2021 HME Business Handbook: Software/IT

Evaluating Protocols For Secure, Anywhere Access

There are a lot of trends driving remote patient and staff connectivity, but it is essential that providers maintain data security. Here are measures your HME business can implement.

The age of remote work is upon us. While most HME staff have returned to work in person, many are maintaining some level of flexibility for remote access. With this, it’s time to re-evaluate policies put in place during the pandemic and establish a sustainable, long-term plan that adjusts and reinforces your security protocols for every work environment.

Recent headlines of ransomware attacks are stark reminders of how important it is to secure a business’s data. With the U.S. Department of Health and Human Services (HHS) reporting more than 600 significant breaches in 2020, up from roughly 500 in the previous year, data breaches of healthcare organizations are becoming more prevalent year after year. And while over two-thirds of last year’s breaches were considered “hacking incidents,” a significant number of unauthorized disclosures were reported along with a handful of lost or stolen unencrypted computing devices.

In today’s digital world, patients have high expectations that their personal information is safe and protected. A business that fails to secure its data would not only be reportable to CMS and at risk for penalties; it also risks losing the trust of its patients and partners.

If the most important part of healthcare is providing care, a close second is caring for patient data, including their protected health information, personally identifiable information, and credit card or payment card industry data. Here are measures to ensure your business is protected from cybersecurity attacks whether working in person, at home or somewhere in between:


Provide adequate training for employees on common tricks from threat actors, such as socially engineered and phishing attacks. Reinforce that knowledge by practicing key events and running through scenarios with your leadership and security teams. You need to understand your team’s weaknesses and vulnerabilities so you know where you can improve.


Once you know where you need to improve, consult with professionals who can teach those specialized skills with activities like penetration testing, which is required if you collect credit card information through your website, and information lifecycle management, which ensures various types of data, including patient, financial, and marketing data, are properly protected.


Ensure secure visibility across all digital infrastructures, from servers and employee computers to firewalls and virtual private networks, or VPNs. Computers and other access points to data should automatically lock after 10 to 20 minutes of inactivity. Information retention policies should be updated to include the discussion and disposal of confidential information at shared locations and around others. Physical buildings should also be secured with card key access, and robotic systems, like cameras and HVAC computerized control systems, should be monitored by your security team.


It’s not enough to ensure your data system is protected. Your system is just as vulnerable to an attack if your outside partners do not also have adequate security protocols in place. Communicate with your partners to make sure they have a robust security program and monitor all “backdoor” access they have into your system.


Stay up to date on relevant federal and state laws regarding the storage of employee and customer information, especially for health data protected under the Health Insurance Portability and Accountability Act of 1996, which has more stringent standards. States like California have specific regulations, like the California Consumer Privacy Act, that are important to be aware of as well.

As you connect more with patients and other providers, you must proactively monitor and protect your employee and patient data. While the pivot to hybrid work environments highlights new needs in data access, it is just as important to hammer down the basics of the physical and digital security of your business and that of your partners.


  • Having a robust security program means both physical and digital protection — make sure there is no “backdoor” access to your building or your data.
  • Learning and practicing is the key to knowing your organization’s security inside and out — know where you need help and call on experts for guidance.
  • “Sharing is caring” is a great policy for a strong partnership — communicate with your partners and make sure both your data systems are secure.


To read more articles about IT for HME businesses, visit hme-business.com/software, and to learn more about secure business management solutions, visit www.brightree.com.

This article originally appeared in the May/Jun 2021 issue of HME Business.

About the Author

Jerry Dennany is Chief Technology Officer at Brightree, where he leads the research and development and IT functions across the company’s portfolio of cloud-based post-acute care solutions. He has more than 20 years of technology leadership experience. Reach him via email at jdennany@brightree.com.
