Cyber security and what you need to know
Guest author Frank W. Nagorka, JD, EMT-P
It is simply impossible to go more than a day and not see a news article talking about a data security breach. It is absolutely vital in Emergency Medical Services that we safeguard data and harden the tools that we use every day to communicate and run our operations. The purpose of this brief article is to provide you a glimpse of the issues involved and make some concrete suggestions to help you do your job even better.
High efficiency organizations are by their very nature data driven. Data makes our organizations both strong and weak. It makes them strong because with data and an understanding of that data efficiency ensues and resources are used well. Data, or rather the lack of it, can weaken your organization if access to that data is either impaired or destroyed. For example, ransomware can stop your business in its tracks. Ransomware can be defined as software surreptitiously installed on your business that locks down your data and requires you to pay a ransom to have your data unlocked and made available to you. If you don’t have backup, that will allow you to restore your data to its uninfected state, you may literally be put out of business. There is no good evidence that even if you pay the ransom that your data will become unlocked. Thus, it is imperative that you have a comprehensive and from the ground up cybersecurity policy.
Malware can take a variety of forms and the ransomware phenomenon is but one of them. For example, all of us have heard of computer viruses and no doubt we all have taken steps to make certain that our systems are not infected. However, just because you have an antivirus program does not mean that you have met the standard of care for keeping your system safe.
Perhaps the best way to make certain that you have taken all the necessary steps to protect your computers and assorted peripherals from cyber-attack is to perform a security audit. Do not think that your IT staff can handle this security audit on its own. You should consider retaining an outside consultant to perform a thorough security audit and carefully consider the recommendations contained within the audit. At a very minimum, you will have a plausible legal defense should your computer systems become compromised.
Some EMS providers only look to their computer systems when they consider cybersecurity. However, the IoT (Internet of Things) is becoming a consideration for those in the know. For example, ambulances have GPS units and automated features on ambulances and radios. So as is evident, emergency services have to be continuously vigilant to protect their assets, their employees, and their patients. There have been reports that certain vehicular systems (telematics) have been compromised. You certainly do not want to be the poster child for the failure to harden and safeguard your assets. In reality anything that is connected to a network can be compromised, so it only sensible to review your assets to determine what is vulnerable. A great question to ask at this point is what is your touch point for reliability? When people seek out emergency services, they expect it to be timely and reliable.
The best practices path would be to outsource a review of any system that has a connection to the internet. You should listen closely and perform a risk benefit analysis and move forward. The default position is generally to do nothing but that is not you, is it?