Building an Incident Response Plan That Survives Contact With a Real EMS Cyber Incident
A PDF in a folder is not a plan. It is a file. If the systems are down and the only place the incident response plan exists is on the compromised server, you do not have an incident response plan.
Most generic IT disaster recovery templates fail the moment they touch an EMS environment because they treat the problem as a data recovery exercise when the real problem is clinical continuity. A dead ePCR system is not an IT ticket.
> Standard operating procedures for responding to a security incident must be in place to address the breach in a manner that protects patients and ensures continued care.
>
> Adapted from HIPAA Security Rule 45 CFR 164.308(a)(6)
EMS Incident Response Plan for Ransomware
A ransomware attack on an EMS agency does not just encrypt files. It stops dispatch and charting and medication verification and billing. The plan must account for each of these failures separately.
The first step is the paper fallback: where the paper charts are kept and who manages the manual numbering system so there are no gaps in the medical record. The transition from digital to paper must be rehearsed rather than theorized.
The second step is medication safety: a manual double-check process for dosing, since digital drug calculators and allergy alerts go dark during an outage. This is a clinical control.
The third step is dispatch continuity: the plan must specify exactly how calls are received, triaged and assigned if CAD is down. The communication matrix needs verified phone numbers for neighboring dispatch centers rather than just a list of agency names.
The fourth step is billing coordination: notify the clearinghouse of delayed submissions, since a dead ePCR means billing stops.
How to Maintain Clinical Continuity During an EMS IT Outage
The difference between an EMS IR plan and a corporate one is the clinical layer: an EMS agency cannot stop operations while systems restore. Clinical continuity requires defining minimum viable operations before an incident happens, meaning the absolute minimum set of tools and data needed to send an ambulance to a call and document the response. That minimum set must be available offline.
This connects to the broader dependency problem I wrote about in Ransomware Hit the Hospital. The EMS dependency map intersects with hospital and dispatch and vendor platforms so a plan that only covers one piece misses the full picture.
Manual Dispatch Protocols for EMS Cyber Attacks
A runbook is not the same as a plan. The plan is strategy and the runbook is the step-by-step manual for the person on duty at 2 a.m. The runbook must be physical as a binder or offline device because a runbook that lives only on the compromised network is useless.
The runbook needs actionable checklists with specific steps like logging into BackupServer01 and running script X and confirming output Y. The steps must be specific enough that someone under stress can follow them without interpretation.
The runbook needs a panic button matrix on a single page listing the most critical contacts including vendor support and cyber insurance and forensic team and Medical Director. No digging through directories.
The runbook needs decision trees with clear if-then logic. If CAD is unreachable and radio is functioning then switch to manual dispatch protocol B. The decisions must be made in advance.
NEMSIS Reporting During Electronic Patient Record Failure
When the ePCR is down, the data elements NEMSIS requires still need to be captured and reported. The gap between what was documented on paper and what needs to go into the system is data debt. The plan must establish a data recovery task force that begins transcribing paper records into the ePCR as soon as it is safe.
EMS Cybersecurity Runbook vs Incident Response Plan
Test the plan by simulating a CAD outage and an ePCR failure and losing both at the same time. The people writing the plan are often in the office while the people executing it are in the trucks. Validation must come through tabletop exercises that include field crews. The first time you learn your plan has gaps should not be during a real incident.
A plan that has not been tested is a theory and a theory that fails during a real incident is a liability.
Frequently Asked Questions
Why is a standard IT disaster recovery plan insufficient for EMS?
Standard IT plans focus on data recovery and system uptime. EMS plans must focus on clinical continuity because the primary risk is patient harm due to loss of critical medical information.
How do we handle NEMSIS reporting if we use paper charts?
Establish a data recovery task force that transcribes paper records into the ePCR once systems are safe. This ensures compliance with state and national standards.
What is the difference between an IRP and a Runbook?
The IRP is the high-level strategy defining who is in charge and what the goals are. The Runbook is the tactical step-by-step instructions for what to do at 2 a.m.
Who needs to be included in an EMS cyber incident notification chain?
The Medical Director for clinical risk. The billing clearinghouse for revenue continuity. Neighboring mutual aid agencies for operational support. State and federal bodies for HIPAA compliance.
Closing
A PDF in a folder is not a plan. A plan that has not been tested is a theory. A theory that fails during a real incident is a liability. Build the runbook and make it physical and test it with the people who will execute it. The patient in the back of the rig does not care about your backup strategy.
-- Steven