Emergency Medical Services (EMS) depend on fast, secure access to real-time patient data, whether they’re in a busy city or a rural area, miles from the nearest hospital as an integral part of the continuum of patient care. As EMS agencies are increasingly adopting enterprise-grade laptops and tablets to leverage digitized workflows, telehealth, and interoperable records, they need to take the right steps toward safeguarding data.
The risks related to data breaches are too significant to ignore. In 2024 alone, the U.S. experienced 14 data breaches involving more than 1 million healthcare records. Those 14 data breaches compromised roughly 70% of the U.S. population’s healthcare data.
Developing a comprehensive security strategy is no small feat. Thankfully, the latest standards from the National Institute of Standards and Technology (NIST), the Health Insurance Portability and Accountability Act (HIPAA), and the Criminal Justice Information Services (CJIS) provide helpful frameworks for designing a robust security strategy. Let’s dive into the latest guidelines and best practices for implementing.
Security from the Ground Up: Prioritize Multi-factor Authentication & Firmware Security
As EMS relies more on mobile documentation for apparatus pre-checks and PHI patient care reporting, devices must offer security by design. This means integrating hardware-based protections, secure OS-level features, and software that enables centralized device management and monitoring. Deploying enterprise-grade devices at the onset is a solid place to start.
Any organization that deals with sensitive data such as National Emergency Medical Services Information System (NEMSIS) should use multi-factor authentication (MFA). The U.S General Services Administration mandated that federal agencies adopt MFA and encryption across devices back in 2021. EMS departments should be no different. MFA ensures protection by requiring users to verify their identity through two or more methods, typically something they know (like a password), something they have (like a smart card or code sent to a separate mobile device), or something they are (like a fingerprint or facial recognition).
For EMS, MFA can help ensure that only authorized personnel access electronic patient care records in the field. This way, even if an EMT leaves their device on the ground in a crowded area in order to help a patient, they can rest assured that if anyone does get ahold of the device, they won’t be able to access any sensitive information.
Meanwhile, the latest updates from CJIS provide firmware security standards. Device firmware is critical as it provides the foundation for operation and running software. Its importance has made it a popular target for hackers. Firmware-level threats that sit below the operating system can silently compromise system integrity and patient data.
Whether attacks take the form of malware, infected hard drives, or insecure firmware solutions, firmware security is imperative for EMS to embed into their systems. CJIS Security Policy v6.0 calls for continuous firmware monitoring and controls for scanning firmware vulnerabilities so organizations can safeguard confidential criminal justice information or other sensitive data, like healthcare records.
Implementing Security Controls
Building out a comprehensive security strategy should be top of mind when EMS departments deploy enterprise-grade devices. Here are some best practices to consider:
Adopt MFA at the device and OS levels
From a device access perspective, EMS departments need to implement at least two entry points. This could take the form of a PIN combined with a fingerprint read or a smartcard swipe. Today’s rugged modular devices make it easier for EMS departments to tailor MFA parameters to operational needs. Agencies have the option to equip devices with smart card readers or fingerprint scanners based on preference. Meanwhile, modularity allows them to easily swap out hardware components over time without needing to replace the entire device. For example, you might start with smart card access and transition to fingerprint-based authentication down the road. With a modular device, you avoid having to purchase new laptops or tablets as security requirements change.
On the software side, Windows Hello for Business supports MFA at the OS level, enabling biometric or PIN-based authentication that aligns with NIST 800-53 standards. These capabilities not only improve login security but also help reduce the risk of unauthorized access when EMTs are reviewing or transmitting patient health data in the field.
Implement a firmware security strategy
Conduct a thorough assessment of current firmware security status and partner with a tech provider who offers a firmware supply chain monitoring solution. These solutions, such as Smart Compliance, are designed to detect, respond, and prevent firmware-level threats quickly and effectively. They can be configured to align with frameworks like NIST 800-53 and CJIS Security Policy, ensuring agencies meet regulatory requirements while reinforcing device integrity.
A comprehensive firmware security strategy typically involves three key phases: inventory, hardening, and detection/response. First, teams must ensure full visibility into their infrastructure so no vulnerabilities are overlooked. Next, in the hardening phase, IT teams can proactively secure devices through integrity monitoring, policy enforcement, and automated firmware updates. Finally, during the detection and response phase, real-time alerts allow agencies to quickly identify potential implants or tampering, ensuring devices are safe to use before returning them to service. For example, if an ambulance falls victim to a break-in, IT teams can use their security solution to confirm that onboard laptops and tablets have not been compromised, helping them maintain operational readiness without unnecessary delays or device replacements.
Promote consistent compliance through continued education
Leading training and awareness sessions by third-party vendors, Panasonic Connect, or your PCR program IT for EMTs involved in operating mobile devices and accessing patient data will help ensure consistent alignment with evolving security standards.
A Path Forward
As EMS agencies continue to embrace enterprise-grade devices to improve patient care, security workflows must also remain a priority. Whether you're looking to streamline reporting, expand telemedicine capabilities, or enhance collaboration with teams in rural areas, building trust in technology should be a priority.
Prioritizing requirements such as MFA and firmware security is essential to safeguarding patient information and delivering optimal, high-quality care.
Learn more about Panasonic Connect’s solutions and support services designed to help EMS departments deploy the latest tech securely and efficiently.
