IRON RODSecurity

EMS Cybersecurity Insights & Resources

Public-Safety Cyber Mutual Aid: The Idea Whose Time Has Come

How neighboring agencies can share incident response capacity the same way they share apparatus, with the legal and BAA structure that makes it work.

Cyber mutual aidCad securityIncident responseBAAPublic safety cybersecurity

The Year-One Cybersecurity Plan for a New EMS Director

A 12-month roadmap for an EMS director inheriting an unknown security posture: what to assess, fix, budget for, and leave alone.

Access controlCad securityIncident responseEms directorCybersecurity roadmap

The Vendor Subprocessor Problem: When Your ePCR Vendor's Vendor Has Your PHI

Your ePCR vendor's BAA doesn't cover their subprocessors. Here is what to demand in your next contract.

Hipaa breach notificationEms data securityBaa requirementsSubprocessor riskEpcr security

Charging Stations and Lockboxes for Issued Phones and Tablets: Physical Security That Carries HIPAA Weight

A tablet with an open ePCR session in an unsecured charging bay is a HIPAA exposure waiting to happen. Here is the hardware and policy fix.

Mobile device securityCharging stationsHipaa security ruleEpcr securityPhysical safeguards

Apparatus Bay Wi-Fi Is Not Station Wi-Fi: A Network Segmentation Story

Why the network the trucks join when they park needs to be different from the office network the chief uses.

Fire stationAccess control listsEpcr securityEMSVlan

NEMSIS Data Submission and PHI Exposure — What Your Vendor Sends and Why You Should Verify It

Your ePCR vendor transmits full PHI through the NEMSIS V3 pipeline. The narrative field is an unguarded re-identification risk most agencies never audit. Here is how to validate the payload.

Vendor risk managementRe identification riskEms dataEpcr securityHipaa compliance
EMS Cybersecurity Blog and Resources | Iron Rod Security