When you think of security at your fire or EMS stations, your thoughts usually encompass door locks, alarm and video systems, secured drugs or petty cash storage. But emergency service organizations also handle and store something with sometimes far greater value than material goods – information. The theft of personally identifiable information has become as prevalent as theft of property. Identity theft costs all of us millions of dollars each year and the holders of such information have a duty to prevent the misuse and loss of it.
Personnel files contain valuable information about members, whether they are paid or volunteer. This includes names, addresses, dates of birth, license numbers, Social Security numbers and many other personal items that are enough to fraudulently obtain credit cards or order goods online in another person’s name. This information may also be used to develop false identification. Identity theft can cause problems for its victims for years to come, including ruined credit or false accusations of wrongdoing. Dispatch centers may have information such as the location of people with disabilities who may easily become victims of a variety of crimes, medical information that is highly classified or the location of keys or lock combination numbers for quick entry into buildings. In the wrong hands, this information can be quite dangerous.
Protecting patient files
One of the most sensitive areas is EMS patient records. The Health Insurance Portability and Accountability Act (HIPAA) and other privacy laws have made us look at these documents differently. Just think of the ramifications if hundreds or even thousands of these records fall into the wrong hands.
Aside from the obvious consequences of identity theft, there are other factors to be aware of. Your organization would likely be sued by the people whose information has been compromised, and while you may think you have adequate insurance to protect yourself and your organization, that may not be the case. Typical general liability policies do not include coverage or may not provide adequate coverage for what has been dubbed “cyber liability.” In addition, federal, state and local statutes may require you to notify everyone involved, which could include hiring a “call center” to respond to questions. You may also be required to provide credit monitoring to all affected by the breach. There may be advertising and postage expenses, and without specialized insurance coverage, these would all be at the expense of your organization. Additionally, as the agency collecting the information, you may be responsible for leaks from agencies that you may have legally shared it with, such as a hospital. Contact your insurance provider and review your current coverage.
A new look around the station may be in order. Personnel files, patient care reports (PCRs) and other documents with personally identifiable information should be locked and key distribution closely guarded. They should not be stored in a place with other files or information. Only people who need this specific information should have access to it.
If personally identifiable information is stored electronically, the computer system should be set up so that only people with passwords have access to it. During periods of inactivity, computers should automatically lock so a password will be necessary to regain access. This will prevent anyone from accessing the information should an authorized person leave for an incident response or other reason without quitting the program first.
Members or employees with access to personally identifiable information should be instructed not to use easily guessed passwords such as their names, the names of spouses, children or pets, favorite sports teams or badge numbers. Assigning passwords also seems to do little since many users write them on notes stuck to computer monitors. Furthermore, it should not be permissible to have computers “remember” passwords.