Most home health agencies eventually recognize they need help with cybersecurity. The harder problem is knowing what to look for — and what questions separate a provider that understands healthcare from one that will give you a generic IT security product with a HIPAA sticker on it.
This guide gives you ten questions to ask any cybersecurity provider before signing a contract. The answers will tell you whether the provider has real experience with home health compliance, distributed care environments, and the regulatory frameworks your agency operates under.
The 10 Questions
1. Do you specialize in home health and home-based care environments?
General managed security service providers (MSSPs) serve everyone from law firms to manufacturing companies. A cybersecurity provider that serves home health agencies exclusively — or as a defined specialty — understands the specific compliance framework (HIPAA Security Rule, SHIN-NY if you're in New York, CMS Conditions of Participation for hospice, Massachusetts Data Security Law 201 CMR 17.00, etc.), the operational reality of distributed field teams, and the care delivery constraints that affect how security controls are deployed.
A generic MSSP will treat your agency like any small business. A healthcare-specialized provider will recognize that your field nurses can't spend 20 minutes configuring a VPN at a patient's bedside.
What to listen for: Specific experience with HIPAA compliance programs, not just general cybersecurity. References from other home health agencies or healthcare organizations. Knowledge of SHIN-NY, CMS CoP, and HRSA requirements.
2. Do you provide a signed Business Associate Agreement?
Under HIPAA, any vendor with access to your ePHI is a business associate and must sign a BAA. A BAA establishes the vendor's responsibilities for protecting your patient data and defines breach notification obligations.
A provider unwilling or unable to sign a BAA is not a compliant partner for a HIPAA covered entity. This is a disqualifying issue, not a negotiating point.
What to listen for: "Yes, we provide a BAA and it's signed on day one." Any hesitation or redirection is a red flag.
3. Is your SOC monitoring available 24/7, including nights and weekends?
Ransomware attacks are frequently timed for nights, weekends, and holidays, when fewer people are watching. A SOC that operates 8am–5pm Monday through Friday provides no protection during the hours when attacks most commonly execute. Healthcare environments require around-the-clock monitoring.
What to listen for: "24/7/365 monitoring with documented response procedures." Ask specifically what happens at 2am on a Sunday — who is watching, what is their response time, and what do they do when an alert fires?
4. How do you handle deployment for organizations without IT staff?
Most home health agencies don't have a dedicated IT department. Your executive director and compliance officer should not need to become IT project managers to implement cybersecurity. Ask about onboarding timelines, what the provider handles versus what you are expected to do, and whether there is a dedicated implementation team.
What to listen for: "We manage the full deployment, including remote agent installation on field devices." A realistic onboarding timeline (ShieldForce completes most deployments within 72 hours).
5. What does your pricing model look like, and are there hidden costs?
Healthcare cybersecurity pricing varies widely. Per-user-per-month pricing is the most transparent model for home health agencies, where headcount is predictable. Watch for providers who quote low base prices and then add implementation fees, support tiers, incident response charges, or annual true-up adjustments.
What to listen for: Flat per-user pricing that includes onboarding, support, and incident response. ShieldForce starts at $35/user/month with no hidden fees.
6. Can you provide the compliance documentation my agency needs for HIPAA and audits?
Your cybersecurity provider should generate the audit-ready documentation that HIPAA requires — risk assessment documentation, security policy templates, staff training completion records, incident response plans, and monthly compliance reports. This documentation is what OCR investigators and cyber insurance carriers request first.
What to listen for: "We provide HIPAA-aligned security policies, risk assessment documentation, and monthly compliance reports as a standard part of our service." If documentation is an add-on or requires additional engagement, that's a yellow flag.
7. What is your approach to field device security and BYOD?
If a provider's answer to field device security is "make sure your nurses only use agency devices," they don't understand the operational reality of home health. Ask specifically about MDM for personal devices, BYOD policy support, and how they handle the range of devices a distributed field team uses.
What to listen for: A specific MDM approach, a discussion of BYOD frameworks, and experience managing personal devices in HIPAA-compliant settings.
8. Have you worked with agencies facing SHIN-NY compliance requirements?
If your agency operates in New York, SHIN-NY is a specific compliance obligation that requires a provider familiar with the framework — CSPP documentation, MFA enforcement, audit logging, and the specific requirements of the NYeHealth statewide health information network.
What to listen for: Direct experience with SHIN-NY. Knowledge of CSPP and SCPA requirements. Familiarity with the Home Care Alliance of Massachusetts and equivalent NY organizations.
9. What is your incident response process if we are breached?
Before you sign, understand exactly what happens if your agency experiences a ransomware attack or data breach while under the provider's service. Who do you call? What is the response time? What forensic capabilities does the provider have? What is their relationship with your cyber insurance carrier?
What to listen for: A documented incident response process, a defined escalation path, and experience managing healthcare breach response. If the answer is vague, the process doesn't exist.
10. Can you provide references from home health agencies similar to ours?
Ask for references — agencies of similar size, similar geography, and similar compliance obligations. A cybersecurity provider confident in their healthcare vertical experience will have references to offer. A provider without home health-specific references is selling you a general product.
The Decision Framework
After these ten questions, you should be able to categorize providers into three buckets:
Healthcare-specialized with home health experience: Signs BAA, has 24/7 SOC, handles full deployment, provides compliance documentation, has SHIN-NY familiarity, has home health references. This is what your agency needs.
General healthcare-adjacent: Knows HIPAA broadly and is willing to sign a BAA, but lacks home health-specific experience and expertise with distributed field-care environments. May be adequate with significant customization.
General MSSP: No healthcare specialization, uncertain on BAA, no 24/7 SOC, no compliance documentation. Not appropriate for a HIPAA covered entity in home healthcare.
ShieldForce answers yes to all ten questions. We are purpose-built for home health agencies and community health centers — HIPAA-ready, BAA included, 24/7 SOC, full deployment management.
Compare ShieldForce to your current provider using these ten questions.