SHIN-NY Readiness Checklist
7 security domains. 43 control items. Use this checklist to assess your agency's compliance posture and identify gaps before your next SHIN-NY review.
This checklist covers all 7 SHIN-NY cybersecurity domains aligned to the NIST CSF framework. Each item maps to a specific NYS DOH requirement.
Network Security & Infrastructure
- Business-grade firewall installed, configured, and regularly updated
- Network segmented to isolate clinical/admin systems from guest Wi-Fi
- All remote access uses VPN and MFA; no open RDP exposed to the internet
- Wireless networks use WPA3 or WPA2-Enterprise encryption
- Patch management process in place; OS and software updates applied within 30 days
- Vulnerability scans conducted at minimum annually
- Penetration test or third-party risk assessment conducted within 12 months
Identity & Access Management
- Multi-factor authentication (MFA) enabled for all staff accounts
- Role-based access controls in place; staff only access systems they need
- Shared/generic user accounts eliminated or tightly controlled
- Privileged/admin accounts are separate from day-to-day accounts
- Offboarding checklist includes same-day credential revocation
- Password policy enforces length ≥ 12 characters with complexity requirements
- Single Sign-On (SSO) used for clinical applications where supported
Email Security & Phishing Prevention
- DMARC, DKIM, and SPF records configured and enforced for your domain
- Advanced anti-phishing and anti-spam filtering in place (not just basic spam filters)
- Business Email Compromise (BEC) detection enabled
- Email encryption available for sending PHI outside the organization
- External email warning banners applied to all inbound messages
- Phishing simulation exercises conducted at least annually
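Added example, not part of the ShieldForce checklist, for the "DMARC, DKIM, and SPF records configured and enforced" item: a small checker that decides whether a domain's SPF and DMARC TXT records actually enforce a policy rather than merely exist (p=none or a partial pct= is monitoring, not enforcement). The records below are constructed samples; in practice fetch them with `dig TXT <domain>` and `dig TXT _dmarc.<domain>`. DKIM is left out because its selector names vary by mail provider.

```python
# Added example, not part of the ShieldForce checklist: decides whether the
# published SPF and DMARC TXT records actually *enforce* a policy, as the
# "configured and enforced" item requires, rather than just being present.

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforcing(txt: str) -> tuple:
    """True only if DMARC tells receivers to act on failures for all mail."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False, "missing or malformed v=DMARC1 tag"
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        return False, f"p={policy or 'absent'} is monitoring only, not enforcement"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return False, f"pct={pct} applies the policy to only part of failing mail"
    return True, f"enforcing (p={policy})"

def spf_enforcing(txt: str) -> tuple:
    """True if the SPF record ends with a qualifier that fails unknown senders."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "not an SPF record"
    last = terms[-1].lower()
    if last == "-all":
        return True, "hard fail (-all)"
    if last == "~all":
        return True, "soft fail (~all); rely on DMARC to quarantine or reject"
    return False, f"ends with '{last}', so spoofed mail is never rejected"

def assess(spf_txt: str, dmarc_txt: str) -> tuple:
    """Return (passes_checklist_item, findings) for one domain's records."""
    spf_ok, spf_note = spf_enforcing(spf_txt)
    dmarc_ok, dmarc_note = dmarc_enforcing(dmarc_txt)
    return spf_ok and dmarc_ok, [f"SPF: {spf_note}", f"DMARC: {dmarc_note}"]

# Constructed sample records (not real domains): one pass and two common gaps.
SAMPLE_RECORDS = {
    "agency-good.example": ("v=spf1 include:spf.protection.outlook.com -all", "v=DMARC1; p=reject; rua=mailto:dmarc@agency-good.example"),
    "agency-monitor.example": ("v=spf1 include:spf.protection.outlook.com ~all", "v=DMARC1; p=none; rua=mailto:dmarc@agency-monitor.example"),
    "agency-partial.example": ("v=spf1 ip4:203.0.113.10 ?all", "v=DMARC1; p=quarantine; pct=25"),
}
```

Running `assess(*SAMPLE_RECORDS[domain])` for each sample shows only the first domain passing; the other two are the monitoring-only and partial-rollout gaps that a reviewer will flag.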
Data Protection & Backup Readiness
- All patient/clinical data encrypted at rest and in transit
- Automated backups run daily and stored offsite or in cloud storage
- Backup restoration tested at minimum annually; RTO/RPO documented
- Backups are immutable or offline; protected from ransomware encryption
- Business Continuity Plan (BCP) written and reviewed annually
- Data retention and destruction policy documented and followed
Security Policies & Documentation
- Cybersecurity Policies and Procedures (CSPP) document written and in use
- CSPP reviewed and updated at least annually
- Written Information Security Policy (WISP) aligns with HIPAA Security Rule
- Incident Response Plan (IRP) documented with defined roles and escalation chain
- Business Associate Agreements (BAAs) in place with all vendors accessing ePHI
- Annual risk assessment completed and documented
- Cybersecurity insurance coverage in place (verify SHIN-NY minimum if applicable)
Staff Security Awareness Training
- All staff complete security awareness training at onboarding
- Annual refresher training covers phishing, password hygiene, device policies
- Role-specific training provided to clinical, administrative, and IT staff
- Training attendance and completion tracked and documented
- Social engineering/phishing simulation results used to drive training focus
Ongoing Monitoring & Incident Detection
- Security activity logs collected from all systems that access SHIN-NY
- Log retention meets NYS DOH minimum requirements (typically 6–12 months)
- Alerts configured for anomalous logins, access, and data exfiltration
- A named person (or ShieldForce) is responsible for reviewing alerts
- Breach notification procedure defined; chain from agency → NYeC → NYS DOH
- Post-incident review process documented to prevent recurrence
Found Gaps in Your Checklist?
Most home healthcare agencies have gaps in 3–5 of these domains, especially logging, CSPP documentation, and MFA. ShieldForce closes them all.
Managed Endpoint & Network
We deploy and manage firewall, EDR, patch management, and VPN, so you never miss an update.
CSPP & Policy Documentation
We write your CSPP, IRP, and BCP from a SHIN-NY-aligned template, then review them annually.
MFA + Identity Management
We enforce MFA across Microsoft 365, clinical apps, and remote access and handle onboarding/offboarding.
Not sure where your agency stands?
Schedule a free 30-minute SHIN-NY gap assessment. We'll walk through this checklist together and show you exactly what ShieldForce handles, starting at $35/user/month.
