WellSky Security for Home Health Agencies: The HIPAA Layer WellSky Does Not Include

WellSky secures its application — but your devices, email, and networks are outside that boundary. Here is what every WellSky-using home health agency must build around the platform.

WellSky is the home health and therapy platform that serves more large and mid-size agencies than any other in the country. Its clinical workflow depth, scheduling integration, and billing capability make it operationally strong. Its security posture at the application and infrastructure level is legitimate — WellSky maintains enterprise-grade cloud security and provides a Business Associate Agreement that covers the platform. The conversation I have with WellSky-using agencies consistently turns on the same misconception: that WellSky's BAA means WellSky is handling their HIPAA compliance. It does not. It means WellSky is handling HIPAA compliance for the WellSky application. The rest is the agency's responsibility.

The "rest" encompasses the majority of the attack surface where home health breaches actually occur. The WellSky application has never been the point of entry in a home health agency breach that I have investigated. The email accounts that receive WellSky notifications have been. The devices that field nurses use to access WellSky have been. The credentials that clinical staff chose for their WellSky logins, and reused across personal accounts that were subsequently breached on consumer websites, have been. Every home health agency using WellSky needs a security layer that protects the environment around the platform.

The WellSky Security Boundary: What the BAA Covers

WellSky's Business Associate Agreement covers the WellSky application and the cloud infrastructure that WellSky manages to run it. This includes: the servers and databases that store patient data within the WellSky environment; the network connections between WellSky's infrastructure components; the WellSky application's authentication mechanisms (username and password login, and MFA if configured through WellSky's native settings); the encryption of data stored within the WellSky database; and the WellSky audit logging of user activity within the platform. It does not cover anything that happens outside the WellSky application boundary — which is where most of the risk lives.

Layer 1: Device Security for Every WellSky Access Point

Every device that connects to WellSky — from clinical supervisor laptops to field nurse tablets to personal smartphones running the WellSky mobile app — is an ePHI access point that the agency must secure. The 2026 HIPAA mandatory requirements apply to each device: behavioral EDR must be installed and reporting, full disk encryption must be verified and documented, and MDM enrollment must be confirmed with compliance policies enforced.

WellSky's mobile application for iOS and Android is a particularly important focus area. Field nurses who use WellSky Mobile on personal smartphones are accessing patient care data in uncontrolled environments — patient homes, vehicles, public spaces — on devices the agency may never have inventoried. MDM container management for the WellSky mobile app isolates clinical data from personal apps on the device, enforces encryption for the container specifically, and enables remote wipe of clinical data without accessing personal content. Every device running WellSky Mobile should be enrolled in MDM with these controls active before clinical data access is permitted.

Layer 2: MFA Enforcement Beyond WellSky Native Authentication

WellSky supports MFA through its native authentication settings. However, MFA configured within the WellSky application protects only WellSky logins — it does not protect the Microsoft 365 or Google Workspace accounts that the same staff member uses for email, scheduling documents, and other clinical communication. The recommended approach: integrate WellSky with your organisation's identity provider (Microsoft Entra ID or Google Identity) through SSO, then enforce MFA at the identity provider level. This single MFA enforcement point covers WellSky access and every other cloud service the staff member accesses through the same identity provider.

SSO integration also provides a significant operational security benefit: when a staff member leaves the agency, deactivating their account in the identity provider immediately terminates their access to WellSky and every other integrated service simultaneously. Without SSO, separate deactivation actions are required in each system — and missed deactivations create the persistent access vulnerabilities that access control reviews repeatedly identify.
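The missed-deactivation problem above is what a periodic access review has to catch in any system that is not behind SSO. The following is an added example, not code from the original post, from ShieldForce or from WellSky: it reconciles a constructed identity-provider export against a constructed application user export and flags accounts that are still active in the application although their identity is disabled or absent, plus dormant accounts. Field names and the review date are assumptions.

```python
"""Access review: find application accounts with no live identity-provider account.

Both exports are constructed samples; the field names are assumptions, not the
actual export format of any identity provider or of WellSky.
"""
from datetime import date

TODAY = date(2026, 3, 5)  # constructed review date so the sample is reproducible

# Constructed IdP export: login -> accountEnabled
IDP_USERS = {
    "rn.alvarez@agency.example": True,
    "pt.chen@agency.example": False,        # offboarded in the IdP last week
    "per.diem.nurse@agency.example": True,
    "sup.okafor@agency.example": True,
}

# Constructed application export: login, active flag, last successful login
APP_USERS = [
    {"login": "rn.alvarez@agency.example", "active": True, "last_login": date(2026, 3, 2)},
    {"login": "PT.Chen@agency.example", "active": True, "last_login": date(2026, 2, 27)},
    {"login": "old.contractor@agency.example", "active": True, "last_login": date(2025, 9, 14)},
    {"login": "per.diem.nurse@agency.example", "active": True, "last_login": date(2025, 11, 1)},
    {"login": "sup.okafor@agency.example", "active": True, "last_login": date(2026, 3, 1)},
]


def find_orphaned_app_accounts(idp_users, app_users, today, dormant_days=90):
    """Return (login, reason) pairs for active application accounts that need review.

    Flags an account whose IdP identity is missing, whose IdP identity is disabled
    (a missed deactivation), or that has not logged in for more than dormant_days.
    """
    idp = {login.lower(): enabled for login, enabled in idp_users.items()}
    findings = []
    for user in app_users:
        if not user["active"]:
            continue  # already deactivated in the application; nothing to do
        login = user["login"].lower()  # logins are compared case-insensitively
        enabled = idp.get(login)
        if enabled is None:
            findings.append((login, "no identity provider account"))
        elif enabled is False:
            findings.append((login, "disabled in identity provider but still active in application"))
        elif (today - user["last_login"]).days > dormant_days:
            findings.append((login, f"dormant for more than {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for login, reason in find_orphaned_app_accounts(IDP_USERS, APP_USERS, TODAY):
        print(f"{login}: {reason}")
```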

Layer 3: Email Security and the WellSky Notification Vector

WellSky generates automated notifications to clinical and administrative staff — visit assignments, schedule changes, billing alerts, clinical flags, and system messages. Attackers who have identified an agency's WellSky deployment can craft phishing emails that convincingly impersonate WellSky notifications, directing recipients to fake WellSky login pages that harvest credentials. The targeting is specific and effective: a WellSky notification email arrives in a clinical context that makes the user predisposed to respond quickly without scrutinising the sender.
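To make the impersonation pattern concrete from the detection side, here is an added example that is not part of the original post and not a ShieldForce or WellSky rule: a classifier for an inbound From header that flags the two signs described above, a display name claiming WellSky while the sender domain is not a known WellSky domain, and a lookalike domain built around the brand name. The allowed sender domain is a placeholder; the real value is whatever WellSky uses for your deployment.

```python
"""Flag inbound From headers that impersonate WellSky notifications.

Constructed sample headers; the allowlist is a placeholder to be replaced with the
notification sender domain(s) WellSky actually uses for your deployment.
"""
from email.utils import parseaddr

BRAND = "wellsky"
# PLACEHOLDER: legitimate notification sender domain(s); not WellSky's real domain
ALLOWED_SENDER_DOMAINS = {"notifications.wellsky.example"}


def _is_allowed(domain):
    """True when the domain is an allowed sender domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_SENDER_DOMAINS)


def classify_sender(from_header):
    """Return reasons the message looks like WellSky impersonation (empty list = clean)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable From address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if _is_allowed(domain):
        return []  # genuine sender domain; SPF/DKIM alignment is checked by DMARC, not here
    reasons = []
    if BRAND in name.lower():
        reasons.append(f"display name claims {BRAND} but sender domain is {domain}")
    # Strip separators so "well-sky" or "wellsky_alerts" style domains are still caught
    if BRAND in domain.replace("-", "").replace("_", ""):
        reasons.append(f"lookalike sender domain {domain}")
    return reasons


# Constructed sample headers covering a genuine notification, both impersonation
# patterns, and unrelated internal mail
SAMPLE_FROM_HEADERS = [
    "WellSky Notifications <alerts@notifications.wellsky.example>",  # genuine
    "WellSky Scheduling <no-reply@mail-delivery.example>",            # brand in name only
    "Visit Updates <noreply@wellsky-alerts.example>",                 # lookalike domain
    "Billing <ar@agency.example>",                                    # unrelated
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", classify_sender(header) or "clean")
```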

DMARC configuration on your email domain prevents spoofing of your agency's domain in emails to your staff. Anti-impersonation protection in your email security platform flags emails that impersonate WellSky sender addresses, even when the email passes basic spam filters. Safe Links rewrites the URLs in WellSky impersonation phishing emails and checks the destination in real time — catching phishing pages that were not yet in reputation databases at delivery time.
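DMARC only delivers the spoofing protection described above when the published policy actually enforces. The following is an added example, not from the original post and not a ShieldForce or WellSky tool: it parses a DMARC TXT record and reports whether the domain is enforcing (quarantine or reject, applied to 100% of mail, subdomains included) or merely monitoring. The records are constructed samples; in production the record comes from a TXT lookup of _dmarc.<your-domain>.

```python
"""Evaluate a DMARC TXT record for the spoof protection it actually provides.

Records below are constructed samples; real ones come from DNS.
"""


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tags and stripped values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return (enforcing, findings) for one DMARC TXT record, or for None when no record exists."""
    if not record:
        return False, ["no DMARC record: your domain can be spoofed to your own staff"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["missing v=DMARC1: receivers ignore the record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    full_coverage = pct.isdigit() and int(pct) >= 100
    if not full_coverage:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    sub_policy = tags.get("sp", policy).lower()  # sp inherits p when absent
    if sub_policy not in ("quarantine", "reject"):
        findings.append(f"sp={sub_policy or 'missing'}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on spoofing attempts")
    enforcing = policy in ("quarantine", "reject") and full_coverage
    return enforcing, findings


# Constructed sample records
SAMPLE_RECORDS = {
    "none": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
    "partial": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@agency.example",
    "reject": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@agency.example",
    "missing": None,
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(label, "->", evaluate_dmarc(record))
```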

Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.

Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment

Explore Home Healthcare Cybersecurity — shieldforce.io/home-healthcare

View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison
