
What keeps EMS CIOs up at night

While cybersecurity and HIPAA are high on the radar, the real challenge these days is keeping up with the tech-savvy customer and end user


NASHVILLE, Tennessee — EMSA Oklahoma CIO Frank Gresh discussed the lot of the modern IT chief with his presentation on the 10 things that keep EMS IT folk up at night at the American Ambulance Association Annual Conference & Trade Show. Gresh highlighted how EMS IT departments are coping with the challenges of serving one of the most tech-savvy generations while meeting the needs of information security and breach prevention.

Top quotes on EMS information security

Here are some poignant quotes from Gresh’s presentation:

“If we just unplugged everything from the wall it would be the perfect situation, but unfortunately, business must go on and therefore we must protect our systems.”

“We are one shadow IT application away from the HIPAA police or worse.”

“We are but one click away from a really bad day!”

“Time and energy spent not only on systems but also people will help keep the system safe.”

Top takeaways on data security

Here are Gresh’s top 10 considerations for EMS IT personnel:

1. The Internet of Things (IoT)

Many pieces of technology now have the potential to be connected to an agency’s network. These can range from watches and phones, to smart TVs and even toasters! The more you have connected, the more you risk security breaches and HIPAA violations. Any connected device has the potential to be exploited by a bad actor, so knowing what is connected and who is connecting them is a key priority for EMS IT chiefs.

2. It is all mission-critical

Failure and disruption to a departmental IT system could cause an entire operation or business to grind to a halt. IT and C-suite leaders must identify mission-critical operations within their organization. Email going down for an hour may be an inconvenience, and outages in billing and administrative systems may slow the tempo of daily business, but the loss of the CAD may be a life-and-death situation. Plans to deal with each level of outage should be considered.

3. Keeping up with technology

Gresh pointed out that we have more processing power in our pocket today than was used to propel the Apollo program into space and land men on the moon. As a result, our ability to keep up with technology directly relates to the expectations of our employees, our customers and our patients. So, we too must follow the times and understand technology trends.

4. Having to choose

As technology develops, there is a product to solve every problem we didn’t even know we had. Unless a department has a limitless checkbook, understanding the specific problems and issues facing your department and then clearly identifying the appropriate solution is key to fixing your issues without blowing the budget.

5. The cloud

Placing data in the cloud is no longer a question of “if,” but “when,” says Gresh. The safety and security of your data very much depend on how much you are willing to invest to store and secure it. IT directors considering a move to the cloud should evaluate platforms based on availability, security, performance, integration, data ownership and compliance.

6. ‘X’ ware

The “X” in this case could be any deliberately disruptive attack on systems, such as malware, ransomware, spyware, adware or scareware. Each seeks to extort, disrupt, illegally acquire or delete an organization’s data. There are many news reports of public safety agencies that have been hit by ransomware.

7. Orange jumpsuits

IT directors do not want to be seen in prison overalls. Data breaches and loss of HIPAA-related material could result in prosecution, and occasionally, conviction and incarceration. Gresh noted that as of June 30, 2018, a total of 688 cases of data breaches where criminal intent was suspected had been sent to the Department of Justice for prosecution.

8. Shadow IT

Gresh introduced the term “shadow IT,” which is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software and hardware. By way of example, an extra router purchased at any tech store and innocently brought in to boost a signal could enable a security breach if logged into the data network. To combat the shadow IT problem and significantly reduce risk, IT directors need to understand the needs of a very tech-savvy workforce and be prepared to accommodate equipment that may come into contact with (or even close to) a department’s servers, security and data.

Examples of shadow IT devices are:

  • Wireless thermostats
  • Wireless thumb drives
  • Surveillance cameras
  • Smart TVs
  • Voice assistants
  • Medical devices
  • Drones

With the advent of 5G, there is an emerging scam in which sites are set up to “spoof” a regular cell tower, attracting users to connect to them and seeking their data.

9. What’s going on with IT

Understanding what is going on within the IT system is an absolute necessity. Gresh recommends agencies have a reliable monitoring system with intrusion detection that identifies new patterns of traffic (is traffic going to or coming from odd, weird or suspect locations?). Departments should also consider systems that can interpret what is happening with email (particularly AI-based systems that can ensure that data requiring encryption is captured before it departs the home server) and that identify where cloud-based files are being accessed from and which IP addresses are accessing them.
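The check described above, identifying which IP addresses are accessing cloud-based files and whether they come from an unfamiliar location, can be expressed as a per-user baseline comparison. The following is an added example, not code from Gresh's presentation or from any product; the log format, user names, file paths and documentation-range IP addresses are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample access logs (assumed format): timestamp user source_ip path
BASELINE_LOG = """\
2019-11-01T08:02:11Z jdoe 203.0.113.14 /billing/claims-oct.xlsx
2019-11-02T13:44:02Z asmith 198.51.100.9 /qa/run-reports.pdf
2019-11-03T07:30:55Z asmith 2001:db8:12:1::5 /qa/run-reports.pdf
"""
NEW_LOG = """\
2019-11-08T08:05:00Z jdoe 203.0.113.200 /billing/claims-nov.xlsx
2019-11-08T02:13:37Z jdoe 192.0.2.44 /billing/claims-oct.xlsx
2019-11-08T10:00:00Z asmith 2001:db8:12:1::99 /qa/run-reports.pdf
2019-11-08T10:05:00Z newhire 198.51.100.9 /qa/run-reports.pdf
this line is malformed
"""

def network_of(ip_text):
    # Collapse an address to its /24 (IPv4) or /64 (IPv6) network so that
    # ordinary address churn inside one site does not raise an alert.
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def parse(log_text):
    # Yield (timestamp, user, network, path); skip lines that do not parse.
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip_text, path = parts
        try:
            yield ts, user, network_of(ip_text), path
        except ValueError:  # third field is not an IP address
            continue

def build_baseline(log_text):
    # Map each user to the set of networks they have been seen on.
    seen = defaultdict(set)
    for _, user, net, _ in parse(log_text):
        seen[user].add(net)
    return seen

def flag_new_sources(baseline, log_text):
    # Report accesses from a network the user has never used before.
    alerts = []
    for ts, user, net, path in parse(log_text):
        if user not in baseline:
            alerts.append((ts, user, str(net), path, "user has no baseline"))
        elif net not in baseline[user]:
            alerts.append((ts, user, str(net), path, "new source network"))
    return alerts
```

Calling `flag_new_sources(build_baseline(BASELINE_LOG), NEW_LOG)` returns the accesses an analyst should review; the /24 and /64 grouping is a tuning assumption, not a standard.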

10. It just takes one

The last and most sobering takeaway is that departments are but one click away from a really bad day. Gresh notes too much security is also a problem – we still must be able to get the job done! But everything must be watched, monitored and scrutinized 24/7/365 to avoid meltdown, mission failure, ransom or prosecution.

Gresh concluded by identifying that the first and easiest step is to train the team to be IT security savvy. Time and energy spent not only on systems, but also on training people, will help keep your EMS data safe.


Rob Lawrence has been a leader in civilian and military EMS for over a quarter of a century. He is currently the director of strategic implementation for PRO EMS and its educational arm, Prodigy EMS, in Cambridge, Massachusetts, and part-time executive director of the California Ambulance Association.

He previously served as the chief operating officer of the Richmond Ambulance Authority (Virginia), which won both state and national EMS Agency of the Year awards during his 10-year tenure. Additionally, he served as COO for Paramedics Plus in Alameda County, California.

Prior to emigrating to the U.S. in 2008, Rob served as the COO for the East of England Ambulance Service in Suffolk County, England, and as the executive director of operations and service development for the East Anglian Ambulance NHS Trust. Rob is a former Army officer and graduate of the UK’s Royal Military Academy Sandhurst and served worldwide in a 20-year military career encompassing many prehospital and evacuation leadership roles.

Rob is a board member of the Academy of International Mobile Healthcare Integration (AIMHI) as well as chair of the American Ambulance Association’s State Association Forum. He writes and podcasts for EMS1 and is a member of the EMS1 Editorial Advisory Board. Connect with him on Twitter.