ZOLL Pulse Blog: EMS, Fire & Healthcare Insights | ZOLL Data Systems

Are You Secure? Cyberattacks and Security Issues for EMS in 2021

Written by Ryan Stark, Esq., Managing Partner, PWW | Jan 11, 2022 5:15:00 PM

The effects of a cyberattack on an EMS agency, software vendor, or third-party billing company can be devastating. In 2021, information is the hot commodity, and your patient information is often worth hundreds of times more to cybercriminals than credit card numbers.

Why Do Cybercriminals Want Medical Information?

EMS patient care reports contain a wealth of information such as demographic data, past medical history, and health insurance identifiers. Credit cards can be cancelled, and social security numbers can be monitored by credit monitoring agencies. Medical information follows patients for a lifetime, and misuse of that information is more difficult to track.

Some of the ways cybercriminals exploit medical information are:

    • Creating fake insurance ID cards to obtain healthcare services and goods (e.g., prescription drugs and medical supplies)
    • Locking down the data and demanding a ransom to unlock it
    • Using existing provider credentials or creating fake provider credentials to file insurance claims for bogus services with Medicare and other payers


In many cases, patients don’t learn about the breach until weeks later when they get an explanation of benefits for a service that they never received or a breach notification from a provider after a weeklong investigation. By that time, the fake insurance claim has already been paid and converted to cryptocurrency that cannot be traced.

Cybercriminals often make off with hundreds of thousands of dollars from exploiting medical information, and very often, they don’t get caught.

How Do Typical Cyberattacks Happen?

Cyberattacks are typically the result of targeted activity on a victim that is known to the criminal. Ambulance services can be particularly enticing targets for bad actors because many agencies do not have the same robust security that larger, more sophisticated healthcare systems and facilities often have.

There are four phases in the typical lifecycle of a cyberattack:

  1. Reconnaissance — Also known as the “online stalking phase,” cybercriminals peruse company websites, social media profiles of employees, and ping servers looking for things like 9-digit numbers on your system. Once they know you have got “the goods,” they move in for an attack.

  2. Enumeration — Next, they get into your system. It could be an attack on the server whereby they try to slip past your firewalls and antivirus to install malware, or they could exploit the human element by trying to trick employees into clicking on email links or downloading malicious attachments.

  3. Execution — Once the attackers are in, they unleash a malware program to wreak havoc on your patient data. They can control your patient data or deny you the ability to access it.

  4. Lockdown/Exfiltration — Finally, the cybercriminals typically either lock down the data through encryption and demand a ransom, or try to copy and remove data from your system.

How Can You Detect a Cyberattack?

While there are many signs of potential cyberattacks, some of the more common signs are:

      • Your computer is running slower than usual.
      • You can’t find or access information or files.
      • You can’t navigate away from a website.
      • You observe a program that you don’t recognize executing on your machine.
      • There is pop-up window alerting you of a cyberattack or demanding a ransom.

What Do You Do If You Think You’ve Been Hit?

There are seven actions you should take immediately:

  1. Stop the attack by disconnecting the machine or device from both the internet and company networks.

  2. Notify your IT department or the appropriate individual about the attack.

  3. Activate your contingency, security incident response, or other plan.

  4. Contact your attorney.

  5. After consultation with your attorney, consider contacting the local FBI or Secret Service field office.

  6. If you have cyberinsurance, notify your insurance agency.

  7. Proceed with any legal obligations to notify, in consultation with your attorney, affected individuals and clients about the breach.
How Can You Protect Against Cyberattacks?
    • Secure Connections — Use secure company hotspots, VPN connections, and https protocols on the internet.

    • Company Devices Only — Only use company devices — not personal devices — to access company information.

    • Environmental Awareness — Be aware of your surroundings when you’re working in a remote location. Cybercriminals can use cell phones to record keystrokes and then take your device.

    • Physical Security — Always physically secure devices when not in use, and always keep devices with you. It’s easy to smash windows on a vehicle and steal iPads, tablets, and laptops.

    • Safe Browsing — Practice “browser awareness.” Looking for signs of malicious websites, such as low-quality images, and avoid downloading from third-party sites.

    • Email Awareness — Be cautious of phishing campaigns. Verifying that you know the sender, don’t act on urgent action emails before checking, and hover over hyperlinks to determine where it is navigating you.

    • Immediate Reporting — Report to authorities any suspicious hacking, malware, loss, or theft of devices and other events that would compromise patient information.


The impact of a cyberattack is huge. But taking key steps and training your employees to be “cyber-aware” can go a long way in preventing a serious incident.


Read More on EMS Security Vulnerabilities and Protection:

3 Reasons Cloud-Based Solutions Make Good Sense for Fire & EMS