17-Step HIPAA Compliance Series
How to Secure Devices and Endpoints for HIPAA Compliance (Step 5 of 17)
Step 5: Protect ePHI at the device level — encrypt hardware, enforce mobile controls, and harden your HIPAA infrastructure.

Every unprotected device is a breach waiting to happen
A stolen laptop without full-disk encryption. A personal phone syncing practice email with no MDM policy. A workstation running Windows 10 three months past its last security patch. These are not theoretical risks — they are the actual causes behind the majority of HIPAA breaches affecting independent practices.
In Step 4, we secured the physical environment. This step — Step 5 of our 17-step HIPAA compliance roadmap — secures the devices themselves. The endpoints. The hardware that your staff uses every day to access, store, and transmit patient data.

Full-disk encryption: the non-negotiable baseline
Encryption is technically an "addressable" specification under the Security Rule — meaning you must implement it or document why an equivalent alternative is reasonable. In practice, there is no reasonable alternative to full-disk encryption on any device that stores or accesses ePHI.
Here is why: under the Breach Notification Rule, the loss or theft of a device containing encrypted ePHI is not a reportable breach if the encryption meets NIST standards. The loss of an unencrypted device is a reportable breach — full stop. You must notify every affected patient, report to HHS, and potentially to the media.
What to encrypt
- Workstation hard drives — Windows BitLocker, macOS FileVault. Both are built into the operating system and free.
- Laptops — every laptop that accesses ePHI, no exceptions. Laptops are the most commonly stolen device category in healthcare breaches.
- External drives and USB storage — if your practice uses removable media (and you should minimize this), they must be encrypted.
- Mobile devices — modern iOS and Android devices encrypt by default when a passcode is set. Verify this is active.
- Backups — encrypted backup drives and encrypted cloud backup services. An unencrypted backup is a copy of your entire patient database with no protection.
Verify encryption status
Do not assume encryption is active. Verify it. BitLocker can be disabled by an admin change. FileVault can fail to enable on new machines. Check every device on your inventory list and document the encryption status. This documentation serves double duty — it supports your risk assessment and provides evidence of compliance.
Mobile device management
Mobile devices are the fastest-growing attack surface in healthcare. Staff check EHR portals on their phones. Providers use tablets for charting. Text messages contain patient information. Without management controls, every personal device that touches PHI is uncontrolled territory.
BYOD: the uncomfortable reality
Most independent practices cannot afford to issue dedicated devices to every staff member. Bring Your Own Device is the default. That is not inherently a problem — but unmanaged BYOD is.
A BYOD policy must address:
- Device enrollment — which personal devices are approved for accessing ePHI, and what management capabilities the practice requires on those devices
- Passcode requirements — minimum length, complexity, biometric options
- Encryption verification — confirmation that device encryption is enabled
- App restrictions — which apps can access practice data, and whether practice data can be copied to personal apps
- Remote wipe capability — the practice must be able to wipe practice data from a device that is lost or stolen, or that belongs to a terminated employee, without destroying personal data
- Separation of data — containerization that keeps practice data isolated from personal apps and storage
- Exit procedures — what happens to practice data when an employee leaves
Mobile Device Management (MDM) solutions
For practices with more than a handful of mobile users, an MDM solution is worth the investment. MDM platforms allow you to:
- Enforce passcode and encryption policies remotely
- Push security updates and configurations
- Create a secure container for practice data
- Remote wipe the container if the device is lost or the employee departs
- Monitor device compliance status
The cost is typically $3-8 per device per month — trivial compared to the cost of a breach originating from an unmanaged device. Medical records are worth $280-310 each on the dark market — ten times the value of a credit card number.
Automatic lock and timeout
Every device that accesses ePHI must lock automatically after a period of inactivity. This is a Security Rule requirement (workstation security) and one of the simplest controls to implement.
- Workstations: 5-minute timeout is the standard. Configure via Group Policy (Windows) or Configuration Profile (macOS).
- Mobile devices: 2-minute timeout or less. Enable biometric unlock for convenience without sacrificing security.
- EHR sessions: Configure your EHR to time out independently of the device — most EHR platforms support session timeout settings.
Do not rely on staff to lock screens manually. They will forget. Automatic timeout eliminates the human variable.
Patch management
Unpatched software is one of the most exploited attack vectors in healthcare. The WannaCry ransomware attack that crippled healthcare organizations worldwide exploited a Windows vulnerability that had been patched two months earlier. Every organization that was hit had failed to apply the patch.
What needs patching
- Operating systems (Windows, macOS, Linux)
- EHR and practice management software
- Web browsers
- Email clients
- Plugins and extensions (PDF readers, Java, Flash — remove Flash entirely)
- Firmware on network devices (routers, firewalls, access points)
- Medical devices with software components
Patch cadence
- Critical security patches: Apply within 14 days of release. Sooner if the vulnerability is actively exploited.
- Standard updates: Apply within 30 days.
- Test before deploying to production: For EHR and critical systems, test patches in a non-production environment first if possible. For workstation OS patches, deploy to a pilot group before full rollout.
Automate where possible
Enable automatic updates on workstations and mobile devices. For servers and critical infrastructure, use a patch management tool that alerts you to available updates and tracks deployment status. Document your patching process and maintain records of what was patched and when.
Antimalware and endpoint protection
Every workstation and server must run current antimalware software. "Current" means the software is active, signatures are updated, and real-time scanning is enabled.
Modern endpoint protection goes beyond traditional antivirus:
- Behavioral detection — identifies threats by behavior patterns, not just known signatures
- Ransomware protection — monitors for mass file encryption and blocks it
- Web filtering — prevents access to known malicious sites
- Email scanning — catches phishing attachments and links before they reach the user
Free consumer antivirus is not sufficient for a HIPAA-covered practice. Invest in a business-grade endpoint protection platform that provides centralized management, alerting, and reporting.
Build a device inventory
You cannot secure what you have not inventoried. Maintain a current list of every device that accesses ePHI:
- Device type, make, model, serial number
- Assigned user
- Operating system and version
- Encryption status
- MDM enrollment status (for mobile devices)
- Last patch date
- Antimalware status
- Location
Review this inventory quarterly. Update it whenever devices are added, reassigned, or retired. This inventory feeds directly into your risk assessment and provides the foundation for every device-level control.
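One way to turn the inventory fields above and the 30-day patch cadence from the patch management section into a repeatable quarterly check, as an added example that is not part of the article: it flags any device that is not verified encrypted, any mobile device not enrolled in MDM, any workstation or laptop without active antimalware, and any device patched more than 30 days ago. The CSV layout, field names and sample records are assumptions constructed for this example.

```python
"""Device inventory compliance check (added example, not from the article).

Applies the Step 5 controls to inventory rows: encryption verified, MDM
enrollment for mobile devices, antimalware active on workstations/laptops,
and last patch date within the article's 30-day standard-update window.
The CSV columns and field names are assumptions for this example."""
import csv
import io
from datetime import date

PATCH_WINDOW_DAYS = 30            # standard updates within 30 days (article cadence)
MOBILE_TYPES = {"phone", "tablet"}

# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = """\
serial,type,user,os,encrypted,mdm_enrolled,last_patch,antimalware
WS-001,workstation,rfront,Windows 11,yes,n/a,2024-05-20,active
LT-002,laptop,jdoe,Windows 10,no,n/a,2024-05-28,active
PH-003,phone,jdoe,iOS 17,yes,no,2024-05-30,n/a
WS-004,workstation,billing,Windows 10,yes,n/a,2024-03-01,disabled
"""


def check_device(row, today):
    """Return the list of control failures for one inventory row."""
    findings = []
    # Anything other than a verified "yes" counts as unencrypted: do not assume.
    if row["encrypted"].strip().lower() != "yes":
        findings.append("encryption not enabled")
    is_mobile = row["type"].strip().lower() in MOBILE_TYPES
    if is_mobile and row["mdm_enrolled"].strip().lower() != "yes":
        findings.append("mobile device not MDM-enrolled")
    age = (today - date.fromisoformat(row["last_patch"])).days
    if age > PATCH_WINDOW_DAYS:
        findings.append(f"last patch {age} days ago (>{PATCH_WINDOW_DAYS})")
    if not is_mobile and row["antimalware"].strip().lower() != "active":
        findings.append("antimalware not active")
    return findings


def audit_inventory(csv_text, today_iso):
    """Map each device serial to its findings; compliant devices map to []."""
    today = date.fromisoformat(today_iso)
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["serial"]: check_device(row, today) for row in reader}


if __name__ == "__main__":
    for serial, findings in audit_inventory(SAMPLE_INVENTORY, "2024-06-01").items():
        print(f"{serial}: {'OK' if not findings else '; '.join(findings)}")
```

Export the report alongside the inventory each quarter; the dated output is the evidence of compliance the article says the inventory should provide.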
The endpoint security standard
Healthcare is the most targeted industry for cyberattacks, and independent practices are the most vulnerable segment. You do not have a dedicated security team. You do not have a SOC monitoring your network 24/7. What you can have is thorough endpoint hardening: every device encrypted, patched, managed, and monitored.
That is what separates a practice that survives a lost laptop from one that reports a breach affecting thousands of patients.
This is Step 5 of our 17-step HIPAA compliance roadmap. Previous: Step 4 — Lock Down Physical Access. Next: Step 6 — Enforce Access Controls.
