IRON RODSecurity

Cybersecurity Budgeting for a 10-Truck EMS Service

Steven Carlson·

A 10-truck EMS service in the Southeast got hit with a ransomware demand for $50,000 last year. They had no incident response retainer and no immutable backups. They had a firewall and a copy of Norton that the county IT guy installed three years ago. The chief had to go to the county commission and ask for emergency funds to pay a recovery firm. The total cost, including the emergency forensics, the downtime, and the lost billing days, came to about $85,000.

The security tools that would have prevented or shortened that incident would have cost about $28,000 for the year, which is roughly what I outlined in The Year-One Cybersecurity Plan for a New EMS Director. That is roughly the price of one ambulance tire change and a set of stretcher straps.

Cybersecurity Budget for a Small EMS Agency

Let me be direct about what a realistic budget looks like for a service with about 60 users and 70 endpoints. These are not aspirational numbers. These are what the tools actually cost.

MFA (Multi-Factor Authentication): $3,000 per year. This covers every user for VPN access and email and cloud-based ePCR. A single phished credential is the most common way ransomware starts. MFA stops that attack cold.

EDR (Endpoint Detection and Response): $7,000 per year. This replaces whatever antivirus you are running. Traditional AV looks for known malware signatures while EDR looks for behavior patterns. When an attacker uses PowerShell to move laterally through your network, EDR catches it. Antivirus does not.

Immutable Backups: $6,000 per year. Cloud-based immutable snapshots that the attacker cannot delete. If your backup server is on the same network as your production servers, it is not a backup. It is a second target.

Incident Response Retainer: $10,000 per year. This is a pre-paid retainer with a cybersecurity firm. When something happens, you get an expert on the phone in minutes, not days. Without this, you are calling around during a crisis hoping someone has availability.

Security Awareness Training: $2,000 per year. Phishing simulations and basic training for field staff. The human is the primary attack vector, and training is cheap relative to the alternative.

Total: $28,000 per year. That is about $2,800 per truck. A single ambulance tire costs $400 and an engine rebuild runs $15,000. The math is not complicated.

EMS Cybersecurity Tools Cost Estimate Breakdown

The numbers above are annualized, but let me break them down per month so they are easier to think about.

MFA runs about $250 per month, EDR about $580, and backups about $500 per month. The IR retainer is about $830 per month and training is about $170 per month.

That is about $2,330 per month. For context, that is less than the monthly payment on a single Type II ambulance. It is less than what most services spend on diesel in a week.

The items that often get cut are the ones that are hardest to explain to a non-technical audience. The IR retainer is the most common casualty. It feels like insurance. You pay for it and hope you never use it. But when you need it, you need it immediately. Trying to negotiate a retainer during an active breach is expensive and slow.

Critical Cybersecurity Controls for Ambulance Services

If you can only fund a subset of this budget, here is the priority order.

First: MFA. It stops the most common attack path. Password spraying and credential stuffing are the primary ways RaaS affiliates get in. MFA makes those attacks useless. This is the single highest-return control for the lowest cost.

Second: Immutable Backups. If an attack succeeds, you need to be able to recover without paying. Immutable backups are the only way to guarantee that. Test your restore process. A backup you have never restored is a hope, not a plan.

Third: EDR. This gives you visibility into what is happening on your endpoints. When an attacker drops a Cobalt Strike payload on a dispatch workstation, EDR catches it. Antivirus does not.

Fourth: IR Retainer. This is the safety net. If the first three controls fail, you need someone who knows how to contain the breach, preserve evidence, and get you back online. Trying to figure that out yourself during an active ransomware attack is how agencies end up paying $85,000 instead of $28,000.

How to Fund Cybersecurity in a Public Safety Operating Budget

The hardest part of this conversation is not the technical decision. It is the budget conversation. Here is the argument that works.

Frame it as patient safety. A ransomware attack that locks the ePCR system means providers cannot access patient histories, allergies, or medication lists. Cybersecurity is not an IT cost. It is a clinical safety requirement. The same way you budget for cardiac monitors and drug boxes, you budget for the tools that keep patient data available.

Frame it as operational continuity. Without CAD and billing systems, the agency stops functioning efficiently. Revenue stops. Response times suffer. The cost of one week of downtime is higher than the annual security budget.

Frame it as regulatory risk. HIPAA requires reasonable safeguards for ePHI. The Office for Civil Rights has made it clear that lacking basic controls like MFA and EDR constitutes willful neglect, a topic I covered in more detail in HIPAA Workforce Screening and the EMS Hiring Gap. The fines for that are far higher than the cost of the tools.

Frequently Asked Questions

Can a small EMS service get by with just a good firewall and antivirus?

No. Modern attacks bypass firewalls through phishing and can disable traditional antivirus. A combination of MFA and EDR and immutable backups is the current baseline for protecting patient data.

How do I convince a Fire Chief or EMS Director to fund cybersecurity from the operating budget?

Frame it as a patient safety and operational continuity issue. A cyberattack is not an IT problem. It is a clinical failure that prevents access to patient records and disrupts emergency response.

What is the most important item for a limited budget?

MFA and immutable backups. MFA stops the majority of credential-based attacks, and immutable backups ensure you can actually recover if an attack succeeds. If you can only fund two things, those are the two.

---

The agency I mentioned at the start recovered eventually. They paid the recovery firm, rebuilt their systems, and implemented most of the controls listed here. Their annual security spend is now about $30,000. The chief told me he wishes he had done it before the attack, not after. That is the pattern I see most often. The budget gets approved after the incident, not before. It does not have to be that way.

-- Steven

Need help with your agency’s cybersecurity? Get in touch

Cybersecurity Budgeting for a 10-Truck EMS Service | Iron Rod Security