Iron Rod Security

The Offboarding Gap That Leaves ePCR Access Open for Days

Steven Carlson

A medic gets terminated on a Tuesday afternoon after a heated meeting with the chief. HR collects the badge and the laptop. IT disables the Active Directory account within the hour. Everyone calls it done.

But that medic still has ImageTrend open on a personal phone. The session token did not expire when the AD account went dark. The admin console for the ePCR platform won't get checked until Thursday because the clinical IT person is out sick. And that is a HIPAA violation waiting to be discovered at an OCR audit or after a data export.

This is the offboarding gap that nobody in public safety wants to talk about. The one where a departing employee with a grudge still has live clinical cloud access for hours or days because the access-revocation process was built around email alone.

The Problem with Disabling Email and Calling It Good

Each ePCR platform runs its own user directory. They do not poll Active Directory every five minutes. Some of them do not sync with AD at all. The agency that disabled the medic's email account has not actually killed anything on the clinical side.

Mobile apps make this worse. A medic who used a personal tablet or phone for ePCR entry still has that app logged in. The session lives on the device and the agency has no MDM control over a personal phone. Killing it requires an admin to log into the vendor portal and manually terminate that session. That takes somebody remembering to do it and knowing which portal to use, all in the same window as the termination.

HIPAA Security Rule 45 CFR 164.308(a)(3)(ii)(C) requires procedures for terminating access to electronic protected health information when employment ends. A two-day gap between termination and clinical access revocation is a direct violation of that standard.

> 45 CFR 164.308(a)(3)(ii)(C) -- Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.

How to Offboard EMS Employees From ePCR the Right Way

Same-day access revocation is achievable. It requires a checklist that covers the clinical layer, not just the identity layer. Here is the execution sequence.

Step 1: Kill the identity layer. Disable the AD or Azure AD account and revoke all active OAuth tokens. If you use SSO, this step cuts access to anything integrated with the identity provider. That is a good start but not enough on its own.

Step 2: Kill the clinical layer manually. Log into the admin console for each ePCR platform the medic used. Two major platforms dominate the field, and each has a user management panel. Disable the account there and find the force-sign-out or terminate-sessions option, because some platforms keep the user logged in even after account disablement until someone triggers an explicit session kill.

Step 3: Recover hardware. If the agency issued a tablet or laptop, recover it immediately on a bad-terms departure. Dispatch someone to pick it up.

Step 4: Handle BYOD devices. If the medic used a personal phone for ePCR entry, there is no remote-wipe option on an unmanaged device. But you can verify that the vendor session termination killed the app-level login by checking the portal audit logs for confirmation that the session dropped.

Step 5: Hit the integration layer. Billing portals and CAD read-only access often use separate credentials or shared vaults. Update any shared password vaults the departing user could reach.

Step 6: Verify. Try logging in with the disabled credentials. If the login succeeds, the wall is not up. Then audit the last 24 hours of logs for that user to look for unusual data queries or downloads that happened before termination.

ImageTrend User Access Revocation Checklist

For agencies running ImageTrend, the manual steps are straightforward but easy to skip.

1. Log into the ImageTrend administrative console.

2. Open User Management and locate the departing medic.

3. Set the account status to Inactive. Do not just remove group assignments. Inactive means the account cannot authenticate.

4. Use the Force Logout option if available to kill active web and mobile sessions.

5. Check the audit log for recent activity. Look for report exports or PDF downloads that suggest data staging.

6. Document the revocation timestamp and who performed it.
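As an added example (not the author's code and not any vendor's tooling), here are the checks from Step 6 and checklist item 5 run over a constructed audit log. It assumes a hypothetical pipe-delimited log layout and the constructed termination and revocation timestamps below, and flags three things: activity after termination, activity after the portal revocation (the session kill failed), and exports or PDF downloads in the 24 hours before termination.

```python
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical "timestamp|user|event|detail" layout.
# It is NOT the real export format of ImageTrend, ESO or any other vendor.
SAMPLE_LOG = """\
2024-03-12T09:14:02|jdoe|login|web
2024-03-12T10:40:11|jdoe|report_export|csv 412 records
2024-03-12T13:05:47|jdoe|pdf_download|incident 55821
2024-03-12T14:30:00|jdoe|login|mobile
2024-03-12T15:02:19|jdoe|record_view|incident 55830
2024-03-12T16:10:00|admin1|user_inactivated|jdoe
2024-03-13T08:11:45|jdoe|record_view|incident 55812
2024-03-13T08:12:02|jdoe|pdf_download|incident 55812
"""

TERMINATED_AT = datetime(2024, 3, 12, 14, 0)  # constructed: HR terminates Tuesday afternoon
REVOKED_AT = datetime(2024, 3, 12, 16, 10)    # constructed: account set Inactive in the portal
STAGING_EVENTS = {"report_export", "pdf_download"}  # exports that suggest data staging

def parse_log(text):
    """Parse the pipe-delimited sample layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "detail": detail})
    return events

def offboarding_report(text, user, terminated_at, revoked_at, window=timedelta(hours=24)):
    """post_termination: activity after HR let the medic go (access outlived the badge);
    post_revocation: activity after the portal revocation (the session kill failed);
    staging: exports/downloads in the window before termination."""
    mine = [e for e in parse_log(text) if e["user"] == user]
    start = terminated_at - window
    return {
        "post_termination": [e for e in mine if e["ts"] > terminated_at],
        "post_revocation": [e for e in mine if e["ts"] > revoked_at],
        "staging": [e for e in mine if e["event"] in STAGING_EVENTS
                    and start <= e["ts"] <= terminated_at],
    }

if __name__ == "__main__":
    report = offboarding_report(SAMPLE_LOG, "jdoe", TERMINATED_AT, REVOKED_AT)
    for name, hits in report.items():
        print(name, [(e["ts"].isoformat(), e["event"]) for e in hits])
```

Any entry under post_revocation is the "wall is not up" signal from Step 6; the staging list is what to hand to the person documenting the revocation.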

Stopping Insider Threats in Public Safety Cloud Access

A fired employee with ImageTrend access can export patient records or modify clinical data to cover mistakes. That is a clinical disaster and a legal disaster. The agency faces an OCR investigation, patient notification requirements, and fines that start in the five figures. The cost of not preventing this is measured in breach notifications plus legal fees plus lost community trust.

This is not a sophisticated attack. It is a basic access-control failure that is entirely preventable.

There is a connection here to an earlier post on BEC Against EMS Billing. Both scenarios involve an attacker operating inside the agency's trust boundary. The offboarding gap is an easier entry point because the access was granted deliberately and simply never revoked.

Frequently Asked Questions

Does disabling a user's email account automatically revoke their ePCR access?

No. ESO and ImageTrend each maintain their own user databases. Disabling email or Active Directory does not terminate a live session on the clinical platform. You must log into each vendor's admin console and disable the account there.

What is the biggest risk when a medic leaves on bad terms?

Unauthorized access to patient health information. A disgruntled former employee can export records or leak sensitive information. That is a HIPAA breach with mandatory notification requirements and potential OCR fines.

How can an agency kill access on the same day?

Implement a hard-coded offboarding checklist that requires manual verification of each clinical cloud portal. Do not rely on the identity provider alone. Move toward SSO so that one account disablement cuts access across all integrated platforms, but maintain the manual checklist for platforms that are not SSO-connected.

What platforms need manual revocation besides ePCR?

Billing portals and CAD read-only systems are the most common gaps. QA tools and training platforms can also use separate credential sets. Each one needs individual checking.

What should an agency do if it finds access was not revoked after termination?

Disable the account immediately and audit the user's activity logs for the gap period. Determine whether any data was accessed or exported. If unauthorized access occurred, follow your incident response plan and consult legal counsel about HIPAA breach notification requirements.

---

The offboarding gap is not a complex problem. It is a discipline problem. The agencies that close it treat clinical cloud access as a critical revocation path, not an afterthought. Build the checklist, execute it same-day, and verify it worked. That is the standard.

-- Steven

