IRON RODSecurity

EMS Cybersecurity Insights & Resources

Bluetooth Pairing on the Cardiac Monitor — Security Risks and Firmware Reality

Cardiac monitor Bluetooth pairing creates an attack surface in crowded ED hallways. A practical look at LifePak, Zoll, and Corpuls security.

Mitm attackEd hallwayZollBluetooth securityCardiac monitor

Connected Vehicle Telemetry and Who Owns the Apparatus Data

Fire apparatus and ambulances are data centers on wheels. Who owns the telemetry data, and what to negotiate before the purchase order is signed.

Connected vehicle telemetryFleet managementCjis complianceVendor lock inEmergency vehicle contracts

USB Drops at Fire Stations — Threat Model, Group Policy Controls, and the Charging Problem

Fire stations face a unique USB drop threat from open bay doors and unattended workstations. Technical controls and the policy fix for the charging problem.

EDRFire station securityUsb data blockersRubber duckyGroup policy

QR-Code Quishing at the Station — Attack Patterns and Practical Defenses

Quishing attacks target fire and EMS stations through fake QR codes on posters and stickers. Here is how they work and what to do about it.

Fire station securityQr code phishingAwareness trainingEMSPublic safety

CJIS Compliance for Fire and EMS: The Shared CAD Problem

Fire and EMS agencies accessing NCIC data through shared CAD systems face CJIS audit failures on personnel screening, MFA, and data segregation.

MFACad securityNcicShared cadPersonnel screening

Paging App Security for Fire and EMS — Active911, IamResponding Threat Model

A practical threat model for Active911, IamResponding and similar paging apps covering the data pipeline, location privacy, and vendor renewal questions.

Paging app securityFirst responder privacyCad securityVendor riskActive911

Drone Footage at Fire Scenes: Chain of Custody, HIPAA, and the Cloud Security Default You Did Not Configure

Every fire department I work with has a drone now, maybe two. They bought it for thermal imaging on structure fires and scene overviews on MVCs, plus searc

Chain of custodyCloud securityFire departmentDigital evidenceDrone footage

State Breach Notification Laws and the EMS Multi-Jurisdictional Problem

Somewhere right now, an EMS director is trying to figure out how many states they need to report a breach to. The ePCR vendor called at 4 PM on a Frid

Incident responseHipaa complianceState lawEms data breachBreach notification

42 CFR Part 2 in the Field: Substance-Use Disorder Confidentiality That HIPAA Doesn’t Cover

Most EMS agencies know HIPAA cold. They train on it at orientation, build their ePCR workflows around it, audit for it. And then 42 CFR Part 2 walks in thr

42 cfr part 2ConsentSudRe disclosureCompliance

Crew Phones and Social Media at the Scene: A HIPAA Framework Built for Reality

A practical HIPAA framework for EMS agencies managing crew phone photos, social media posts, and scene documentation on personal devices. No blanket bans, just real workflows.

Social mediaPersonal devicesEMSPolicyDe identification
EMS Cybersecurity Blog and Resources | Iron Rod Security