Why Healthcare Security is Stuck in 2005 And How Home Care Can Leapfrog Hospitals

In 2005 I was still explaining two-factor authentication like it was magic. Two decades later, hospital cybersecurity often feels frozen in that era. We’ve modernized scanners, ORs, and the revenue cycle—but the front door to patient data is still a decade behind. If you doubt it, consider this: in 2023 alone, entities reported 725 healthcare breaches to HHS, affecting 133+ million records—the worst year on record. The trend didn’t reverse in 2024. That’s not a blip; it’s a structural failure.
(Source: The HIPAA Journal)

What’s broken? In hospitals, security debt accumulates fast: sprawling EHRs, bolt-on scheduling tools, aging VPNs, and vendor access that never got deprovisioned. The attack surface is a patchwork quilt. Meanwhile, home-care operations—lean by necessity—can design a “zero-trust from day zero” posture. When I shadowed a Hallmark Homecare case manager last spring, her stack was boring in the best way: passwordless logins, device attestation, and per-session access to PHI. No shared logins, no mystery servers humming under a nurse’s station. That’s how you leapfrog.

Hospitals also mistake compliance for security. The HIPAA checklist is necessary, not sufficient. The UnitedHealth/Change Healthcare ransomware saga laid bare the stakes: nine days from initial access to ransomware detonation, with multifactor missing on a critical remote service. That single weakness rippled across claims, pharmacies, and small practices for weeks. If an ecosystem that centralized can topple from one missed control, then decentralization (done right) is part of the cure.
(Source: The Verge)

Home care can prove the model. Start with identity: go passwordless with FIDO2, which makes credential phishing materially harder. Adopt least-privilege at the record object—not just at the app role. Encrypt data where it lives and where it travels, and prefer short-lived tokens over static API keys. Crucially, build an incident muscle: tabletop exercises every quarter, not every few years. Treat ransomware like a tornado drill.

“But hospitals are bigger,” you say. True—and that’s the opening. Smaller home-care networks can implement modern guardrails faster than a 20-hospital system with 400 apps. Set the standard: hardware-backed MFA, device compliance checks, and access that expires by default. Show the outcomes and force the incumbents to follow.
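To make the "least privilege at the record object" and "access that expires by default" ideas from the two paragraphs above concrete, here is a toy Python model added for this post (not code from the post, from Hallmark Homecare, or from any vendor it names): each access token is scoped to one user, one patient record and an explicit action list, carries an expiry, and is HMAC-signed so a field app cannot widen its own grant. The signing key, user and record ids, and TTL are constructed placeholders, and the token format is a simplified stand-in for a real OAuth/JWT-style flow.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption: the key lives only on the authorization server, never on field devices.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user: str, record_id: str, actions, ttl_s: int, now=None) -> str:
    """Issue a per-session grant for ONE record and ONE action set that expires by default."""
    now = time.time() if now is None else now
    claims = {"sub": user, "rec": record_id, "act": sorted(actions), "exp": now + ttl_s}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def authorize(token: str, record_id: str, action: str, now=None):
    """Deny-by-default check run by the PHI service; returns (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"      # tampered claims (e.g. widened record scope)
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"            # the grant dies on its own; no revocation needed
    if claims["rec"] != record_id:
        return False, "wrong record"       # app role is irrelevant; the object is what matters
    if action not in claims["act"]:
        return False, "action not granted"
    return True, "ok"


if __name__ == "__main__":
    grant = mint_token("rn-42", "patient-1001", ["read"], ttl_s=900)
    print(authorize(grant, "patient-1001", "read"))   # (True, 'ok')
    print(authorize(grant, "patient-2002", "read"))   # (False, 'wrong record')
```

A static API key would answer "yes" to every record for as long as the key exists; this grant answers "yes" to one record, for one session, and then stops working.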

There’s also a dollars-and-sense argument. Healthcare spending climbed to $4.9 trillion in 2023; cybersecurity’s slice is tiny compared to breach fallout, downtime, and ransom costs. Funding a security refresh is not “extra”—it’s insurance on every clinical and financial process you run.
(Source: Centers for Medicare & Medicaid Services)

The headline no one writes: home care can be more secure because it’s simpler. When CareFortis rolled out remote wound-care visits, they made a controversial choice: no data persists on field devices—ever. Everything is streamed, signed, and logged in a hardened cloud with continuous audit. That constraint forced them to solve for offline workflows and smart caching, but it also made lost iPads boring. Security became a property of the system, not the vigilance of the user.

If 2005 was the age of perimeter firewalls and complex passwords, 2025 must be the age of identity-first, least-privilege care—especially outside the hospital walls. We won’t checklist our way out of this; we’ll design our way out. Home care doesn’t have to inherit the hospital’s security debt. It can leapfrog it.
