There is a specific kind of paralysis that strikes home health agency administrators in the first hour of a cybersecurity incident. Systems are down or behaving strangely. Staff are calling with questions. It is unclear what is happening, who to call, or what to do first.
That paralysis is not a character failing. It is the predictable result of having no pre-written incident response plan and no prior experience with what a serious cybersecurity incident feels like from inside an organization experiencing one.
The agencies that navigate cybersecurity incidents well are not the ones with better IT staff or more sophisticated technology. They are the ones that made decisions — about who to call, what to do, and in what order — before the incident occurred.
This is that plan.
Before the Incident: The Two Documents You Need Ready
Document 1: Incident Response Contact List
A single page with:
- Your managed security provider's 24/7 emergency line (ShieldForce SOC: [your SOC number])
- Your healthcare privacy attorney's direct cell
- Your cyber insurance carrier's claims line (and your policy number)
- Your IT vendor's emergency contact
- Your board chair's phone number
- Your HIPAA Security Officer's name and phone
- Your clinical operations director's phone (who manages field staff communication)
Print this and post it in the administrator's office. Save it in every leader's phone contacts labeled "CYBER INCIDENT." It should be accessible when email and the computer are both unavailable.
Document 2: Incident Response Decision Tree
A one-page flowchart covering: Is this a potential ransomware incident or a system failure? Who makes the determination? What do you do in the first 30 minutes?
Hour 0–1: Identify and Isolate
Minute 1–10: Determine if this is a security incident or a system failure
System failures (power outage, internet outage, cloud platform outage) look similar to security incidents at first glance — systems are down, staff can't access records. The distinguishing signs of a security incident:
- Ransom note on screen(s)
- Files with unfamiliar extensions (ransomware renames encrypted files)
- Unexpected account lockouts across multiple users simultaneously
- Antivirus alerts firing across multiple machines
- Systems accessing unusual internet addresses
If you see any of these signs, treat it as a security incident. You can revise this assessment later. You cannot un-ring the bell of a delayed response.
Minute 10–30: Call your managed security provider or IT contact immediately
Do not attempt to investigate or remediate yourself. Do not restart compromised systems — this can destroy forensic evidence. Do not disconnect your internet router — this can prevent remote investigation by your security team.
Call ShieldForce's 24/7 emergency line. Describe what you are seeing. The SOC team will remotely investigate, isolate affected systems, and begin triage. Your job at this stage is to be on the phone and available — not to be the IT person.
Minute 30–60: Isolate what you can without destroying evidence
If your security provider instructs you to disconnect specific devices — a specific workstation, a specific server — follow their instructions precisely. Do not take broader action than instructed.
Document everything you observe: what time you first noticed a problem, what systems are affected, what messages appeared on screen. Photographs of ransom notes or error messages on screens are useful forensic documentation.
Hour 1–4: Assess and Activate
Notify clinical leadership first
Before calling the board, before calling attorneys, before calling anyone else: notify your clinical operations director or director of patient care. She needs to know that systems are potentially unavailable so she can activate downtime procedures and ensure field nurses are safe and can continue providing care.
Care delivery continues during a cybersecurity incident. Patients don't pause. Your clinical communication chain must be activated immediately and independently of the IT response.
Activate downtime procedures
Your downtime procedures — the pre-written plan for how the agency functions when EHR and scheduling systems are unavailable — are now active. Field nurses switch to paper documentation. Scheduling coordinators manage via phone. Priority patients (those with time-sensitive medication needs or complex conditions) are identified and assigned supervisory check-ins.
Notify your cyber insurance carrier
Call the claims line on your policy card. Give them your policy number and a brief description of the incident. This call starts the clock on their involvement and activates any coverage for forensic investigation, legal counsel, and business interruption. Many policies require prompt notification as a condition of coverage — delay can create coverage complications.
Notify your healthcare privacy attorney
Brief your attorney on what has happened. They will advise on breach notification obligations, communication with OCR, and any regulatory reporting timelines. They will also guide communication with affected parties — what to say, what not to say, and when.
Hour 4–24: Investigate and Contain
By hour four, your managed security provider's forensic team is actively investigating. You will begin receiving preliminary findings:
- What systems were affected? Which endpoints were compromised, which systems were encrypted or accessed, and which were untouched?
- Was data exfiltrated? Network traffic analysis may show data being sent to external servers in the hours or days before the encryption event. This is the difference between a ransomware incident and a reportable HIPAA breach.
- What was the entry point? Phishing email? Credential theft? VPN vulnerability? The entry point determines the immediate remediation actions — password resets, VPN patches, email security adjustments.
- What is the scope of patient impact? Which patients' data was potentially accessed or exfiltrated? This determination drives the breach notification decision.
The Breach Notification Decision
By the end of the first 24 hours, you and your attorney will be making a preliminary determination on the breach notification question: does this incident trigger HIPAA's Breach Notification Rule?
The rule creates a presumption of breach unless you can demonstrate low probability of PHI compromise based on a four-factor risk assessment. If data was exfiltrated — if an attacker removed patient records from your environment — the presumption is very difficult to overcome. Breach notification is almost certainly required.
If no data exfiltration occurred and systems were encrypted but not accessed — which behavioral EDR and network monitoring can confirm — there may be a defensible argument that breach notification is not required. This is a legal determination made by your attorney, informed by the forensic findings.
Never face the first 24 hours alone. ShieldForce provides 24/7 incident response support — our SOC team is the first call when something goes wrong, and we stay with you through investigation, containment, and recovery.
Build your incident response plan before you need it.