Compliance | March 9, 2026 | 9 min read

Cybersecurity for Home Care Agencies: Protecting Client Data in 2026

Jasmine M.

CareCade Foundation

Healthcare Is the #1 Target for Hackers

Healthcare data is worth 10-20x more than credit card data on the black market. Why? It contains everything needed for identity theft, insurance fraud, and medical fraud—all in one record.

Home care agencies are particularly vulnerable:

  • Smaller IT budgets than hospitals
  • Staff using personal devices
  • Data transmitted between homes, offices, and cloud
  • Less cybersecurity training than clinical settings

In 2025, healthcare cyberattacks increased 45% over the previous year. Small providers were hit hardest.

This isn't fear-mongering. It's reality. Here's how to protect your agency and clients.

The Regulatory Landscape

HIPAA Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to protect electronic Protected Health Information (ePHI).

Three safeguard categories:

Category        | What It Covers
Administrative  | Policies, procedures, training
Physical        | Device security, facility access
Technical       | Access controls, encryption, audit logs

Key requirements:

  • Risk assessment (at least annually)
  • Security policies and procedures
  • Employee training
  • Incident response plan
  • Business associate agreements

Penalties:

  • $100-50,000 per violation
  • Up to $1.5 million per year per category
  • Criminal penalties for willful neglect

State Requirements

Washington State has additional requirements:

  • Consumer data breach notification law
  • DSHS data handling requirements for Medicaid providers
  • Business and professions cybersecurity expectations

DSHS-specific: Agencies contracting with DSHS must meet IT security requirements, including:

  • Data encryption
  • Access controls
  • Incident reporting to DSHS
  • Regular security assessments

Common Threats to Home Care Agencies

1. Phishing

What it is: Fake emails that trick employees into revealing passwords or installing malware.

Why home care is vulnerable:

  • Staff may use personal email
  • Rushed schedules lead to quick clicks
  • Less formal IT training

Real example: Email appears to be from "DSHS" about reimbursement. Employee clicks link, enters credentials. Attacker now has access to agency systems.

Prevention:

  • Email filtering
  • Staff training on recognizing phishing
  • Multi-factor authentication (so stolen passwords aren't enough)
  • Verify unusual requests through separate channels
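The "DSHS reimbursement" scenario above comes down to a few checkable mismatches: a display name that borrows a trusted organisation's name while the address comes from elsewhere, a Reply-To pointing somewhere else again, a link whose visible text names one site while its href goes to another, and pressure wording. The script below is an added example (not part of the original article or of CareCade's software) that runs those checks over two constructed messages, one modelled on the scenario and one legitimate schedule notice; the trusted-domain list, the addresses and the pressure phrases are all assumptions chosen for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the agency expects legitimate mail from, mapped to the short
# organisation name staff would recognise in a display name (hypothetical values).
TRUSTED_DOMAINS = {"dshs.wa.gov": "dshs", "example-agency.org": "example-agency"}

# Wording commonly used to push staff into acting before they check.
PRESSURE_PHRASES = ("urgent", "verify your account", "within 24 hours",
                    "password", "suspended")


def _domain(address):
    """Return the lowercased domain part of an e-mail address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable warning signs found in one raw message."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)

    # 1. Display name uses a trusted organisation's name, but the address does not match.
    for domain, org in TRUSTED_DOMAINS.items():
        if org in display_name.lower() and sender_domain != domain:
            findings.append(f"display name mentions '{org}' but sender is @{sender_domain}")

    # 2. Replies are routed to a different domain than the one that sent the mail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append(f"Reply-To goes to @{_domain(reply_to)}, not @{sender_domain}")

    # 3. A link whose visible text names one host but whose href leads to another.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        href_host = (urlparse(href).hostname or "").lower()
        shown = text.strip()
        text_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
        if href_host and text_host and href_host != text_host:
            findings.append(f"link shows {text_host} but points to {href_host}")

    # 4. Pressure or credential wording in the subject or body.
    content = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in PRESSURE_PHRASES if p in content]
    if hits:
        findings.append("pressure/credential wording: " + ", ".join(hits))

    return findings


# Constructed sample modelled on the scenario in the text (all addresses invented).
PHISHING_SAMPLE = """\
From: "DSHS Reimbursement" <billing@dshs-payments.example>
Reply-To: <collect@mailbox.example>
To: scheduler@example-agency.org
Subject: URGENT: reimbursement on hold - verify your account
Content-Type: text/html

<p>Your reimbursement is on hold. Sign in at
<a href="http://dshs-payments.example/login">https://dshs.wa.gov/reimbursement</a>
within 24 hours to release payment.</p>
"""

# Constructed legitimate internal message for comparison.
LEGIT_SAMPLE = """\
From: "Agency Scheduler" <scheduler@example-agency.org>
To: aide@example-agency.org
Subject: Tuesday visit schedule
Content-Type: text/html

<p>Tuesday's schedule is posted at
<a href="https://example-agency.org/schedule">https://example-agency.org/schedule</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("phishing sample", PHISHING_SAMPLE), ("legitimate sample", LEGIT_SAMPLE)):
        print(label + ":", phishing_indicators(sample) or ["no indicators"])
```

None of these checks is proof on its own; the point for training is that the suspicious message trips all four while the routine one trips none, which is exactly the "verify unusual requests through a separate channel" rule from the list above turned into something a staff member can look for.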

2. Ransomware

What it is: Malware that encrypts your files, demanding payment to restore them.

Why home care is vulnerable:

  • Often lack good backups
  • Critical need for operational data
  • May be tempted to pay

Real example: Agency gets infected through phishing email. All client records, schedules, and billing data encrypted. Agency can't operate. Attackers demand $50,000 in Bitcoin.

Prevention:

  • Regular, tested backups (offline/offsite)
  • Endpoint protection software
  • Email security
  • Network segmentation
  • Incident response plan

3. Lost or Stolen Devices

What it is: Laptops, phones, or tablets containing ePHI are lost or stolen.

Why home care is vulnerable:

  • Caregivers use mobile devices in the field
  • Devices left in cars, public places
  • Personal devices may contain work data

Real example: Caregiver's laptop stolen from car. Contains client information for 200 clients. Now a reportable breach.

Prevention:

  • Full device encryption
  • Remote wipe capability
  • Strong passwords/biometrics
  • Policies against storing ePHI on personal devices
  • Mobile device management (MDM)

4. Insider Threats

What it is: Current or former employees misusing access.

Why home care is vulnerable:

  • High turnover means many former employees
  • Staff have legitimate access to sensitive data
  • Less formal access controls

Real example: Terminated employee still has system access. Downloads client list before leaving. Sells to competitor or uses for fraud.

Prevention:

  • Immediate access revocation on termination
  • Role-based access (minimum necessary)
  • Activity monitoring
  • Clear policies on data access

5. Unpatched Systems

What it is: Software with known vulnerabilities that haven't been updated.

Why home care is vulnerable:

  • No dedicated IT staff
  • Updates seen as disruptive
  • Old computers/software in use

Real example: Agency uses old version of Windows. Known vulnerability is exploited. Attacker gains access without any user action.

Prevention:

  • Automatic updates enabled
  • Regular patch management
  • Replace unsupported systems
  • Vulnerability scanning

Practical Security Measures

For the Office

Network security:

  • Business-grade firewall (not consumer router)
  • Separate network for guests
  • Encrypted WiFi (WPA3)
  • Network monitoring

Workstation security:

  • Antivirus/endpoint protection
  • Automatic updates enabled
  • Full disk encryption
  • Screen lock after inactivity
  • No shared logins

Physical security:

  • Locked doors
  • Secure server/network equipment
  • Clean desk policy
  • Visitor logging
  • Shred sensitive documents

For Remote/Field Staff

Mobile device requirements:

  • Device encryption required
  • Strong password/biometric
  • Remote wipe capability
  • Approved apps only
  • No public WiFi for sensitive work (use VPN)

Home office requirements:

  • Secure WiFi (not default password)
  • Private workspace when accessing ePHI
  • Locked storage for any paper documents

For All Staff

Authentication:

  • Strong, unique passwords (password manager recommended)
  • Multi-factor authentication (MFA) for all sensitive systems
  • No password sharing
  • Regular password changes for high-risk accounts

Training:

  • Initial security awareness training
  • Annual refresher training
  • Phishing simulation exercises
  • Clear reporting procedures for suspicious activity

Building Your Security Program

Step 1: Risk Assessment

HIPAA requires regular risk assessments. Document:

  1. What ePHI do you have?

    • Client records
    • Billing information
    • Employee health data
    • Communications
  2. Where is it stored/transmitted?

    • EMR/software systems
    • Email
    • Mobile devices
    • Paper records
  3. What are the threats?

    • External hackers
    • Malware
    • Lost devices
    • Employee error
    • Natural disasters
  4. What controls are in place?

    • Current protections
    • Gaps identified
  5. What's the risk level?

    • Likelihood × Impact = Risk
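The five steps above produce a risk register: each threat is tied to the ePHI asset it affects, the controls already in place and the gaps found, and is scored as Likelihood × Impact. The following is an added example (not from the original article or from CareCade) that carries the procedure through in code with a constructed register built from the threats named in this post. The five-point scales, the High/Medium/Low bands and the convention that each control in place lowers likelihood by one level are assumptions chosen for the illustration, not HIPAA requirements.

```python
from dataclasses import dataclass, field

# Five-point scales; the words are what an assessor writes in the register (assumed scales).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    threat: str                                     # step 3: what could happen
    asset: str                                      # steps 1-2: which ePHI, and where it lives
    likelihood: str                                 # step 5 input
    impact: str                                     # step 5 input
    controls: list = field(default_factory=list)    # step 4: protections in place
    gaps: list = field(default_factory=list)        # step 4: gaps identified

    def inherent_score(self):
        """Likelihood x Impact before crediting any controls."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        """Simplifying convention (an assumption of this example): every control in
        place lowers likelihood one level, never below 'rare'. Impact is left alone,
        because losing the same records costs the same however it happens."""
        reduced = max(1, LIKELIHOOD[self.likelihood] - len(self.controls))
        return reduced * IMPACT[self.impact]


def rating(score):
    """Map a 1-25 score onto three bands (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_register(risks):
    """Order the register so the largest remaining exposure is handled first."""
    return sorted(risks, key=lambda r: r.residual_score(), reverse=True)


def report(risks):
    """Plain-text register suitable for pasting into the risk assessment document."""
    lines = []
    for r in build_register(risks):
        lines.append(f"[{rating(r.residual_score()):6}] {r.threat} ({r.asset}): "
                     f"inherent {r.inherent_score()}, residual {r.residual_score()}")
        for g in r.gaps:
            lines.append(f"         gap: {g}")
    return "\n".join(lines)


# Constructed sample register using the threats listed in this post.
SAMPLE_RISKS = [
    Risk("Ransomware delivered by phishing", "EMR/scheduling system",
         "likely", "severe",
         controls=["email filtering"],
         gaps=["no tested offline backups", "no MFA on EMR logins"]),
    Risk("Lost or stolen caregiver laptop", "mobile devices",
         "possible", "major",
         controls=["screen lock"],
         gaps=["no full-disk encryption", "no remote wipe"]),
    Risk("Former employee retains system access", "EMR/scheduling system",
         "possible", "moderate",
         gaps=["no termination checklist for access revocation"]),
    Risk("Flood damages paper records", "paper records",
         "unlikely", "minor",
         controls=["locked cabinets"]),
]

if __name__ == "__main__":
    print(report(SAMPLE_RISKS))
```

Sorting by residual rather than inherent score is deliberate: the register exists to decide what to fix next, and the gaps listed under each entry become the action items for Step 2 and Step 3.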

Step 2: Policies and Procedures

Document your security practices:

Required policies:

  • Information security policy
  • Acceptable use policy
  • Mobile device policy
  • Password policy
  • Incident response plan
  • Business continuity plan
  • Data retention and disposal
  • Business associate agreements

Make them real:

  • Written in plain language
  • Actually followed
  • Regularly reviewed
  • Acknowledged by employees

Step 3: Technical Controls

Minimum requirements:

  • Encryption (in transit and at rest)
  • Multi-factor authentication
  • Regular backups (tested)
  • Antivirus/endpoint protection
  • Firewall
  • Automatic software updates
  • Access logging
  • Mobile device management

Step 4: Training

All employees need:

  • HIPAA privacy and security basics
  • How to recognize phishing
  • Password best practices
  • What to do if they suspect a problem
  • How to report incidents

Ongoing:

  • Annual refresher
  • Updates when threats change
  • Phishing simulations

Step 5: Incident Response

Have a plan before you need it:

  1. Detection: How will you know something happened?
  2. Containment: How will you stop it from spreading?
  3. Eradication: How will you remove the threat?
  4. Recovery: How will you restore operations?
  5. Lessons learned: How will you prevent recurrence?

Breach notification requirements:

  • HIPAA: Notify HHS and affected individuals within 60 days
  • Washington: Notify attorney general if >500 residents affected
  • Consider cyber insurance for response costs

Vendor Security

Choosing Secure Software

Questions to ask vendors:

  • Where is data stored? (USA? SOC 2 certified data center?)
  • Is data encrypted in transit and at rest?
  • What access controls are available?
  • How do you handle security incidents?
  • Do you have SOC 2 or HITRUST certification?
  • What's in your Business Associate Agreement?

Business Associate Agreements

HIPAA requires BAAs with any vendor that accesses ePHI:

  • EMR/EHR software
  • Billing services
  • IT support
  • Cloud storage
  • Answering services
  • Shredding companies

The BAA should specify:

  • How they'll protect data
  • What they'll do in case of breach
  • Your audit rights

Affordable Security for Small Agencies

Low-Cost/Free Tools

  • Password manager: Bitwarden (free tier), 1Password, LastPass
  • MFA: Google Authenticator (free), Microsoft Authenticator (free)
  • Encryption: Built into Windows (BitLocker), Mac (FileVault)
  • Backup: Microsoft 365/Google Workspace include cloud backup
  • Antivirus: Windows Defender (included), Malwarebytes (free tier)

What's Worth Paying For

  • Cyber insurance: Covers breach response costs (~$1,000-3,000/year for small agencies)
  • MDM solution: If staff use mobile devices extensively (~$5-15/user/month)
  • Security training platform: For automated, tracked training (~$25-50/user/year)
  • Managed IT security: If no internal IT expertise (~$100-300/month)

ROI of Security

Cost of breach:

  • Average healthcare breach: $10.9 million
  • Small practice breach: $100,000-500,000 (fines, notification, remediation, reputation)
  • Operational downtime: Potentially catastrophic

Cost of prevention:

  • Security software: $2,000-10,000/year
  • Training: $1,000-3,000/year
  • Risk assessment: $2,000-5,000

Prevention is significantly cheaper than response.

Red Flags You're Vulnerable

  • No documented security policies
  • Staff share passwords
  • No multi-factor authentication
  • Backups not tested (or don't exist)
  • Personal devices access ePHI without controls
  • No security training for staff
  • Using Windows 7 or other unsupported systems
  • No business associate agreements with vendors
  • "We're too small to be targeted" mentality

If several of these apply to your agency, prioritize addressing them.

Getting Help

HIPAA Resources

Washington Resources

Professional Help

Consider engaging:

  • Healthcare IT consultants
  • HIPAA compliance specialists
  • Managed Security Service Providers (MSSPs)
  • Cyber insurance brokers

Quick Start Checklist

If you're starting from scratch, prioritize:

  1. Enable multi-factor authentication on all systems
  2. Set up automatic backups and test them
  3. Encrypt all devices (computers and phones)
  4. Conduct basic security training for all staff
  5. Document your policies (even simple ones)
  6. Review vendor agreements for BAAs
  7. Create incident response contact list

You don't need to be perfect. You need to be better than yesterday.

