High-Performance EMS: Cybersecurity

Where do the threats lie, and how can we protect against them?

This is the seventh in a yearlong series of articles developed by the Academy of International Mobile Healthcare Integration (AIMHI) to help educate EMS agencies on the hallmarks and attributes of high-performance/high-value EMS system design and operation. For more on AIMHI, visit www.aimhi.mobi.

High-performance, high-value EMS agencies routinely collect and analyze data. Data helps drive decisions that make the agency more clinically proficient, operationally effective and fiscally efficient. But collecting and mining data comes with inherent risk for security breaches that could compromise an organization and the patients it serves.

Frank Gresh is one of the most knowledgeable cyberminds in EMS. His agency, the Emergency Medical Services Authority (EMSA) in Tulsa and Oklahoma City, Okla., has done outstanding work establishing and maintaining excellent cybersecurity practices. In his role as EMSA’s chief information officer (CIO), Gresh is responsible for all aspects of technology, including computer systems, radio systems, clinical technology and more. He has been involved in EMS for more than 32 years, starting as an EMT in Pinellas County, Fla., then working through the ranks and serving in leadership roles for other services around the country before arriving at EMSA. Gresh has a bachelor’s degree in business management and a master’s in computer information systems. This interview taps his knowledge after years of dealing with bits and bytes.

Why is this subject important?

First and most important, if we fail to keep our data safe and secure, we fail the people who rely on our service. High-performance, high-value EMS agencies use data and cybersystems for system deployment, dynamic resource management, computer-aided dispatch, and billing and revenue cycle management. Not to be melodramatic, but frankly, if our computer systems fail, people could die. Consequently we must have highly reliable, bulletproof systems in place to assure 99.99% reliability.

Second, none of us look good in an orange jumpsuit. If we fail to employ due diligence to secure protected health information and that results in a security breach, we can be held liable for criminal and civil penalties, not to mention the damage to our agency’s reputation. The maximum criminal penalty is $10,000 for each breached record, which could add up very quickly if 20,000 to 30,000 records are breached. Additionally, you may have to pay for credit monitoring for up to a year at a cost of $3,000–$4,000 per record breached. Not many EMS agencies could survive the financial and community relations hit from a data breach.

What are some of the actions you’ve taken at EMSA to secure your data records?

Many people think about cyberattacks in terms of hacking a firewall, when in reality that is the least common way hackers gain access. Think about cybersecurity in terms of vectors of attack. These vectors are ways attackers could gain access to your data. Here are some examples, with strategies for each.

• Phishing e-mail messages—Hackers often send e-mails with attachments or links to websites that can install viruses that allow the attacker access to the data on the computer—or, even worse, to servers to which the computer is networked. These e-mails and websites can look remarkably benign, often with references and logos from trusted sources. And a trusted website may even become compromised with malicious code that could also access information on your computer.
  
  Defense strategy—The most common is the use of e-mail spam filters. At EMSA we use Mimecast. This application “sniffs” inbound mail looking for spam, spoofing and viruses, and it rewrites all URL links in an e-mail to go through Mimecast to assure security.
   
• Web browsing—This attack happens by accessing a website you think is safe, but the website, as mentioned above, has been hacked with a malicious code that allows the attacker access to your computer. This is why many organizations block access to websites that have a high possibility of containing malicious code.
  
  Defense strategy—Defenses to web browsing attacks include the use of a firewall such as Barracuda. EMSA has used Barracuda, but we’re now moving to Palo Alto Networks’ next-generation firewall. Palo Alto looks for known threats and suspicious web traffic and where the link and data are going. For example, computers on EMSA’s servers would have very few reasons to access websites in places like Asia, so the firewall does not allow access to sites from there. This includes inbound web URLs included in e-mail.
   
• Man in the middle—Devices such as mobile data terminals (MDTs) and tablets for ePCRs exist outside our networks. The data transmission platforms between these devices and our network servers are potential access points for hackers. Think of stories about hackers installing secondary card readers on ATMs and fuel pump card readers. These devices intercept data between the card and reader. A similar process can be used within the pipeline of data between these devices and the server. 
  
  Defense strategy—Secure the transmission platform between the field-deployed devices and the server with data encryption such as a virtual private network (VPN) connection with data encryption. And be sure the mobile devices are also encrypted if they are used to collect and transmit protected information. The basic concept is that the data should be encrypted at the origin, at the destination and in transit.
   
• Social engineering—Humans generally want to do the right thing but can be taken advantage of. This can happen through e-mail phishing, but also something more creative. Say someone comes to your headquarters wearing an ID from a trusted vendor. They say they’re here to check on some system in the building, and the receptionist lets them in. Next thing you know, the hacker is at one of your computers, logging in. Or, after hours, someone in a community college uniform tells one of your operations personnel they’re there for a ridealong. The kind employee allows them in through the back door and points them in the direction of the crew lounge. That person now has access to your facility and possibly protected data.
  
  Defense strategy—Create and enforce very strict access policies to your facilities, which may even include escorting unfamiliar visitors. Similarly, train your team members on what phishing e-mails may look like and how dangerous opening links or clicking on URLs from nontrusted sources can be.

What if a patient care reporting tablet is lost?

Without the proper vector controls in place, such as the secure configuration of your tablet and the security infrastructure behind it, this has the potential to be very problematic. At EMSA, once an ePCR has been finalized and sent to our server (through our encrypted data connection), the record no longer resides on the tablet. And all our tablets are encrypted, so if the lost tablet is hacked, all they will get is the few patient records that still reside on the tablet. Even so, the records are encrypted with virtually no way to see any protected health information. We also use EXO5, a cloud-based control software to wipe or encrypt contents off the device as soon as it’s turned on and accesses the Internet. It encrypts the boot system, rendering the device unable to even boot up and run. 

What about security audits?

Security audits are very valuable and required by law for any HIPAA-covered entity. The selection of the person or firm to do your security audit is crucial. Pick someone who does it as their full-time job. There are several certifications you should look for, such as Certified Information Systems Security Professional (CISSP) or Certified in Risk and Information Systems Control (CRISC). When you have the audit done, you’re going to feel sick to your stomach. You may think you’re doing a good job with cybersecurity, but the auditor will likely find vulnerabilities you hadn’t even thought of.

What are the top five things EMS agencies should do to enhance their cybersecurity?

1. Take cybersecurity very seriously. Threats need to be top of mind, always. I used to lose sleep at night worrying about keeping all our IT systems up and running. Today what keeps me up at night is the idea of someone hacking into our systems.
    
2. When it comes to security audits, make sure your IT manager does not get defensive. Even the best IT managers and systems have vulnerabilities. Learn from the audit, be proactive and decide where your greatest risks are and manage them.
    
3. Find a security audit vendor you are comfortable with. It should be someone from the outside. Listen to what the auditor finds and take action.
    
4. Assess all your attack vectors continually. There are new viruses and new approaches to hacking literally every day. The systems and processes you have in place today may not be effective tomorrow. Use software and structural controls that evolve. Some of the software we use at EMSA, like Mimecast, updates multiple times per day as new hacking processes are discovered.
    
5. Ask for help. No one is a security expert—we’re paramedics at heart. Don’t let your pride get you in trouble. The risks are real, but with diligence they can be mitigated. 

Matt Zavadsky, MS-HSA, NREMT, is chief strategic integration officer at MedStar Mobile Healthcare, the exclusive emergency and nonemergency EMS/MIH provider for Fort Worth and 14 other cities in North Texas. He has helped guide the implementation of several innovative programs with healthcare partners that have transformed MedStar into a mobile integrated healthcare provider. He is an EMS World editorial advisory board member.

Pinnacle EMS Leadership Forum

Interested in learning more from industry leaders such as Frank Gresh and Matt Zavadsky? They are just two of the many speakers at the Pinnacle EMS Leadership Forum, August 7–11 in Boca Raton, Fla.

Other highlights include:

• “Leveraging Clinical Technologies: The Transition from Intervention to Diagnostics,” with Thomas Judge, executive director of LifeFlight of Maine, who will discuss the shift in out-of-hospital healthcare from a focus on treating patients to a focus on new technologies that help diagnose patients and get them the right care.
   
• “How the Quality Movement Got Hijacked (and what EMS Leaders Can Do About It),” a look at how EMS systems can focus on improving care rather than judging providers, with EMS legends and dynamic entertainers Ed Racht, MD, and Mike Taigman.
   
• “Performance Improvement Measures in the Real World: What You Should Be Measuring Now,” with leaders from several EMS organizations sharing how they use clinical, operational and safety measures to improve.

Pinnacle provides forward-looking content for EMS leaders in an intimate, relaxed environment that encourages networking with colleagues and faculty, allowing EMS executives and chiefs to learn from each other and from thought leaders in public safety and healthcare.

Visit www.pinnacle-ems.com to view the entire program.