The Year-One Cybersecurity Plan for a New EMS Director
You just got promoted to EMS director, or you took a new job at a different agency. Either way, you are looking at a security posture you did not build and do not fully understand yet. The previous person may have kept good records. They may have kept none. You have CAD systems, ePCR platforms, dispatch interfaces, station networks, mobile data terminals, and a stack of vendor contracts you have not read. And you are expected to keep patient data safe from day one.
This article is the plan I wish I had when I walked into that situation. It is built around 12-month milestones with a hard 90-day checkpoint. The goal is not perfection by month three. The goal is knowing what you have, fixing the things that will get you sued, and building a budget case for everything else.
What to Assess in Month One
Your first month is reconnaissance. Do not fix anything yet and do not buy anything yet. You need to know what you are working with before you touch a single configuration.
Start with the inventory. Every device that touches patient data needs to be on a list. That includes desktop workstations in the station, laptops in the supervisor vehicles, tablets in the ambulances, the dispatch center terminals, and any personal devices that access ePCR or CAD from the field. If you have a BYOD policy for PCR completion, those phones are in scope too.
Next, map the network. Find the boundary between your administrative network and your operational network. If there is no boundary, that is your biggest finding. Apparatus bay Wi-Fi should not be on the same flat network as the dispatch workstations. If it is, write it down.
Reading vendor contracts in month one is tedious but necessary because you need to know which vendors have subprocessors, where your data lives, and what happens if they get breached. The ePCR vendor, the CAD vendor, the billing system, the HR platform that handles employee health records. All of them.
Finally, check the access logs. Not a full audit. Just ask who has accessed ePCR records in the last 90 days and whether that list matches your current roster. If you see terminated employees with active access, that is a month-one finding.
What to Fix by Month Three
The 90-day checkpoint is for the things that keep you up at night. These are not architectural improvements. These are the gaps that could produce a breach notification letter.
Fix terminated employee access first. This is the single most common finding in EMS security assessments. People leave the agency and their accounts stay active, sometimes for years. Run a report against your ePCR system, your CAD system, your Active Directory, and your billing system. Cross-reference against your HR termination list. Disable everything that should not be there.
Addressing the network segmentation problem is next on the priority list. If your apparatus bay Wi-Fi shares a broadcast domain with your dispatch center, that is a finding that will show up in any external assessment. You may not be able to redesign the network in 90 days, but you can put a firewall rule in place that restricts traffic between zones. Document the gap and the temporary control.
Then review your sanction policy. If a medic snoops in a PCR they have no clinical reason to open, the answer should not be "we talk to them." You need a written policy with escalating consequences. The HIPAA enforcement environment has shifted. Agencies that cannot demonstrate consistent enforcement are the ones that get the corrective action plans.
Finally, establish a basic incident response process that covers the essentials. It does not need to be a 50-page document. It needs to answer three questions: who do you call when something breaks, how do you contain it, and who notifies the patients. Write that down and put it somewhere the on-call supervisor can find it at 2 AM.
What to Budget for in the Next Fiscal Year
By month six you should have enough data to build a budget request. The key is to separate what you need from what vendors want to sell you.
Budget for a formal risk assessment, not a checkbox exercise. A real one that covers your ePCR environment, your CAD interfaces, your mobile data workflow, and your third-party vendor relationships. This is the document that justifies every other security spend. Without it, the finance office will treat your requests as nice-to-haves.
Budget for access control improvements. If you are still using shared logins on station computers or generic tablets that pass between crews without authentication, that needs to change. Multi-factor authentication for remote ePCR access is becoming the standard of care. If your vendor does not support it, that is a procurement conversation.
Budget for logging and monitoring. Most EMS agencies have logs, but almost none of them review them. A basic SIEM or a managed detection and response service that covers your ePCR and CAD environments will catch the things your staff will not notice. The cost is lower than you think. The cost of not having it is higher.
Budget for training. Not the annual HIPAA video that everyone clicks through. Real training that covers what patient data looks like in your specific systems, what appropriate access looks like, and what happens when someone steps over the line. Tie it to your sanction policy so staff understand the consequences are real.
What to Leave Alone Until You Understand the Tradeoffs
This is the hardest section for a new director. You want to fix everything. You cannot. Some things will break operations if you change them without understanding the clinical workflow.
> The most expensive security control is the one that stops the ambulance from running. Know the workflow before you touch the configuration.
Leave the CAD-to-ePCR interface alone. That integration is probably fragile. It may be the only thing keeping your crews from double-entering data. If you break it, you will have medics typing run reports on paper again, and that introduces its own HIPAA problems. Document the risk. Budget for a replacement. Do not touch the configuration until you have a maintenance window and a rollback plan.
The mobile data terminal configuration should stay as-is until you understand the crew workflow. The MDT software in the ambulance is tuned to a specific process. Changing the VPN settings or the application permissions without understanding how the crew uses it will produce help desk tickets, not security improvements. Shadow a crew shift first, then watch how they actually use the device, then make decisions.
The billing system integration is another hands-off zone you should leave alone. The billing team has a workflow that works. If you lock down their access without understanding their reconciliation process, you will delay claims and hurt revenue. Work with them, understand their process, then find the security controls that do not break it.
Leave the station culture alone for now, even if it frustrates you. If crews have been logging into the same workstation with a shared password for five years, you cannot flip a switch and change that overnight. You need to understand why it happened, what the operational pressure was, and what the replacement looks like before you demand change. Move fast on the technical controls. Move carefully on the human ones.
How to Structure the 90-Day Checkpoint
At the 90-day mark, you need to produce a written assessment for your leadership. This is not a security audit. It is a status report that tells the chief or the board what you found, what you fixed, and what still needs money.
The report should have three sections. First, the findings that have been remediated, listed with dates. This shows you are acting. Second, the findings that need budget or vendor action. These go into the fiscal year request. Third, the findings you are monitoring because the fix carries operational risk. Explain the risk and the timeline.
This report is also your protection. If something goes wrong in month four, you have documentation that you identified the gap and had a plan. That matters in a breach investigation.
Frequently Asked Questions
How do I find out what security posture I inherited without spending money?
Start with free tools. Run a network scan with Nmap to see what is on your subnet. Check your ePCR vendor's admin console for user lists and last login dates. Read the terms of service and data processing agreements you already signed. Most of what you need to know is in documents you already have. You just have not read them yet.
What is the most common security gap in EMS agencies?
Terminated employee access shows up in almost every assessment. People leave the agency and their accounts stay active, sometimes for years. The fix is a quarterly reconciliation between HR termination records and system access lists. It takes two hours and costs nothing.
Do I need a full-time security person for my EMS agency?
Not necessarily. Many agencies under 500 employees do well with a managed security service provider for monitoring and a part-time vCISO for strategy. The key is having someone who understands both security and EMS operations. A generic IT security person will miss the clinical workflow constraints.
How do I get budget for security when the ambulances need replacing?
Frame security spending as operational continuity. A breach that takes your ePCR system offline stops patient care documentation. A ransomware event on your CAD system stops dispatch. When you present it that way, the conversation shifts from compliance to mission readiness. That is a language the chief understands.
What should I do if I find a breach in my first 90 days?
Contain it first. Disable the compromised accounts or isolate the affected systems. Then notify your legal counsel and your HIPAA privacy officer. Do not try to investigate it yourself beyond the containment step. Call your cyber insurance carrier if you have one. They will have incident response resources on retainer. Then document everything for the breach notification process.
Closing
The first year is about building a foundation. You will not have a perfect security program by month twelve. But you can have an inventory, a risk assessment, a budget plan, and a set of relationships with the people who actually run the operations. That is enough to build on.
-- Steven
Need help with your agency’s cybersecurity? Get in touch