Your practice’s security perimeter now ends at your clinician’s home router
Part of the Telehealth & Healthcare Security Series. Risk assessment is a core component of the IDENTIFY function—understanding threats, vulnerabilities, and likelihood before you can protect against them. See also: The Compliance Trap | The Asset Inventory You Don’t Have | NIST CSF 2.0 Guide for Telehealth
A telehealth clinician conducts 15 virtual visits a day from her home office. Her home network also connects her teenager’s gaming PC, three smart speakers, a Ring doorbell, and a smart TV that hasn’t been updated in two years. All of these devices share the same network as her patient consultations.
She doesn’t think about it. Why would she? The practice told her to “use a secure connection,” and her home Wi-Fi has a password. That counts, right?
It doesn’t. Last month, her teenager downloaded a modded game file from a Discord server. The file contained an infostealer—a piece of malware designed to harvest credentials, browser sessions, and cached data from every device it can reach on the local network. Because the clinician’s work laptop sits on the same subnet as the gaming PC, the malware didn’t need to “hack” anything. It simply scanned the local network, found an open file share on the laptop, and exfiltrated the browser’s saved session cookies—including her active telehealth platform login and EHR portal access.
Nobody noticed for three weeks. By then, an attacker had accessed recordings of 47 patient sessions and downloaded clinical notes for over 200 patients. The breach didn’t start at the practice. It started at a home router that still had “admin/admin” as the login credentials.
A typical clinician’s home network has far more devices than most people realize. Below is a walkthrough of this clinician’s network—representative of most work-from-home clinicians. Devices marked with a warning indicator represent elevated risk.
Threat modeling doesn’t have to be complicated. At its core, it’s answering three questions: What can go wrong? How would it happen? and What can we do about it? For home-based telehealth, the entry points are well-known, the exploitation methods are documented, and the compensating controls are practical. The table below walks through the most common attack vectors for a clinician working from home.
| Entry Point | How It Could Be Exploited | Compensating Control |
|---|---|---|
| Home router (default credentials) | Attacker gains administrative access to the network, redirects DNS, intercepts traffic, or installs persistent backdoor on the router itself | Change default admin password to a strong unique passphrase, enable WPA3 encryption, update firmware to latest version, disable remote management |
| Shared family computer | Malware from gaming sites, pirated software, or phishing emails steals session tokens, cached credentials, and browser data accessible on the local network | Dedicated work device for clinical use; at minimum a separate user account with no admin privileges on the shared device |
| Smart home devices (IoT) | Compromised IoT device (smart TV, speaker, camera) used as a network pivot point to scan and attack other devices on the same subnet | Network segmentation—place IoT devices on a separate VLAN or the router’s guest network, isolating them from work devices |
| Unencrypted or weak Wi-Fi | Telehealth session intercepted by a nearby attacker using packet capture tools; WEP or open networks are trivially exploitable | WPA3 encryption (WPA2 minimum), strong Wi-Fi passphrase, VPN for all clinical sessions, disable WPS |
| Personal mobile device | Lost or stolen phone with cached patient data, saved login sessions, patient messaging apps, and EHR portal access | MDM enrollment, remote wipe capability, device encryption enabled, biometric lock with short timeout |
| Video/audio recording | Telehealth session recorded by compromised device, screen-capture malware, or nearby smart speaker; recordings exfiltrated or held for ransom | End-to-end encrypted telehealth platform, disable smart speakers in office during sessions, camera/microphone hygiene, verify platform recording settings |
Notice the pattern: every one of these entry points exists outside the practice’s traditional security perimeter. Your firewall, your endpoint detection, your email filtering—none of it reaches the clinician’s home. The home network is the gap between what your security program covers and where your patient data actually lives.
The good news is that most of these risks can be dramatically reduced with straightforward measures that don’t require an IT department to implement. Here are five controls that every practice should require—or at minimum, strongly guide—for any clinician conducting telehealth from home.
Use the router’s guest network or a dedicated VLAN for work devices. This is the single most impactful change a clinician can make. When work devices are on a separate network segment, a compromised gaming PC or smart TV cannot see, scan, or communicate with the work laptop—even though they’re connected to the same physical router.
Cost: $0. Time: 15 minutes. Impact: Isolates clinical traffic from every other device in the home.
Don’t use the family laptop for telehealth. A dedicated device—even an inexpensive Chromebook for basic telehealth platforms—dramatically reduces risk. A dedicated device means no personal browsing, no kids installing games, no shared credentials, and a clean attack surface. If the practice can’t provide one, a clearly separated user profile with no admin privileges is the minimum acceptable alternative.
Cost: $200–$500 for a basic device. Time: 1 hour to configure. Impact: Eliminates the most common infection vector—shared device contamination.
Change the default admin password. This sounds obvious, but studies consistently show that the majority of home routers still use factory credentials. Beyond the password: enable WPA3 (or WPA2 at minimum), update the router firmware, disable WPS (Wi-Fi Protected Setup—a known vulnerability), and disable UPnP (Universal Plug and Play—which allows devices to open ports without permission).
Cost: $0. Time: 20 minutes. Impact: Closes the most exploited entry point on home networks.
If the practice provides VPN access, use it for all clinical activities—not just when accessing the EHR. A VPN encrypts all traffic between the clinician’s device and the practice network, rendering local network interception useless. If the practice does not provide a VPN, verify that the telehealth platform provides true end-to-end encryption and that the clinician is not transmitting PHI through unencrypted channels like regular email or SMS.
Cost: Varies (many practices already have VPN infrastructure). Time: 10 minutes to configure. Impact: Encrypts all clinical traffic regardless of local network security.
Lock the screen when stepping away—even for 30 seconds. Use headphones for patient calls so PHI is not audible to household members. Ensure no smart speakers (Alexa, Google Home, Siri) are active in the room during telehealth sessions—these devices are always listening and transmitting audio to cloud servers. Position the screen so it is not visible from windows or doorways.
Cost: $0 (headphones: $20 if needed). Time: 5 minutes to configure. Impact: Prevents inadvertent PHI disclosure through physical and audio channels.
Patients are not security professionals, and we should not expect them to be. But a small amount of plain-language guidance—delivered before the first virtual visit—can significantly reduce patient-side risk. These recommendations are designed to be simple enough to print on a handout or include in a pre-visit email.
Don’t take telehealth calls in public—not at a coffee shop, not in a waiting room, not at your desk in an open office. Find a room where you can close the door. Use headphones so no one nearby can hear your provider’s questions or your answers. Your health information deserves the same privacy as an in-person visit.
Avoid shared or public computers for medical visits. A library computer, a friend’s tablet, or a workplace shared terminal may retain your login information, browsing history, or cached data after your session ends. Use your personal phone, tablet, or computer—a device only you use and control.
Make sure your phone or computer is running the latest software. Those update notifications you keep dismissing? Many of them patch security vulnerabilities that attackers actively exploit. Before your telehealth visit, check for and install any pending operating system and app updates.
Avoid public Wi-Fi for telehealth visits. Coffee shop Wi-Fi, hotel networks, and airport hotspots are not secure—traffic on these networks can be intercepted. Use your home Wi-Fi network or your phone’s cellular data connection instead. Cellular data is significantly more secure than most public Wi-Fi networks.
Minimize what’s running on your device during your visit. Close unnecessary browser tabs, messaging apps, and social media. This reduces the chance that another application could access your camera or microphone, and it ensures your telehealth session runs smoothly without interruptions.
Unless your provider explicitly says it’s OK, do not record your telehealth session—video or audio. Recording creates a copy of sensitive medical information on your device that may not be encrypted, may be backed up to a cloud service, and may be accessible to anyone who uses your phone or computer. If you need to remember instructions, ask your provider to send a written summary through the patient portal.
Two practical tools your practice can use immediately. The first is a hardening checklist for clinicians who work from home. The second is a patient-facing handout you can print and distribute before virtual visits.
Router default admin password changed to a strong, unique passphrase
Wi-Fi encryption set to WPA3 (or WPA2 as a minimum)
Router firmware updated to the latest version available from the manufacturer
Work devices on a separate network segment (guest network or dedicated VLAN)
Dedicated device for clinical work (not shared with family members)
Device encryption enabled (BitLocker on Windows, FileVault on Mac, device encryption on Chromebook)
VPN or end-to-end encryption verified for all telehealth and clinical activities
Auto-lock / screen timeout configured to 5 minutes or less
No smart speakers or voice assistants active in the home office during patient sessions
Headphones used for all patient calls to prevent audio disclosure
Print this section and provide it to patients before their first telehealth appointment.
Have you assessed the home network security of providers who conduct telehealth?
Do your clinicians use dedicated work devices for telehealth, or personal/family devices?
Have you provided patients with guidance on how to prepare for a secure virtual visit?
Do you know whether your telehealth platform provides end-to-end encryption?
Have you included home office security in your HIPAA risk assessment?
If a clinician’s home network were compromised tomorrow, would your incident response plan cover it?
If you hesitated on any of these, the risk your practice carries from home-based telehealth is larger than you’ve accounted for. The good news: every one of these gaps can be closed with practical, affordable controls.
National Institute of Standards and Technology. (2024). Cybersecurity framework 2.0. U.S. Department of Commerce. https://www.nist.gov/cyberframework
U.S. Department of Health and Human Services. (2013). HIPAA security rule: Security standards for the protection of electronic protected health information. 45 C.F.R. § 164.308–164.312. https://www.hhs.gov/hipaa/for-professionals/security/index.html
U.S. Department of Health and Human Services. (2024). Telehealth privacy and security tips for patients. https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html
Venuto, J. (2026). The compliance trap: Why ‘HIPAA compliant’ medical groups still get hacked. Hudson Valley CISO. https://www.hudsonvalleyciso.com/govern/gv-rm/hipaa_compliance_trap.html
Venuto, J. (2026). The telehealth asset inventory you don’t have (and why attackers love that). Hudson Valley CISO. https://www.hudsonvalleyciso.com/identify/id-am/telehealth_asset_inventory.html
Venuto, J. (2026). Why HIPAA compliance isn’t enough: A NIST CSF 2.0 guide for telehealth. Hudson Valley CISO. https://www.hudsonvalleyciso.com/govern/gv-rm/telehealth_nist_csf_hipaa_guide.html
Your clinicians’ home networks are your new perimeter. Make sure they’re defended.
We’ll evaluate your remote telehealth environment—clinician home office security, patient-side risk, platform encryption, and network exposure—and deliver actionable recommendations you can implement in a week.
Hudson Valley CISO
A Division of Security Medic Consulting
Fractional CISO Services | Risk Assessment | Healthcare Security