IRON RODSecurity

EMS Cybersecurity Insights & Resources

Public Records Security: What To Never Release

A public safety security review: what records adversaries request, the statutory exemptions, and a review process every agency needs.

Security exemptionsOperational securityIncident response plansPublic recordsPassive reconnaissance

Cyber Insurance for Small EMS and Volunteer Fire Services — The Clauses That Matter

What the policy clauses, MFA warranties, ransomware sublimits, and IR panel restrictions actually mean for small EMS and volunteer fire departments.

Cyber insurancePublic safety cybersecurityRansomware sublimitEms securityVolunteer fire department

The Offboarding Gap That Leaves ePCR Access Open for Days

The gap between HR termination and ePCR access revocation in EMS agencies. How ImageTrend, ESO, and Zoll sessions stay alive and the same-day checklist that kills them.

Insider threatAccess revocationEsoImagetrendZoll

BEC Against EMS Billing: The ACH Form That Costs Six Figures

EMS agencies lose six figures to BEC attacks on billing staff. Here is how the ACH change form scam works and the dual-approval workflow that stops it.

Ems cybersecurityOut of band verificationAch fraud preventionBusiness email compromiseEms billing security

Social Engineering the Dispatch Center: Attack Scenarios and Verification Protocols

Three realistic social engineering attacks targeting public safety dispatch centers and the verification protocols that stop them.

VishingSocial engineeringPsapOperational securityDispatch center security

Retiring MDTs: NIST 800-88, True Wipes vs. Factory Reset, and HIPAA Audit Proof

How NIST 800-88 applies to retiring EMS tablets, why factory resets leave PHI exposed, and the documentation needed for a HIPAA audit.

Epcr data securityChain of custodyEms cybersecurityNist 800 88Ssd sanitization

Pre-Plan Security: The PHI-Adjacent Data Most Fire Departments Leave Unlocked

Alarm codes, Knox box combinations, occupant medical conditions, and hazmat locations live in your pre-plan system with weaker access controls than your ePCR. Here is the fix.

Access controlMFARbacFire departmentKnox box

The Texting Problem: When SMS Between Crews Becomes a HIPAA Issue

When does SMS between EMS crews cross from operational chatter into a HIPAA violation? Direct guidance on OCR rules, secure messaging policy, and what a defensible mobile policy looks like.

Mobile messaging policy fire departmentSms hipaa violationHipaa compliant messaging emsOcr sms guidanceOperational chatter phi

NEMSIS Data Submission and PHI Exposure — What Your Vendor Sends and Why You Should Verify It

Your ePCR vendor transmits full PHI through the NEMSIS V3 pipeline. The narrative field is an unguarded re-identification risk most agencies never audit. Here is how to validate the payload.

Vendor risk managementRe identification riskEms dataEpcr securityHipaa compliance

The HIPAA Risk Analysis That Holds Up Under OCR Review

OCR expects a risk analysis that maps threats to vulnerabilities, not a generic compliance checklist. Here is what 45 CFR 164.308(a)(1)(ii)(A) actually requires and how to build it for your EMS agency.

Risk assessmentComplianceHipaa risk analysis45 cfr 164 308Ocr review
EMS Cybersecurity Blog and Resources | Iron Rod Security