Security awareness training teaches home health staff to recognise suspicious emails. It almost never teaches them what to do in the fifteen minutes after they click on one anyway — because they were rushed, because the email looked convincing, because they were navigating to a patient home and confirmed the appointment link without thinking. Those fifteen minutes are the most consequential window in a phishing attack. The technical damage from a phishing click is rarely immediate — attackers typically need time to harvest credentials, establish persistence, and escalate access. Early, correct response in that window can contain an incident that would otherwise become a breach.
The six-step protocol below is written for distribution to home health staff — in plain language, without technical jargon, short enough to be read and remembered rather than filed and forgotten.
Step 1: Stop Everything You Are Doing on That Device
The moment you realise you may have clicked a malicious link or entered credentials on a suspicious page, stop using the device. Do not try to close the browser window. Do not try to delete the email. Do not restart the device. Do not try to find and remove whatever the link may have installed. Any action you take on the device — even well-intentioned action — can destroy the forensic evidence that your security team needs to understand what happened, and may trigger additional malicious activity that was waiting for user interaction to proceed.
Put the device down. Pick up your phone if it is a separate device. Move to Step 2.
Step 2: Do Not Try to Fix It Yourself
The instinct to fix the problem quietly — to undo what happened, to make it as if the click never occurred — is understandable and consistently makes situations worse. Staff who delete suspicious emails before reporting them destroy evidence. Staff who attempt to change their own passwords before contacting IT may trigger account lockouts that complicate the response. Staff who restart devices to "clear" whatever was installed lose forensic data that incident responders need.
You are not in trouble for clicking a suspicious link. Phishing emails are designed by professionals to be convincing. The only thing that creates a problem is not reporting it. The five minutes you spend trying to fix it quietly are five minutes the attacker has to deepen their access.
Step 3: Call Your Security Contact Immediately
Every home health staff member should have a single phone number memorised or saved in their personal phone: the IT security helpdesk or the managed security provider's direct line. Not the main office number. Not a colleague's email. The specific number that reaches someone who can act on a phishing report immediately. At ShieldForce-managed agencies, this is our 24/7 security operations line, answered by a human analyst who understands healthcare context.
Make the call from your personal phone if the incident occurred on your work device. Describe what happened: "I think I clicked a phishing link in an email that appeared to be from [sender]. I may have entered my [EHR/Microsoft 365/other] password on a page that appeared to be a login screen." Specific information — the sender, the link, and what you may have entered — is far more useful than "I think something bad happened."
Step 4: Write Down Everything You Remember, Right Now
Memory fades quickly under stress. While the security team is responding, write down: the sender's email address as it appeared; the subject line; the link you clicked (or the destination URL you were taken to); what the page looked like; what you entered on the page; and the approximate time the click occurred. This documentation is the forensic narrative that supports the incident investigation, the HIPAA four-factor breach risk assessment, and any subsequent OCR inquiry.
Step 5: Do Not Use That Device Until Released by Security
The device you clicked on should be treated as potentially compromised until the security team has assessed it and given clearance. Do not use it to access any work systems — the EHR, email, scheduling platforms — until you receive explicit confirmation that the device has been assessed and cleared, or has been re-imaged.
Step 6: Change Passwords on Any Other Accounts That Use the Same Password
If you entered a password on the suspicious page that you also use for any other account, any account, work or personal, change those other accounts' passwords now, from a clean device. Use your password manager to generate a unique replacement for each. Leave the work account whose password you entered to the security team (see Step 2). Those other accounts are the ones most likely to be compromised next if your work credential was stolen: attackers try a stolen password against other services immediately, so every account sharing it is exposed until it is changed.
Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.
→ Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment
→ Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare
→ View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison