When you think of security at your fire or EMS stations, your thoughts usually encompass door locks, alarm and video systems, secured drugs or petty cash storage. But emergency service organizations also handle and store something with sometimes far greater value than material goods – information. The theft of personally identifiable information has become as prevalent as theft of property. Identity theft costs all of us millions of dollars each year and the holders of such information have a duty to prevent the misuse and loss of it.
Personnel files contain valuable information about members, whether they are paid or volunteer. This includes names, addresses, dates of birth, license numbers, Social Security numbers and many other personal items that are enough to fraudulently obtain credit cards or order goods online in another person’s name. This information may also be used to develop false identification. Identity theft can cause problems for its victims for years to come, including ruined credit or false accusations of wrongdoing. Dispatch centers may have information such as the location of people with disabilities who may easily become victims of a variety of crimes, medical information that is highly classified or the location of keys or lock combination numbers for quick entry into buildings. In the wrong hands, this information can be quite dangerous.
Protecting patient files
One of the most sensitive areas is EMS patient records. The Health Insurance Portability and Accountability Act (HIPAA) and other privacy laws have made us look at these documents differently. Just think of the ramifications if hundreds or even thousands of these records fall into the wrong hands.
Aside from the obvious consequences of identity theft, there are other factors to be aware of. Your organization would likely be sued by the people whose information has been compromised, and while you may think you have adequate insurance to protect yourself and your organization, that may not be the case. Typical general liability policies do not include coverage or may not provide adequate coverage for what has been dubbed “cyber liability.” In addition, federal, state and local statutes may require you to notify everyone involved, which could include hiring a “call center” to respond to questions. You may also be required to provide credit monitoring to all affected by the breach. There may be advertising and postage expenses, and without specialized insurance coverage, these would all be at the expense of your organization. Additionally, as the agency collecting the information, you may be responsible for leaks from agencies with which you may have legally shared it, such as a hospital. Contact your insurance provider and review your current coverage.
A new look around the station may be in order. Personnel files, patient care reports (PCRs) and other documents with personally identifiable information should be locked and key distribution closely guarded. They should not be stored in a place with other files or information. Only people who need this specific information should have access to it.
If personally identifiable information is stored electronically, the computer system should be set up so that only people with passwords have access to it. During periods of inactivity, computers should automatically lock so that a password is necessary to regain access. This will prevent anyone from accessing the information should an authorized person leave for an incident response or other reason without quitting the program first.
Members or employees with access to personally identifiable information should be instructed not to use easily guessed passwords such as their names, the names of spouses, children or pets, favorite sports teams or badge numbers. Assigning passwords also seems to do little since many users write them on notes stuck to computer monitors. Furthermore, it should not be permissible to have computers “remember” passwords.
Electronic backup files should be safely stowed and laptop computers securely stored to prevent theft of the entire system. In the wrong hands, the information on a laptop may be more valuable than the unit itself. Flash drives and external hard drives should be protected as if they were cash because if stolen the results could be just as devastating. Another option is to encrypt hard drives, flash drives and laptops.
Computers with sensitive information should be dedicated for that purpose and if possible not connected to the Internet. If an Internet connection is required, use superior forms of encryption such as WPA or WPA2 for wireless devices and maintain anti-virus software in all systems.
A device we rarely consider is the copy machine. Many copy machines have hard drives that maintain copies of every image produced. Theft of this equipment could produce information of greater value than the machine itself.
A government worker recently was arrested and charged with pilfering identifying information about thousands of people and using it to steal at least $100,000 through fraudulent credit cards and computer purchases. She was a clerk-typist and simply obtained the information from documents that crossed her desk. This information was then allegedly sold to an identity-theft ring. Bogus credit card accounts were set up and maxed out before bills were sent. It was just that easy.
Federal laws further enhance the importance of the privacy of medical records, including EMS reports. This information is quite sensitive and such reports should not be left around for others to view, but should be dropped into a secured cabinet that can be accessed only by individuals with a need to do so. Not only would release of this type of sensitive information to the public expose your organization to litigation and embarrassment, but it would be a major disservice to the people you have helped.
Proper disposal of records
Finally, be careful what you do with trash. Many of the documents required to be kept by an emergency service organization must be stored for set periods, but when they are ready for disposal, be certain that they are shredded or burned. Information on the computer is just as sensitive. Did you know that deleting a file never truly deletes it? The file is only marked as deleted and remains on the hard drive until the space is re-used. When disposing of computer hardware, remove the hard drive and use a device that meets government standards to do a drive wipe or physically destroy it. The same is true for software and backup drives.
Do the best you can to protect the security of your employees, members and the public who put their trust in you every day. Take all precautions possible and be certain your organization is properly insured in case the worst happens. Whether your department is in a big city or a rural area, security has become a whole new ballgame.
Bill Tricarico, CSC
Senior Risk Management Consultant
Insurance Program (ESIP)
The writer served for more than 25 years with the North Bellmore, NY, Fire Department, holding positions including chief, commissioner and safety officer, and was fire commissioner for the City of Cortland, NY. Also, for 40 years, he has been a risk-management consultant to the emergency services. He is certified as a Workplace Safety and Loss Prevention Consultant and Certified Safety Consultant (CSC) and serves on two NFPA Technical Committees.