ImageTrend, ESO, and Zoll Online: A Security-Posture Evaluation Framework
The ePCR vendors send renewal notices like clockwork. ImageTrend, ESO, Zoll Online. Usually a PDF attachment with a signature line at the bottom and a note about a small price increase. Most agencies sign it and move on.
The problem is that the renewal is the one moment in the contract cycle where you have real negotiating room. The vendor wants to keep you. They will answer questions during renewal that they will deflect during a new sale. And most agencies do not ask the right questions.
I have worked with enough EMS agencies to know how this goes. The BAA is somewhere in a folder. The admin passwords are shared across the shift. Nobody knows whether audit logs capture reads or just writes. The tablet encryption status is unknown. And if there is a breach, the notification timeline is whatever the vendor decides it is.
This article gives you a framework for changing that. A rubric for evaluating ePCR security posture and a set of specific questions to send each vendor before you sign the renewal.
Access Control and Identity Management for ePCR Systems
Start with how users get in. The default for most ePCR platforms is still username and password with an optional MFA toggle. That is not acceptable for a system holding PHI.
The standard you should hold vendors to is SAML/SSO with mandatory MFA for all administrative accounts. No exceptions. If the vendor tells you MFA is "available but not required," ask them to make it required for your agency. If they cannot enforce it at the platform level, that is a gap you need to document and accept in writing.
Role-based access control matters just as much. Restrict access by module. Billing users should not see clinical notes and field crews should not see billing data. And the super user account should be locked in a drawer, assigned to a specific person, with its own MFA.
Session management is the part most agencies overlook. What is the idle timeout? Can you force a global logout if a tablet is stolen mid-shift? If the answer involves a support ticket and a 24-hour turnaround, that is a problem.
Data Encryption Standards for ePCR Platforms
Encryption at rest should be AES-256. That is the floor. But the real question is who holds the keys. Vendor-managed encryption is better than nothing, but customer-managed keys give you control over who can decrypt your data if the vendor has an incident.
Encryption in transit should be TLS 1.2 or 1.3. Any vendor still supporting TLS 1.0 or 1.1 should be dropped from consideration. That is not negotiable in 2026.
The part that catches agencies is the endpoint, meaning the tablet in the ambulance and the laptop at the station. The ePCR platform may encrypt data in transit and at rest inside its own cloud, but if the field device stores a local cache of patient data without disk encryption, that cache is fully exposed. A stolen tablet with FDE and a strong PIN is a manageable risk. A stolen tablet with a shared password and no disk encryption is a breach waiting to be discovered.
Ask the vendor how they handle local data caching. Some platforms cache aggressively for offline operation. That cached data needs the same protection as the cloud copy.
Audit Logging Requirements for HIPAA ePCR Systems
HIPAA requires the ability to track who accessed PHI. That includes reads, not just edits. Many ePCR platforms log writes by default but require configuration changes to log reads. Some do not log reads at all.
Find out before renewal. Ask for a sample audit log showing a typical day. If the log only shows "User modified chart 12345" without showing who viewed it and for how long, you have a gap. Unauthorized viewing of a patient chart is a breach under HIPAA regardless of whether anything was changed.
Log immutability is another test. Can the vendor or your internal admin delete or modify audit records after they are written? Immutable logs are table stakes for any system handling PHI. If logs can be altered, they are evidence of nothing.
SIEM integration is the advanced question. Can you stream audit logs to your own monitoring system via Syslog or API? If the logs are trapped in a vendor portal that you have to log into and export manually, your incident response team will not see a problem until days after it starts.
What to Look for in an ePCR Business Associate Agreement
A signed BAA is the minimum. The terms inside it are what matter.
Read the breach notification clause. Many BAAs say the vendor will notify you "as soon as possible" or "without unreasonable delay." That is not a commitment. You need a specific timeframe, ideally 24 to 72 hours. Your state may require you to notify affected patients within a certain window. If the vendor takes a week to tell you about a breach, you lose the ability to meet your own legal deadlines.
Liability allocation is the other critical term. Does the BAA hold the vendor responsible for breaches caused by their own negligence, or does it shift all liability to your agency? Some BAAs are written to protect the vendor almost entirely. If you sign one of those, you are accepting full legal and financial responsibility for a breach that started on their infrastructure.
Right to audit is a clause worth asking for. The vendor should provide a SOC 2 Type II report at minimum. If they refuse to share it or claim it is confidential, that tells you something about their confidence in their own controls.
Security Questions for ePCR Software Renewal
Send these questions to your vendor before you sign the renewal. Get the answers in writing.
1. Can you provide a detailed RBAC role matrix and confirm whether MFA is required for all administrative accounts?
2. Does the audit log capture read events plus write and edit events? Can these logs be streamed to an external SIEM via API or Syslog?
3. What encryption standard is used for data at rest, and who manages the keys?
4. In the event of a breach originating in your environment, what is the maximum number of hours between discovery and notification to our agency?
5. Will you provide the most recent SOC 2 Type II audit report and the associated letter of attestation?
These are not gotcha questions. They are due diligence questions. Any vendor that pushes back on answering them in writing is giving you information you should factor into your renewal decision.
For more on the operational side of vendor risk, the article on EMS telemedicine integration covers the BAA chain problem in detail. And the piece on agency mergers covers what happens when two systems with different security postures suddenly need to talk to each other.
Frequently Asked Questions
Is a signed BAA enough to ensure my ePCR data is secure?
No. A BAA is a legal contract that defines liability and responsibilities. It is not a technical security control. You still need to verify the vendor's encryption, access controls, and audit capabilities. A BAA plus weak security still means a breach.
Why should I care about read logs if the data was not changed?
HIPAA and most state privacy laws require tracking who accessed PHI, not just who changed it. Unauthorized viewing of a patient chart is a breach regardless of whether the data was edited. Read logs are the only way to detect that kind of access.
What is a SOC 2 Type II report and why do I need it?
A SOC 2 Type II report is an independent auditor's verification that a company's security controls were designed correctly and operated effectively over a period of time, usually 6 to 12 months. It is the closest thing to an objective third-party assessment of a vendor's security posture.
What happens if my ePCR vendor refuses to answer these questions?
That is itself an answer. If a vendor will not put their security commitments in writing before renewal, factor that into your decision. A vendor's silence forces you to document the gap and plan compensating controls on your side instead of relying on theirs.
---
The renewal is the time to ask. The five questions above take ten minutes to send and the answers will tell you more about your vendor's security posture than any sales deck ever will.
-- Steven