2019 AAA Annual Conference & Trade Show Quick Take: What keeps EMS CIOs up at night
While cybersecurity and HIPAA are high on the radar, the real challenge these days is keeping up with the tech-savvy customer and end user
NASHVILLE, Tennessee — EMSA Oklahoma CIO Frank Gresh discussed the lot of the modern IT chief with his presentation on the 10 things that keep EMS IT folk up at night at the American Ambulance Association Annual Conference & Trade Show. Gresh highlighted how EMS IT departments are coping with the challenges of serving one of the most tech-savvy generations while meeting the needs of information security and breach prevention.
Top quotes on EMS information security
Here are some poignant quotes from Gresh’s presentation:
“If we just unplugged everything from the wall it would be the perfect situation, but unfortunately, business must go on and therefore we must protect our systems.”
“We are one shadow IT application away from the HIPAA police or worse.”
“We are but one click away from a really bad day!”
“Time and energy spent not only on systems but also people will help keep the system safe.”
Top takeaways on data security
Here are Gresh’s top 10 considerations for EMS IT personnel:
1. The Internet of Things (IoT)
Many pieces of technology now have the potential to be connected to an agency's network. These can range from watches and phones, to smart TVs and even toasters! The more you have connected, the more you risk security breaches and HIPAA violations. Any connected device has the potential to be exploited by a bad actor, so knowing what is connected and who is connecting them is a key priority for EMS IT chiefs.
2. It is all mission-critical
Failure and disruption to a departmental IT system could cause an entire operation or business to grind to a halt. IT and C-suite leaders must identify mission-critical operations within their organization. Email going down for an hour may be an inconvenience, and outages in billing and administrative systems may slow the tempo of daily business, but the loss of the CAD may be a life-and-death situation. Plans to deal with each level of outage should be considered.
3. Keeping up with technology
Gresh pointed out that we have more processing power in our pocket today than was used to propel the Apollo program into space and land men on the moon. As a result, our ability to keep up with technology directly relates to the expectations of our employees, our customers and our patients. So, we too must follow the times and understand technology trends.
4. Having to choose
As technology develops, there is a product to solve every problem we didn't even know we had. Unless a department has a limitless checkbook, understanding the specific problems and issues facing your department and then clearly identifying the appropriate solution is key to fixing your issues without blowing the budget.
5. The cloud
Placing data in the cloud is no longer a question of “if,” but “when,” says Gresh. The safety and security of your data very much depend on how much you are willing to invest to store and secure it. IT directors considering a move to the cloud should evaluate platforms based on availability, security, performance, integration, data ownership and compliance.
6. ‘X’ ware
The “X” in this case could be any deliberately disruptive attack on systems, such as malware, ransomware, spyware, adware or scareware. Each seeks to extort, disrupt, illegally acquire or delete an organization's data. There are many news reports of public safety agencies that have been hit by ransomware.
7. Orange jumpsuits
IT directors do not want to be seen in prison overalls. Data breaches and loss of HIPAA-related material could result in prosecution, and occasionally, conviction and incarceration. Gresh noted that as of June 30, 2018, a total of 688 cases of data breaches where criminal intent was suspected had been sent to the Department of Justice for prosecution.
8. Shadow IT
Gresh introduced the term “shadow IT,” which is the use of IT-related hardware or software by a department or individual without the knowledge of the IT or security group within the organization. It can encompass cloud services, software and hardware. By way of example, an extra router purchased at any tech store and innocently brought in to boost a signal could enable a security breach if logged into the data network. To combat the shadow IT problem and significantly reduce risk, IT directors need to understand the needs of a very tech-savvy workforce and be prepared to accommodate equipment that may come into contact with (or even close to) a department’s servers, security and data.
Examples of shadow IT devices are:
- Wireless thermostats
- Wireless thumb drives
- Surveillance cameras
- Smart TVs
- Voice assistants
- Medical devices
With the advent of 5G, there is an emerging scam in which sites are created that “spoof” a regular cell tower, attracting users to link to them so that their data can be sought.
9. What’s going on with IT
Understanding what is going on within the IT system is an absolute necessity. Gresh recommends agencies have a reliable monitoring system with intrusion detection that identifies new patterns of traffic (is traffic going to or coming from odd, weird or suspect locations?). Departments should also consider systems that can interpret what is happening with email (particularly AI-based systems that can ensure that data requiring encryption is captured before it departs the home server) and that can identify where cloud-based files are being accessed from and which IP addresses are accessing them.
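One way to implement the cloud-file check described above, as an added example that is not from Gresh's presentation: it learns which source networks each user normally accesses files from and flags accesses from anywhere else. The log format, user names and file paths are assumptions, and all records are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed records: (timestamp, user, source IP, file accessed).
# The addresses come from the RFC 5737 documentation ranges.
BASELINE = [
    ("2019-11-01T08:02:11", "medic01", "198.51.100.14", "/pcr/run-1001.pdf"),
    ("2019-11-02T19:40:03", "medic01", "198.51.100.77", "/pcr/run-1002.pdf"),
    ("2019-11-02T09:15:47", "billing02", "198.51.100.20", "/claims/batch-7.csv"),
]
TODAY = [
    ("2019-11-05T08:11:30", "medic01", "198.51.100.90", "/pcr/run-1003.pdf"),
    ("2019-11-05T03:27:09", "medic01", "203.0.113.5", "/pcr/run-1001.pdf"),
    ("2019-11-05T10:02:55", "temp09", "198.51.100.33", "/claims/batch-7.csv"),
    ("2019-11-05T11:45:00", "billing02", "not-an-ip", "/claims/batch-8.csv"),
]

def source_network(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) network."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def build_baseline(records):
    """Map each user to the set of source networks seen during the baseline."""
    seen = defaultdict(set)
    for _ts, user, ip, _path in records:
        seen[user].add(source_network(ip))
    return seen

def find_new_sources(baseline, records):
    """Return an alert for every access that does not match the baseline."""
    alerts = []
    for ts, user, ip, path in records:
        try:
            net = source_network(ip)
        except ValueError:
            alerts.append((ts, user, ip, path, "unparseable source address"))
            continue
        if user not in baseline:
            reason = "user has no baseline"
        elif net not in baseline[user]:
            reason = f"new source network {net}"
        else:
            continue  # known user from a known network
        alerts.append((ts, user, ip, path, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_new_sources(build_baseline(BASELINE), TODAY):
        print(*alert, sep="  ")
```

Grouping by /24 keeps ordinary address changes inside one site from raising alerts; the prefix length is a tuning choice for the agency's own network layout.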
10. It just takes one
The last and most sobering takeaway is that departments are but one click away from a really bad day. Gresh notes too much security is also a problem; we still must be able to get the job done! But everything must be watched, monitored and scrutinized 24/7/365 to avoid meltdown, mission failure, ransom or prosecution.
Gresh concluded by identifying that the first and easiest step is to train the team to be IT security savvy. Time and energy spent not only on systems, but also on training people, will help keep your EMS data safe.