform.

Control 2: MDM and Remote Wipe

Mobile Device Management (MDM) software allows your agency (or your managed security provider) to remotely wipe a device that is lost or stolen, erasing all data before an unauthorized person can access it.

For agency-owned devices, MDM manages the entire device. For personal BYOD devices, MDM manages a secure work container — all agency data, email, and apps live inside the container, which can be wiped independently of the personal device. The nurse's personal photos, contacts, and apps remain untouched; the agency data is erased.

Remote wipe only works if:

  1. MDM is installed on the device before it is lost
  2. The device is connected to the internet when the wipe command is issued
  3. Someone in your agency knows to initiate the wipe

Your incident response procedure for lost or stolen devices must include a clear instruction: "Contact [specific person] immediately. Provide the device type, approximate time of loss, and last known location. Remote wipe will be initiated."

Control 3: Screen Lock and PIN

Every device used for work must have a PIN or biometric lock that activates after a short period of inactivity. For field staff, the recommended timeout is 5 minutes — short enough to prevent casual access if a device is left unattended, long enough to not interfere with care documentation workflows.
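
A check of a device inventory against the three controls above, added here as an example and not part of the original article. The CSV column names, the sample rows, and the convention that a timeout of 0 means auto-lock is off are assumptions, not a real MDM export format.

```python
import csv
import io

MAX_LOCK_TIMEOUT_MIN = 5  # field-staff timeout recommended in this guide

# Constructed sample inventory; columns are hypothetical, not a vendor export format.
SAMPLE_INVENTORY = """\
device_id,ownership,platform,passcode_set,disk_encrypted,mdm_enrolled,lock_timeout_min
TAB-001,agency,ios,yes,,yes,5
TAB-002,byod,ios,no,,yes,0
PHN-003,byod,android,yes,yes,no,2
LAP-004,agency,windows,yes,no,yes,15
LAP-005,agency,macos,yes,yes,yes,5
"""

def is_yes(value):
    return value.strip().lower() == "yes"

def audit_device(row):
    """Return the list of control gaps for one inventory row."""
    findings = []
    passcode = is_yes(row["passcode_set"])
    # Control 1: iOS encrypts automatically once a passcode is set, so the
    # passcode is the check; other platforms need an explicit confirmation.
    encrypted = passcode if row["platform"] == "ios" else is_yes(row["disk_encrypted"])
    if not encrypted:
        findings.append("encryption: not confirmed")
    # Control 2: MDM must be on the device before it is lost.
    if not is_yes(row["mdm_enrolled"]):
        findings.append("mdm: not enrolled, remote wipe unavailable")
    # Control 3: assumed convention, a timeout of 0 means auto-lock is disabled.
    timeout = int(row["lock_timeout_min"] or 0)
    if not passcode or timeout == 0:
        findings.append("screen lock: no PIN or auto-lock")
    elif timeout > MAX_LOCK_TIMEOUT_MIN:
        findings.append(f"screen lock: timeout {timeout} min exceeds {MAX_LOCK_TIMEOUT_MIN}")
    return findings

def audit_inventory(csv_text):
    """Map device_id -> findings for every device with at least one gap."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["device_id"]] = findings
    return report

if __name__ == "__main__":
    for device, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(device, "->", "; ".join(findings))
```

Running the same check on a schedule shows which devices could not be wiped or would expose readable data if they were lost today.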

The BYOD Policy: Making Personal Devices Safe for Work

A BYOD policy does not mean a free-for-all. It is a written agreement between the agency and staff members who use personal devices for work, covering:

What the agency manages on your device: The MDM container (separate from personal data). The agency can see the container's security status and wipe the container. The agency cannot see personal photos, contacts, apps, or communications outside the container.

What you must do: Keep the device OS updated. Use a PIN or biometric lock. Report lost or stolen devices immediately. Do not jailbreak or root the device.

What the agency does if your device is lost: Remotely wipe the work container. Issue you a new work container setup when you have a replacement device.

What happens when you leave the agency: The work container is wiped remotely. Your personal data is unaffected.

This policy must be signed by every staff member using a personal device for work — before they are granted access to agency systems on that device.

The Lost Device Protocol

Every hospice agency needs a documented, tested protocol for lost and stolen devices:

  1. Staff member realizes device is lost or stolen
  2. Staff member immediately contacts the designated security contact (name and number in the protocol)
  3. Security contact initiates remote wipe via MDM console
  4. Security contact documents the incident: device type, last known access, data accessible, wipe status
  5. Compliance officer conducts risk assessment: was ePHI accessible? Was device encrypted? Was wipe successful?
  6. If risk assessment indicates potential breach: HIPAA breach notification process begins

This protocol should be rehearsed at least annually — not just documented. Staff should know exactly what to do, who to call, and what information to have ready.

