Skip to content
Cyber Replay logo CYBERREPLAY.COM
Book a Call
Back to all articles
Security Operations 14 min read Published Apr 16, 2026 Updated Apr 16, 2026

Nursing Homes Checklist for Security Teams: Practical Cybersecurity Controls and Response Playbook

Practical nursing homes checklist for security teams - step-by-step controls, incident playbook, and measurable outcomes to reduce risk and downtime.

By CyberReplay Security Team

Nursing Homes Checklist for Security Teams

TL;DR: Implement this focused nursing homes checklist to reduce common attack vectors, shorten detection and containment times, and protect resident care systems. Start with asset inventory, patching, multi-factor authentication, network segmentation, and a tested incident response playbook - these five steps cut remediation time and service downtime dramatically when enforced.

Table of contents

Problem and stakes

Nursing homes operate both health data and direct resident care systems. A cyber incident can stop electronic health records, disrupt medication pumps, and force manual workflows that increase clinical risk and regulatory exposure. The cost of inaction is concrete:

  • Clinical downtime - loss of EHR access delays medication administration and billing workflows, increasing risk and overtime costs.
  • Regulatory fines - HIPAA enforcement and state regulators may assess penalties for breaches of protected health information. See HHS enforcement guidance for details. HHS OCR guidance.
  • Business disruption - ransomware and extortion events can suspend operations and force relocations. The FBI and CISA continue to report health sector targeting. CISA ransomware guidance

This checklist focuses on rapid, measurable risk reduction for long-term care facilities - not abstract best practices. Follow the steps in order: inventory, patching, identity, segmentation, monitoring, and a tested response plan.

Quick answer - immediate priorities

If you only have time for five actions this week, do these and document them:

  1. Create a complete asset inventory (medical devices, workstations, EHR servers, network gear) - goal: 100% coverage within 7 days.
  2. Enforce multi-factor authentication for all staff accounts that access clinical systems.
  3. Apply critical security patches to EHR servers and internet-facing systems; schedule staged patching for devices that cannot be patched immediately.
  4. Segment networks so medical devices are on a separate VLAN with strict ACLs to the internet.
  5. Activate 24-7 monitored logging or MDR if you cannot provide continuous SOC coverage.

Expected outcomes within 30 days when these are implemented correctly: reduced attack surface by removing direct internet exposure, faster detection (MDR shortens detection time from weeks to hours), and fewer days of EHR downtime during incidents.

For an assessment and operational help, consider a managed option such as CyberReplay’s managed services: https://cyberreplay.com/managed-security-service-provider/ and for incident support see https://cyberreplay.com/help-ive-been-hacked/.

Who this checklist is for

  • IT and security teams in skilled nursing facilities, assisted living, and long-term acute care hospitals.
  • Administrators who must balance clinical uptime, regulatory compliance, and limited budgets.
  • Security vendors and MSSPs preparing assessments or proposals for nursing homes.

Not for: device vendors or individual endpoint users who lack enterprise oversight. This checklist assumes an organizational IT owner and a governance sponsor.

Definitions and scope

  • EHR: Electronic health record system used for charting and medication orders.
  • Clinical device: Any networked medical device with firmware - infusion pumps, telemetry monitors, smart beds.
  • MDR: Managed detection and response. 24-7 monitoring and triage provided by a third party.
  • MSSP: Managed security service provider. Offers monitoring, patch management, and compliance support.

This checklist covers network, identity, patching, monitoring, backups, and incident response. It does not replace vendor-specific medical device safety procedures. Coordinate with clinical engineering when changing device networks.

Top 10 controls - operational checklist

Use this as your high-level nursing homes checklist for leadership reporting. Each item has a measurable target.

  1. Asset inventory and classification

    • Target: 100% discovery of networked assets within 7 days.
    • Method: Use network discovery + agent-based inventory for workstations. Maintain an inventory CSV with device owner, location, OS/firmware, and clinical impact rating.

  2. Patch and configuration management

    • Target: Critical patches applied within 7 days; high-severity within 14 days.
    • Method: Prioritize EHR servers, gateway firewalls, and internet-facing devices.

  3. Identity and access controls

    • Target: 100% of administrative accounts protected with MFA; least-privilege enforced for clinical apps.
    • Method: Implement MFA (prefer hardware or FIDO2 where possible) and role-based access.

  4. Network segmentation and ACLs

    • Target: Medical devices isolated with no direct internet access; EHR servers limited to specific clinician subnets.
    • Method: VLANs, firewall rules, and deny-by-default ACLs.

  5. Backup and recovery validation

    • Target: Daily incremental backups; weekly full backups; quarterly restore test.
    • Method: Offline or immutable backups for EHR and critical configs. Log restore time and data integrity.

  6. Logging and 24-7 monitoring

    • Target: Centralized logging with 90-day retention; 24-7 alerting via SIEM or MDR.
    • Method: Forward logs from firewalls, EHR servers, domain controllers, and VPN appliances.

  7. Vulnerability scanning and remediation tracking

    • Target: Monthly scans; tracked remediation SLAs for critical findings.
    • Method: Authenticated scans for servers and network scans for devices.

  8. Secure remote access

    • Target: No direct RDP to servers from the internet; VPN with MFA or jump-hosts only.
    • Method: Use managed remote access solutions; log all remote sessions.

  9. Vendor and patch lifecycle management for medical devices

    • Target: Documented firmware versions for each device; contact vendor for unsupported items.
    • Method: If vendor firmware is end-of-life, add to replacement plan and increase compensating controls.

  10. Incident response plan and tabletop exercises

  • Target: Full incident response checklist live and tested quarterly.
  • Method: Run scenario-based tabletop exercises that include clinical leadership and legal.

Technical checklist - configurations and commands

These are specific, repeatable checks your security team can run. Replace placeholders with your environment values.

  • Verify domain controllers and EHR servers have current patches and recent backups:
# Powershell example: list last Windows update install date for servers
$servers = Get-Content -Path .\servers.txt
foreach ($s in $servers) {
  Get-HotFix -ComputerName $s | Sort-Object InstalledOn -Descending | Select-Object -First 1 | Format-Table PSComputerName, Description, InstalledOn
}
  • Confirm MFA enforcement for all privileged groups (example for Azure AD):
# AzureAD example to list users without MFA enforced (requires MSOnline or AzureAD module)
Install-Module MSOnline -Force
Connect-MsolService
Get-MsolUser -All | Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 } | Select UserPrincipalName
  • Validate firewall ACLs block direct device internet access:
# Example pseudo-commands for a firewall check
show access-list | include medical-vlan
# Expect: deny ip medical-vlan any eq 80
# Expect: deny ip medical-vlan any eq 443
# Expect: permit to EHR server range only
  • Verify backups are immutable or offline and test restore window:
Test-restore procedure:
1. Select dataset from last full backup
2. Restore to isolated test environment
3. Confirm EHR service starts and sample patient record is intact
4. Measure restore time and log result

Network and device segmentation template

Segmentation reduces lateral movement and isolates clinical risk. Use this template to set VLANs and firewall zones.

  • VLAN 10 - Management: RMM, admin workstations, jump servers
  • VLAN 20 - Clinical staff: nurse workstations, EHR client apps
  • VLAN 30 - Medical devices: infusion pumps, monitors (deny internet)
  • VLAN 40 - Guest wifi: internet-only, captive portal
  • Firewall rules examples:
    • Allow VLAN 20 -> VLAN 10 on ports 22, 3389 only to jump-hosts
    • Allow VLAN 20 -> VLAN 50 (EHR servers) on app ports 443/8443/SQL as needed
    • Deny VLAN 30 -> Internet:80,443
    • Allow VLAN 30 -> VLAN 50 on specific ports to the EHR server only

Document every rule in a change log and require clinical engineering signoff before modifying device connectivity.

Incident playbook - contain, recover, communicate

A short, practical incident response workflow nursing homes can follow in the first 24 hours of a suspected compromise.

  1. Identification and triage (0-2 hours)

    • Trigger: unusual EHR behavior, ransom note, or detection alert.
    • Action: record time, affected systems, initial indicators, and isolate suspected endpoints from the network.

  2. Containment (2-8 hours)

    • Short-term: disconnect infected hosts from the network but keep them powered on for forensics.
    • Network: apply firewall ACLs to isolate EHR servers from user workstations if needed.
    • External: disable remote access paths that may be abused.

  3. Evidence preservation (2-12 hours)

    • Capture disk images or forensic snapshots; collect logs from firewalls, VPN gateways, and EHR application logs.

  4. Communication and legal reporting (2-24 hours)

  5. Eradication and recovery (24-72 hours)

    • Restore EHR from validated backups to isolated environment then reconnect incrementally and validate clinical workflows.
    • Replace or rebuild compromised systems; rotate keys and passwords.

  6. Post-incident review and hardening (72 hours - 30 days)

    • Conduct root cause analysis and implement control changes to prevent recurrence.
    • Run a tabletop and update playbooks.

Sample checklist to run during containment:

  • Document scope and indicators
  • Isolate endpoints but preserve forensics
  • Snapshot and collect logs
  • Notify legal and regulators if PHI is involved
  • Stand up temporary clinical workflows and log manual entries
  • Begin restore from immutable backups

When in doubt, call immediate external help. For incident response support see: https://cyberreplay.com/help-ive-been-hacked/.

Proof scenarios and quantified outcomes

These scenarios show how the checklist plays out and the measurable benefits to a facility.

Scenario A - Ransomware hits a facility with no segmentation

  • Inputs: EHR and clinical devices on the same flat network, no central logging, manual backups daily
  • Attack: ransomware encrypts 75% of workstations and parts of EHR data store
  • Outcome without controls: 5 days of partial outages, estimated overtime and agency nursing costs $150k, regulatory reporting and vendor recovery fees $80k

Scenario B - Same facility after implementing core checklist

  • Inputs: network segmentation, immutable backups, MDR with 24-7 alerts, MFA for admin accounts
  • Attack: ransomware executed on one workstation but contained by MDR and network ACLs
  • Outcome with controls: detection within 3 hours, containment in 6 hours, no EHR data lost, total downtime <8 hours, estimated cost avoided >$200k

Typical operational improvements when facilities adopt baseline controls and MDR:

  • Mean time to detect reduces from weeks to under 24 hours in many engagements.
  • Recovery time for EHR from immutable backups can drop from multiple days to under 8 hours when backups are properly tested.
  • Segmentation often prevents device compromise from spreading beyond the initial host, lowering remediation scope by 60-90%.

Sources: CISA and HHS provide sector guidance on reducing ransomware impact and preserving evidence. See CISA ransomware guidance: https://www.cisa.gov/ransomware and NIST incident response guidance: https://www.nist.gov/publications/guide-computer-security-incident-handling.

Common objections and answers

Objection: “We lack budget for MDR and can not staff a 24-7 SOC.”

  • Answer: Prioritize controls that lower the probability of large incidents first - asset inventory, segmentation, MFA, and immutable backups. Then implement targeted MDR for critical assets (EHR, domain controllers) while you plan budget for full coverage.

Objection: “Our medical devices cannot be patched or taken offline.”

  • Answer: Use compensating controls: isolate devices on a locked VLAN with no internet access, limit inbound connections to a small set of management hosts, and maintain vendor support contracts for emergency firmware.

Objection: “Testing backups will disrupt clinical operations.”

  • Answer: Schedule restores to a parallel test environment and validate using sample patient records. A quarterly test minimizes risk and proves recoverability - the cost of not testing is unknown downtime during an incident.

If you use third-party packages or software - npm policy

If your IT stack includes node.js or npm packages for integrations or custom apps, enforce this policy:

  • Do not adopt new npm packages or versions that are less than 14 days old for routine production use.
  • Exceptions: urgent security fixes may be applied earlier only under a documented break-glass approval process that includes dependency scanning, test-validation, and rollback instructions.

Document approvals and validation steps for any exception. This reduces supply-chain risk and avoids integrating packages that may be pulled or patched immediately after release.

References

What should we do next?

  1. Run a 7-day asset discovery sprint to identify gaps and tag critical EHR assets.
  2. Enforce MFA for all administrative and remote access accounts this week.
  3. If you do not have 24-7 monitoring, schedule an MDR assessment to cover EHR and domain controllers or request incident response support for immediate containment.

If you want a short, actionable briefing, book a 15-minute assessment and we will map your top risks and a 30-day execution plan.

How much does this cost and how fast can we implement?

Estimated timing and rough cost ranges for planning purposes only:

  • Asset inventory and segmentation plan: 1-2 weeks; internal cost $2k-10k depending on tooling. Outsourced assessment $6k-20k.
  • MFA rollout for administrative accounts: 1 week; tool cost $0-10/user/month depending on vendor.
  • Immutable backups and restore testing: 2-4 weeks to implement and validate; backup solution cost varies - expect $5k-30k initial depending on scale.
  • MDR coverage for critical systems: onboarding 1-3 weeks; monthly managed cost typically ranges $2k-10k depending on assets and SLAs.

Budget decisions should be tied to business outcomes: reduced downtime, fewer overtime hours for staff, and lower regulatory risk.

Can we run this with current staff?

Yes, if you prioritize and sequence controls. Use this rollout order for limited staff:

  1. Asset discovery and classification - run network scans and collect device lists.
  2. MFA for admin accounts - small scope, high impact.
  3. Segmentation design and temporary ACLs to limit device exposure.
  4. Contract an MSSP/MDR for 24-7 monitoring and triage while internal staff refine patching and backups.

If staff are already stretched, outsource detection and incident response first to reduce time-to-detect and contain. External providers can reduce your operational burden and contractually commit to response SLAs.

How to test the checklist

  • Monthly: Run vulnerability scans and verify remediation tickets are created.
  • Quarterly: Restore critical backups to a test environment and confirm EHR functionality.
  • Biannually: Full tabletop incident exercises with clinical staff and legal to validate communication paths and decision authority.

Measure KPIs: mean time to detect, mean time to contain, restore time for EHR, number of unsupported devices, and percentage of accounts with MFA.

Get your free security assessment

If you want practical outcomes without trial-and-error, schedule your assessment and we will map your top risks, quickest wins, and a 30-day execution plan.

Start with an asset discovery sprint and immediate MFA enforcement. If in-house 24-7 monitoring is not possible, engage a managed detection service to cover your EHR and domain controllers. For an actionable assessment aligned to long-term care operations and compliance, consider scheduling an MDR/MSSP assessment or an incident readiness review: https://cyberreplay.com/managed-security-service-provider/.

Implementing this nursing homes checklist will materially reduce exposure, shorten incident lifecycles, and protect resident care services while keeping regulatory risk manageable.

When this matters

Use this checklist when any of the following apply:

  • You are managing an EHR migration, new clinical device rollout, or vendor remote-maintenance program where unknown devices may touch the network.
  • You have limited IT staff or no 24-7 monitoring and must prioritize controls that reduce incident scope quickly.
  • You are preparing for a compliance review or responding to a near miss such as a phishing campaign or unexplained EHR outages.
  • You operate older or unsupported medical devices that cannot be patched and need compensating controls.

If one or more of these apply, run the asset discovery sprint and segment clinical devices first to reduce immediate risk.

Common mistakes

  • Incomplete asset inventories. Teams assume visibility but miss networked medical gear. Fix: run both agent-based and network discovery, and tag owners and clinical impact.
  • Treating medical devices like regular workstations. Many devices have limited patching options. Fix: isolate devices on a locked VLAN, limit management to jump hosts, and coordinate changes with clinical engineering.
  • Backups that are not immutable or tested. Backup jobs alone are not enough. Fix: implement immutable or offline backups and perform restore tests quarterly.
  • Allowing direct remote access. Exposed RDP or vendor tunnels increase risk. Fix: use VPN with MFA or secure jump-hosts and log all sessions.
  • Skipping tabletop exercises. Plans that are not practiced fail under pressure. Fix: run scenario-based tabletop exercises with clinical, legal, and executive participation.

FAQ

Q: How fast should we apply critical patches to EHR and server infrastructure?

A: Apply critical security patches within 7 days and high-severity fixes within 14 days where possible. For devices that cannot be patched, use compensating controls and document the replacement plan.

Q: Can we isolate medical devices without disrupting patient care?

A: Yes. Work with clinical engineering to move devices to a locked VLAN, restrict internet access, and enable only the minimum ports to EHR servers. Test connectivity and workflows during a maintenance window.

Q: What if we find unsupported or end-of-life devices?

A: Treat them as high risk. Isolate them, limit management access, and prioritize replacement or vendor support contracts. Track unsupported devices in your risk register and schedule replacements.