Securing Netsmart myUnity: What Hospice Agencies Need Beyond the EHR Vendor's Defaults

Obi Ibeto

Netsmart myUnity is a leading hospice EHR — but vendor security doesn't cover your devices, networks, or staff behavior. Here's what hospice agencies must add to be HIPAA-compliant.

Netsmart myUnity is one of the most widely used EHR platforms in hospice and post-acute care. Its integration capabilities, care coordination tools, and clinical documentation features make it a strong operational platform for hospice agencies. Its security architecture — as a hosted, cloud-based application — includes meaningful protections at the application and infrastructure level.

What it does not include is security for the devices, networks, and user behaviors through which your staff access it. That responsibility belongs to your agency, and understanding exactly where Netsmart's security responsibilities end and yours begin is the starting point for a complete hospice cybersecurity program.

What Netsmart Provides (and What It Doesn't)

What Netsmart's security covers:

  • Infrastructure security for the hosted myUnity application
  • Encryption of data in transit between Netsmart's servers and your devices
  • Application-level access controls within myUnity (user roles and permissions)
  • Netsmart's own Business Associate Agreement, which covers their handling of your patients' ePHI
  • Audit logging within the application — who accessed which patient record, when

What Netsmart's security does NOT cover:

  • The device your nurse uses to access myUnity
  • The network your administrator connects from (home Wi-Fi, hotel Wi-Fi, the patient's home network)
  • The email account that receives myUnity notifications or clinical communications
  • The behavior of your staff — whether they click phishing emails, share passwords, or use MFA
  • Your agency's Microsoft 365 or Google Workspace environment
  • Your backup and disaster recovery capability if myUnity data is inaccessible
  • The physical security of devices containing cached myUnity data

This gap — between what the EHR vendor provides and what a complete HIPAA-compliant security program requires — is where hospice cybersecurity incidents originate.

The Device Layer: Protecting What Accesses myUnity

Every device used to access Netsmart myUnity is a potential entry point for an attacker — and a potential HIPAA breach if it is lost, stolen, or compromised.

Encryption: Every device must be encrypted. If a nurse's tablet used to access myUnity patient records is stolen from her car, device encryption prevents the records from being accessed by whoever finds it.

MDM (Mobile Device Management): MDM provides remote wipe capability — the ability to erase agency data from a device that is lost or stolen. For BYOD personal devices, MDM manages a secure container holding agency data, which can be wiped independently of the personal device without affecting personal photos or apps.

EDR (Endpoint Detection and Response): Behavioral threat detection on every device that accesses myUnity. If malware on a device attempts to steal credentials used to log into myUnity, EDR detects and stops it.

Patch management: Devices must run current operating system and software versions. An unpatched device accessing myUnity is a vulnerable device. Automated patch management ensures updates are applied without requiring staff action.

The Access Layer: Securing myUnity Authentication

MFA on myUnity access: Netsmart myUnity supports MFA integration via SAML 2.0 with identity providers like Microsoft Entra ID. Configuring this integration means every myUnity login requires MFA — a stolen password alone cannot access patient records.

If your agency uses Microsoft 365, the MFA configuration for myUnity and M365 can be unified under Conditional Access policies, so staff experience a single seamless authentication flow that satisfies MFA requirements for both platforms.

Access reviews: Netsmart's application-level role management ensures that clinical staff see the records relevant to their role. But the account review process — confirming that former employees are deactivated and current staff have appropriate permissions — is your agency's responsibility. Conduct quarterly access reviews and immediately deactivate accounts when staff leave.
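One way to run the quarterly review described above is to reconcile an account list against the HR roster. This is an added example, not Netsmart's tooling: the CSV column names, role names and the job-title-to-role policy are hypothetical, and the data is constructed.

```python
import csv
import io

# Constructed sample data. Column names are hypothetical, not a myUnity export format.
HR_ROSTER = """employee_id,name,job_title,status
1001,A. Rivera,RN Case Manager,active
1002,B. Chen,Billing Specialist,active
1003,C. Okafor,Hospice Aide,terminated
"""
EHR_ACCOUNTS = """username,employee_id,role,enabled
arivera,1001,Clinical-RN,true
bchen,1002,Clinical-RN,true
cokafor,1003,Clinical-Aide,true
tempnurse,,Clinical-RN,true
dold,1004,Billing,false
"""
# Assumed agency policy: which application roles each job title may hold.
ALLOWED_ROLES = {
    "RN Case Manager": {"Clinical-RN"},
    "Billing Specialist": {"Billing"},
    "Hospice Aide": {"Clinical-Aide"},
}

def review_access(hr_csv, accounts_csv, allowed_roles):
    """Return (username, finding) pairs for enabled accounts that need action."""
    staff = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].lower() != "true":
            continue  # already deactivated, nothing to do
        person = staff.get(acct["employee_id"])
        if person is None:
            findings.append((acct["username"], "no matching employee: verify owner or disable"))
        elif person["status"] != "active":
            findings.append((acct["username"], "employee no longer active: disable now"))
        elif acct["role"] not in allowed_roles.get(person["job_title"], set()):
            findings.append((acct["username"],
                             f"role {acct['role']} not allowed for {person['job_title']}"))
    return findings

if __name__ == "__main__":
    for user, finding in review_access(HR_ROSTER, EHR_ACCOUNTS, ALLOWED_ROLES):
        print(f"{user}: {finding}")
```

Shared or temporary accounts with no employee ID show up as unowned, which is usually the first thing an access review needs to resolve.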

The Email Layer: Protecting myUnity Notifications

Netsmart myUnity sends email notifications: care plan reminders, system alerts, clinical documentation prompts. These emails go to your staff's inboxes. Attackers impersonate these notifications in phishing campaigns, knowing that hospice staff who routinely receive myUnity emails will be less suspicious of a convincing fake.

Advanced email security — specifically anti-impersonation protection that detects domain spoofing — protects your staff from myUnity-branded phishing. DMARC configuration on your domain prevents attackers from sending email that appears to come from your agency's domain.

The Backup Layer: What Happens if myUnity Is Inaccessible

Netsmart myUnity is a cloud-hosted platform — Netsmart maintains its own infrastructure redundancy. If Netsmart experiences an outage, your access to myUnity is disrupted but the data itself is not at risk.

However, if your agency's network or devices are compromised — if a ransomware attack encrypts the devices used to access myUnity — you may lose access to critical clinical data that you have stored locally, in email, or in documents derived from myUnity exports. Additionally, if your agency has data that resides outside of myUnity (historical records, documents, email), that data needs its own backup.

Your disaster recovery plan should include downtime procedures for myUnity access disruption, backup of all clinical data not hosted in myUnity, and clear documentation of what to do if the primary myUnity connection is unavailable.


Complete the security picture around your Netsmart myUnity deployment. ShieldForce secures the devices, networks, email, and access layer that myUnity doesn't cover — for fully HIPAA-compliant hospice operations.
