Pre-Plan Security: The PHI-Adjacent Data Most Fire Departments Leave Unlocked
Most fire departments treat pre-plan software like a map. It is not a map. A map shows you how to get to a building. A pre-plan tells you how to get inside it, where the hazards are, which residents need help getting out, and what chemicals are stored on site. The difference between those two things is the difference between a street address and a master key.
I have looked at enough pre-plan systems to know that most of them have access controls that would not stop a motivated high school student. The data in these systems needs to be treated like what it is: a physical security blueprint with medical information attached.
What Is Actually Stored in a Pre-Plan System
The first step is understanding what you are protecting. A typical pre-plan contains multiple categories of sensitive data.
Alarm codes and Knox box combinations are the most obvious. Anyone with access to a pre-plan can walk up to a building and let themselves in. Gate codes and lockbox key locations fall in the same category. If this data leaks, you have effectively handed over the physical keys to every building in your response area.
Occupant medical conditions are less obvious but just as serious. A pre-plan might note that a resident is oxygen-dependent or that someone in unit 4 has dementia. That is protected health information in a tactical context. A pre-plan is not a full ePCR record, but the exposure risk is the same if that data gets breached.
Hazardous materials locations, gas shut-off valves, and electrical panel positions round out the list. These are the kinds of details that make pre-plans useful on scene and dangerous in the wrong hands.
Fire Department Pre-Plan Software Security: Where the Gaps Are
Most agencies pick up a pre-plan tool because it solves a tactical problem. The crew needs quick access to building data on the apparatus tablet. That is a real need. But the security model rarely gets the same attention as the feature list.
Excessive privileges are the most common issue. Everybody at the department gets read access to every pre-plan regardless of rank or assignment. A rookie who just finished academy does not need the same access level as a battalion chief who runs the hazmat team. Flat access is easy to set up and hard to defend.
Pre-plan portals are cloud-based, accessible from mobile devices, and protected by nothing more than a username and password. If that credential gets phished, the attacker has full access to every building key in the system. MFA should be the baseline for any system that holds physical security data, but most departments have not turned it on.
Offboarding is another common failure point. When someone leaves the department, their pre-plan account often stays active because the system is not tied to the agency's identity provider. I have seen accounts for people who retired three years ago still ticking in the access log.
Some departments still store pre-plans as flat PDFs or JPEGs on a shared drive. No encryption. No audit trail. Just a folder full of building layouts sitting on a file server that everybody in the station can reach.
The HIPAA Risk Analysis That Holds Up Under OCR Review covers how to evaluate risk across the whole agency. The same framework applies here.
HIPAA Compliance for Fire Department Pre-Plans: The Grey Zone
The regulatory question goes like this. If a pre-plan contains a specific occupant's name paired with a medical condition, that is PHI. If it contains an apartment number and a note about oxygen use, that is probably PHI too. The threshold is whether the information can be linked to an individual. The grey zone exists because pre-plans live between tactical data and clinical data, but the grey zone does not mean you ignore the problem. It means you treat the data at the higher standard.
An OCR auditor would look at occupant medical conditions recorded in a tactical system and ask the same questions they would ask about an ePCR system. Who has access. Whether that access is logged. Whether the data is encrypted at rest and in transit. The difference between a finding and a fine comes down to having answers for those questions ready.
Securing Knox Box Combinations in Digital Pre-Plans: Access Control That Works in the Field
The tension in pre-plan security is that the data needs to be fast to reach during an incident but locked down the rest of the time. A bifurcated access model solves this.
Tactical access is time-limited and incident-triggered. When a dispatch goes out for a specific address, the responding crew gains temporary read access to the pre-plan for that property. The access expires when the incident closes. This keeps the data available at the moment it matters without leaving it open all the time.
Administrative access is for the people who maintain the pre-plans and audit the logs. Restricted to officers and pre-plan coordinators. This access requires MFA and quarterly review. It does not expire automatically, but the review cadence catches stale accounts.
Role-based access control is the mechanism that makes this work. The pre-plan system needs to know who the user is and what their role is. It also needs to know whether they are currently responding to a call. That means the system needs to integrate with the agency's identity provider and the CAD system.
Fire Service Tactical Data Access Control and Audit Trails
A pre-plan system without an audit trail is a liability. If a Knox box combination gets used in a burglary, the agency needs to know who accessed that pre-plan and when. Without logging, there is no way to narrow the investigation.
The audit log should record every access event, not just administrative changes. Who viewed which pre-plan, from what device, at what time. Read access included. The logs need to be tamper-proof and retained for at least the same period as other PHI-adjacent records.
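The incident-scoped tactical grant, the standing administrative grant and the per-read audit trail described in the two sections above, as an added Python example that is not part of the original post. The CAD incident list, the user-to-apparatus roster mapping, the role names and the device labels are constructed stand-ins for what a real identity provider and CAD integration would supply.

```python
import hashlib, json
from collections import namedtuple

# Constructed record types. User.active goes False when the identity provider
# offboards the account. Incident mirrors a CAD record: units = apparatus
# dispatched to the property, closed_at = None while the incident is open.
User = namedtuple("User", "user_id role mfa_verified active")
Incident = namedtuple("Incident", "incident_id property_id units closed_at")
ADMIN_ROLES = {"officer", "coordinator"}   # standing access, MFA required

def _digest(event):   # hash of an audit entry, excluding its own hash field
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

class PrePlanAccess:
    def __init__(self, incidents, unit_of_user):
        self.incidents = incidents          # live CAD incident list
        self.unit_of_user = unit_of_user    # user -> apparatus, from the roster
        self.audit = []                     # append-only, hash-chained log

    def authorize(self, user, prop, now, device, action="read"):
        # Tactical grant: an open incident at this property that dispatched the user's unit.
        unit = self.unit_of_user.get(user.user_id)
        inc = next((i.incident_id for i in self.incidents if i.property_id == prop
                    and unit in i.units and (i.closed_at is None or now < i.closed_at)), None)
        if not user.active:
            allowed, reason = False, "account_inactive"
        elif user.role in ADMIN_ROLES and user.mfa_verified:
            allowed, reason = True, "administrative"
        elif action == "read" and inc:              # tactical access is read-only
            allowed, reason = True, "tactical:" + inc
        else:
            allowed, reason = False, "no_active_dispatch"
        self._log({"ts": now, "user": user.user_id, "property": prop, "device": device,
                   "action": action, "allowed": allowed, "reason": reason})
        return allowed

    def _log(self, event):                          # reads and denials are logged too
        event["prev"] = self.audit[-1]["hash"] if self.audit else "0" * 64
        event["hash"] = _digest(event)
        self.audit.append(event)

    def verify_audit_chain(self):
        # Recompute every hash; an edited or dropped entry breaks the chain.
        prev = "0" * 64
        for e in self.audit:
            if e["prev"] != prev or e["hash"] != _digest(e):
                return False
            prev = e["hash"]
        return True
```

Once the incident closes the tactical grant lapses on the next request with no account change, while the officer's administrative grant depends only on role and a completed MFA step; every decision, allowed or denied, lands in the chained log.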
Beyond the Password: Moving EMS to Identity-Based Security goes deeper on why standalone password models do not work for systems that hold sensitive tactical data.
How to Secure Hazardous Material Locations in Pre-Plans: The Remediation List
The fixes are straightforward. The hard part is making time for them.
Tie the pre-plan system to your identity provider. SSO integration means offboarding happens automatically. When the employee leaves the department, their access to every connected system goes away at the same time.
Turn on MFA. This is the single highest-impact change you can make for a cloud-based pre-plan tool.
Run a quarterly access review. Export the list of users with pre-plan access and check it against your current roster. Terminate accounts that do not match.
Encrypt pre-plan data at rest and in transit. If your vendor cannot confirm encryption, ask for details in writing. Their answer will tell you a lot about their security posture.
Audit your shared drives for flat PDFs and JPEGs. If pre-plans are sitting unencrypted on a file server, migrate them into a platform with proper access controls.
Request read-only audit logs from your vendor. If they cannot provide them, that is a finding.
Frequently Asked Questions
Are fire department pre-plans considered PHI under HIPAA?
If a pre-plan contains occupant-specific medical information like oxygen dependence or mobility limitations, that information is PHI-adjacent. If it can be linked to a named individual, treat it as PHI. The safer approach is to apply HIPAA-level controls to the whole pre-plan system rather than sorting through which records qualify.
Why is a standard username and password not enough for pre-plan systems?
Pre-plans contain alarm codes, Knox box combinations, and entry points. These systems are accessed from mobile devices in the field, which makes them a target for credential theft. MFA is the baseline for any system that holds physical security keys.
How can an agency ensure that former employees no longer have access to pre-plans?
Integrate the pre-plan software with your agency's identity provider through SSO. When someone gets offboarded from the main directory, their access to every connected system goes with it. Automated offboarding is the only reliable method.
What is the difference between tactical and administrative access?
Tactical access is temporary, triggered by an active incident, and limited to the specific property. Administrative access is standing access for the people who maintain and audit pre-plans. Separating these two modes keeps the data fast to reach during a call and locked down the rest of the time.
Does every firefighter in the department need access to every pre-plan?
No. Access should be based on role and current operational status. A firefighter assigned to a specific station does not need pre-plans for buildings on the other side of the city. RBAC gives you the control to match access to actual need.
---
Pre-plan data lives at the intersection of physical security and medical privacy. Most agencies treat it like a convenience instead of a responsibility. The access model, audit trail, and offboarding procedure need to match the sensitivity of what is actually stored in these systems. The question is not whether pre-plans are worth securing. The question is how long you can afford to leave them unlocked.
-- Steven
Need help with your agency’s cybersecurity? Get in touch