Cybersecurity for EMTs and First Responders | Protecting Patients and Professionals
Mike Chanat · November 7, 2024 · 57:18
Welcome to the Security Cocktail Hour.
I'm Joe Patti.
I'm Adam Roth.
And I'm Mike Chanat. Cheers.
Yeah, we have a special today, Adam and Mike. I feel like I'm seeing double, like I have two Adams. This is something new. Or two Mikes. Or two Mikes, no. You have two screens, two Mikes.
That's right.
No, everyone's special. We're all little snowflakes. No one's the same. No, but welcome. Welcome, Mike. Thanks for joining us today.
Appreciate it. Thank you very much for reaching out and giving me the opportunity to kind of share some of the things that I teach about, that I coach with. And actually, what I'm looking forward to is learning from you guys today.
Don't get your expectations too high on that.
I think we're going to be learning from each other.
Well, well, Mike, you have, I was actually looking at your resume before this. My, my God, you have done a lot. You are, you have been an EMT, you know, leader. You've been a, an NYPD cop, professor, leadership speaker and everything. Wow, I'm humbled when I see all that.
You've been all over the place. It's just me being myself. Every time I always look at that I'm doing something different, when I look backwards and do retrospective study on myself, it's basically doing the same thing that I've always done. And it's kind of the framework that I use, whether it's mentoring, speaking, and things that I like to speak about. In EMS, we have CME, usually continuing medical education. And my spin on that has been talking about communication, mindset, and empathy. And that's just kind of the way that I've gone. And with the journey that I've taken, I've realized that through observing others, if you have a mentor, you have a coach, somebody who's there to lead you. You can either go far or you can go high. And, um, I kind of feel like I was always lagging behind, uh, learning things the hard way. And what I wanted to do for others was to make sure that I can share my knowledge with them. So that's, that's basically all I've been doing is finding forums, finding people willing to listen and speaking my truths, my journey, and, uh, trying to raise others up.
I think, Mike, a lot of us, I mean, I don't consider myself really, I guess, a seasoned EMT, though I've been an EMT 27 years and maybe eight years per diem in the 911 system. But all of us, every single one of us, always, I feel, at least, all of us kind of feel like we have imposter syndrome, like we really don't know where we are. We're never good enough, that we always felt like there's something else that we need to learn and accomplish, and that's just who we are, I think.
Well, Adam, I think you should have imposter syndrome because it looks like you're trying to impersonate Mike there. Mike's better looking than I am. For those who are listening, because not everyone is on video, but Mike and Adam are both wearing black t-shirts and they have the same haircut, let's just say, which is very stylish.
Very, very stylish and very hard for some people to pull off.
That's right. Well, you guys got the look. You look fantastic. Anyway, so before we get down to the discussion, a little business for everyone. Please, we love our audience. Thank you for joining us. Please, if you're listening on Spotify or one of the other podcasting platforms, please follow us. Please put comments. We'd love to hear from you. And if you're listening or watching on YouTube, please like, subscribe, comment, tell your friends, share. You know, we're really trying to build the audience here and having more people, you know, comment and get engaged. Helps the algorithm, helps us get out, and helps us get great guests like Mike on. So thank you very much. It also gives us an excuse to drink. And to buy rubber duckies. And to buy rubber duckies, yes. So what do we have today? This was Mike's call. What do you got there, Mike? Jack Daniels. Jack Daniels, classic. Adam, what are you doing? You doing a coffee or what?
No, no, no. So I'll tell you this. The bottle's from the Dominican Republic. I don't know what it is, but I'm drinking it. I don't know what it is. Okay. All right.
It's brown and it's wet.
Really? I hope you have EMTs close by. This is bourbon. This is Woodford Reserve. It's become my go-to bourbon lately. I don't drink it at all. Very good. All right. So cheers, everyone. We're doing a lot of bourbon lately.
It's popular, it's guest choice. It seems to be what everyone wants. I think we need the podcast in New Orleans. Absolutely.
Man, let's try to get some different stuff. We used to go south.
Yeah.
That's right.
We're going to need it soon as it starts to get a little cooler here. You know the irony? The last time I was in New Orleans was 9-10-2001. Wow. Really? Wow. That's crazy.
comes around. It's almost 9-10, right before 9-11, but, uh, you know, it reminds you, right? It's humbling. I was going to say, I have a lot of interesting things for that week. One of my partners from the NYPD, it happens to be his daughter's birthday is 9-11. Obviously for us, 9-11, where we lost a lot of our brothers and sisters, and we continue to lose them every day. But one of the other things is that's also the week where, in 1987, I got into EMS and started my career. So it's a mixed week for me, highs and lows, a lot of memory, a lot of reflection, thinking back about the past and where we're going in the future. So I always kind of embrace it and look at it as a positive because we've learned a lot about other people. We've learned a lot about what responders do. We've gotten an opportunity to learn how we need to make sure that we take care of ourselves, so I think a lot of good has come out of there. And the other thing to add is, around this week was the funeral for Mike Gorumba. I don't know if you know Mike Gorumba. He was a fellow EMT and a firefighter, and he was in my EMS class, and he passed away a week before 9-11. I went to his funeral, and then a week later, we lost people from that funeral. So I know I'm not trying to bring things down, but now that we think about it, now that it comes to mind, this is an episode that would also remind us to remember 9-11.
Yeah, it's important to remember. It's funny. When I was working, I started working in downtown Manhattan and in Brooklyn shortly after 9-11, maybe a year or two later. And someone who was there working, he said something interesting. It was a day where we saw the worst in a small number of people, but also the best in a lot of people. The absolute best.
For the short period of time after 9-11, there was a camaraderie. There was a level of embracement, and I'm not saying it's totally gone away, but people were extra nice to each other, people were very respectful of each other, and everyone came together. So anyway, God bless America. Never forget. That's right.
Anyway, so I know this is a cybersecurity show, and you guys aren't usually used to being hacked, but I'm going to hack the show today. I'm going to flip the script. And instead of me, the guest, being the one with all the answers, growing on my mindset part of it, growth mindset, I want to learn from you guys and see what you guys have as far as how we can work and embrace communication, mindset, and empathy. Whether it's dealing with people, process, actual hardening of physical and virtual realities. I always start off my mentoring with explaining how well communication will set you up for success in the future. If you're going to be a leader, you need to communicate a vision. You need to make sure that vision is clear to your people. If you're going to be an effective leader in the field, you need to communicate with your team members, give them clear directions on how to deal with people. When you approach the hospitals, you need to be able to communicate with people from different backgrounds and experiences and be able to have one cohesive story going forward so we can take care of our patients. If you're in front of an audience and you're presenting to a town board, to a council, to students, to fellow practitioners, you need to be able to effectively communicate. Now, part of our effective communication is not only verbal, it's written. And in the last maybe 20 years, we started using electronic patient recording devices so that their charts are now electronic. As far as an agency leader, as far as an agency manager, what are some of the things that I should be looking for or considering in terms of securing my networks that I use, or what kind of providers should I be using? How do I ensure that my patient information is compliant with, like, HIPAA, that we're as secure as we can be?
For me, we can go into any degree and talk about how, you know, we'll make sure that, you know, your VPN and virtual private network and security is good, but I love to start in the beginning.
By the way, but before you go, just to let everyone know, you know, that's like the easiest question imaginable. He just said, how do I build a security program for, for an EMS organization? So, okay, we're up for it. That's plenty of material.
So physically secure your tablet, physically secure your password, start at the, thing that people don't realize, like, you know, like, I've been to a lot of places. I've walked into apartment buildings. I've walked into businesses and I'm like, I personally think, and people are gonna argue with me about this, that physical security is sometimes the foremost important thing. So if you're driving a bus or ambulance and you leave the doors unlocked but you left a tablet in there and the tablet is not secure and somebody steals that tablet and is able to use some kind of reverse engineering to get into the tablet, they have a portal right into your organization. And it's really no different from even your personal cell phones where people use Outlook Web Access for their organizations, where Outlook Web Access is literally just a browser. There are people who don't secure things, so always secure your devices and equipment and always move forward as if somebody is looking over your shoulder and looking at information that they shouldn't be seeing, whether it's patient information, whether it's your password, whether they have access to your multi-factor device, meaning your phone, and what I mean by that is, if your phone is sitting there in plain text, you're handling a patient, and then you put your phone down, and your phone disappears, and it was unlocked, and they connect to your organization. They have everything. So I'll leave it at that. Joe, your thoughts?
Well, I think at a little, at a little higher level, I mean, we can get into all that, that's right. And we can get into a lot of things of, you know, what individuals can do. Well, what I think is very important is that, you know, a lot of the leadership when it comes to security has to come from the leaders. And, you know, one of the things that people can do is, you know, think about the things that they can do, but also ask their leadership, what is our security program? What are we doing here? I'm worried, even from a selfish standpoint of, I don't want to get in trouble. I don't want to lose the patient's data. I don't want to do this stuff. What tools do I need? Are you going to give me those tools that I need? Are you going to train me? Because the most important thing for any security program, the number one most important thing is the support of the leadership. You know, security is expensive and it's difficult and it takes a whole organization to participate, to be effective. And if you don't have it, you know, from the top, from the leadership, and I mean, the CEO, the chairman of the board, the director, the chief, whoever, whoever's at the top, from them. And, you know, all their people up there, the total leadership, if you don't have the support there, then you're not going to have a successful security program. And, you know, again, one of the ways you can, you can tell if that support is there is, you know, even if you're just, you know, the person, even if you're the, I don't like to say the bottom of the organization, but wherever you are, you can, you can see it. You can see that there are security devices. You can see that there are little reminders that say, don't lose your, don't lose your phone. Be careful putting things down. You can see that sometimes there are security people trying to drive you crazy with, you know, with stuff, you know, do this, there's this software here, I don't like this, this other thing, making things a little bit more clunky. It can be inconvenient, but it's also a promising sign that, that things are happening, and that the, and that the organization cares in there. And I would say, look at it as, you know, they're giving you the tools that you need to do it, right. You know, because we've talked about this before, you know, I'm not an EMT, like you guys, but, but when I, you know, when I have someone, you know, coming to my house to give me help in an emergency or something, I don't want to worry. Even for me, my privacy is not my first concern. Getting them to help, but we can do things so that they can focus on the things they need to focus on without compromising security, to make it easy for them. Reduce the cognitive load, that kind of thing.
Well, I love the things that you were speaking to. And again, my basic framework that I use is communication, mindset, and empathy. So one of the things that I'm hearing you say is that as a CEO or a CIO, you need to communicate what our protocols are, what our policies are. When we're onboarding from HR perspective, when we're onboarding new people, we need to make sure that they're being educated and they're being taught about what the policy is. From what I was hearing, Adam, is if you're a field training officer or you're a frontline supervisor, make sure that the people are learning to lock the doors, make sure that they take the tablets and either they go back into a secure compartment or sometimes they have the brackets in the front where they lock in and you can turn a key to lock it, and make sure that it's not easily accessible or removable without the crew's consent. A lot of good things. So in terms of a provider, you want to have a growth mindset. So you want to go seeking out these policies, procedures, and learning about the protocols, as you were saying, Joe. Find out what it is that we do, what we can do. Because a lot of times, you're right. When somebody comes into a household, there's a lot of fear already about what's going on, who's coming in, strangers are entering the house. They don't want to have, you don't want to put your patient in a situation where they're worried about, well, if you're asking me for my social security number or my insurance card, and where are you putting it? What are you doing with it? That it's not information that's going to be lost and, and, and put out there on the black web where people are going to be able to manipulate it and do what they do with it.
Right. And people are going to give it to you because they trust you. Yes. Not just with your information, but with their health.
They don't necessarily trust you, Joe. They, they kind of, they have no choice. They know in order to receive the help and support they need, they're kind of in that situation where they have to provide it. They might even ask you, well, what happens if I don't give it to you? And I'll explain what I mean by that in a minute. But I wanted to step back a moment, Mike. You did something that I applaud. And you did something that I just had a conversation with my wife about, that a lot of leaders don't do, and you're doing it. You're doing active listening. You're listening, you're taking the information that we're giving to you, and then you're giving it back to us to let us know, one, an affirmation that you are listening to us, and two, you want to confirm if what we said is accurate, that you understood. And I can't tell you how many times, I actually get chills, I can't tell you how many times people do not do that. And that's a leadership trait. It sounds like I'm pretty much kissing your ass here, but it really is true. A true leader will listen and then spell out what they think they heard and then receive either an affirmation or a correction to it. God bless you, man. People don't do that, and that's a big thing. Going back to the thing before, Joe, I can't tell you how many times as an EMT I would go into somebody's house. Lifelong EMT, and I applaud all my brothers and sisters who do that as a career, because it's a thankless job and they really work their asses off. Every single EMT, paramedic works a job and a half, if not two jobs. But when they walk into a house, first, Joe, it's, it obviously is actually the other way around. Do we also trust entering in that home? Are we safe? Is something gonna happen? And back then, I wasn't worried as much, but now, are we being recorded? Are we going to be put on the internet? Is everything we're saying, every action that we take, is that going to be used against us as EMT?
So our security, our privacy comes into question, but once we move past that, the people that we're serving, most of them are in such a dire strait. They're not saying, hey, thanks for coming by. We love to see you. Thanks for showing up. They're like, my husband is dying. My daughter's not breathing. My son is vomiting. And when you ask them the questions, they know they have to answer. Because if they don't, they won't receive the support. And then one more step forward, they're not going to always tell you, I was doing ecstasy. I was shooting up. I was doing coke. I did something I shouldn't have done, because they don't want to get in trouble. They're afraid that standing next to us might be police officers that might have to arrest them. So when we're providing medical aid, patient care, we don't always get the full picture of what's going on either.
Well, I was going to say where I think, Adam, where that can tie in, in terms of thought process, is are you using a virtual private network? Are you using up-to-date software and things like that? Or is somebody listening in, like that cop who's listening in to our conversation with the patient? Are you aware of what's on around you? If you are using software where you might be able to scan or swipe a card, is there a reader that has been interfaced with it where somebody can intercept the information like they sometimes do with the gas pumps or at the checkout, self-help checkout counters at the stores? All kinds of opportunity for people to think it. So when we talk about, as you were saying, is the scene safe? There's a lot to it, not just from are there bacteria, viruses, products that are going to endanger ourselves, is there carbon monoxide by their people, carbon monoxide, exactly, things that we may not be able to see. But again, is somebody like standing over us as we're logging into our laptop to start recording the information that the patient's giving us, as we're entering in somebody's social security number? Did somebody get malicious software where they're able to track the keystrokes that we're doing and stuff like that? So these are all things from a security standpoint of view that most of the times people aren't listening or thinking about in our industry, because we're focused on the medical but we're not focused on the electronic and the virtual world that you guys deal with on a regular basis. So with that, my next question that I would ask is, I'm sure it probably depends on the size of the agency, but what are some of the factors that you would, if you were consulting somebody, recommend to consider whether to keep things in-house or to outsource, as far as either doing IT support or security or as far as software and things like that?
There are different schools of thought that they've evolved over time. You know, I used to say when people say, should I outsource or should I do it myself? Is it safer to outsource? Or is it safer or more secure to do it myself? And I'd say, well, that kind of depends on how good you are at security. But the truth is, you know, as things have evolved, doing security is very difficult. And smaller organizations tend to outsource a lot of the functions to the extent that they can, just because doing it right is very difficult and very expensive. The extreme case is to have a SOC, a Security Operations Center. It's the guys you see with all the screens, where they're sitting at the keyboard seeing the things come in. Well, if you think about it, those things are expensive. But also, you need a minimum of at least six to eight people to, you know, staff it, staff a place 24-7. Those six to eight people are not cheap. You probably need a lot more, and only the very large organizations still do that in-house for, for just for just that, that reason. So, you know, typically, for a lot of organizations, you're going to want to be doing a lot of outsourcing. In fact, a lot of big ones do different outsourcing, too. And it also gets down to a lot of these organizations, do you really want to build that capability? Are you really a security organization?
No.
You're a health care organization. You're an EMT. You want to focus on that stuff. Get the people who are experts in other things to do the other things for you.
And I love that. One of the schools of thought when I'm doing leadership development is I talk to people about creating collaborative and cross-functional teams and surrounding yourself as a leader. You don't need to be the smartest person in the room. You need to have the smartest people in that room. So like you were saying, if we're going to be focusing on health care, then we want somebody like yourself or Adam to be in that room consulting us on the IT aspects of it or any of the other security things that we are concerned with. Just as much as if we're dealing with repairs on our equipment, we want to have somebody who's a biotechnician and is familiar with the thing, not just us tinkering just because we tinker with our lawnmower on the weekend. So we don't want to bring our inexperience to the table, we want to bring the experience to the table, and you're saying that we need to have people who are experts and focus on those areas and let us think about other things.
I like that. So yeah, so we can really definitely expand on this. Let's stop this. Let's start first with the patient care. We don't always get the opportunity to go into, you know, to a room and close the door and ask all this vital information. It might be on a, you know, a train platform. It might be in a park. It might be on the beach. It might be in somebody's apartment, which might be a little bit easier. And even there, we're not really, and tell me if I'm wrong, Mike, I mean, you're the leader here, right? We might not, we're not really supposed to be sharing information with the police officers, even though we always do, right? We really do. Like, you don't want to ask the patient twice the questions. They're looking over the tablet like, oh, the name is, you know, Roth, Adam, you know, certain things. We're not really supposed to share at all what they're doing, the medical issues, but they're there, they're right next to us. We can't say, Mr. Police Officer or Miss Police Officer, please leave. Now, going back to in-house versus not doing it in-house. There's so many different types of things that we're doing with an EMS agency, right? We're doing, whatever you want to call it, the ACR, ambulance call reports, which is another patient information. That is most likely going to be a cloud-based software that you can't even bring in-house. Then we're talking about the vehicle monitoring, you know, where's the vehicle located, the GPS. Is it what we use in Verizon, the monitor, these, are we using another brand? And then we're talking about other things about, you know, resupplying, which is probably, everything here is probably all cloud-based. And I don't know much about the FDNY EMS organization, what software and stuff they're using, but I do know that they probably have the capability of bringing it in-house, and they probably put it out there, too, as well, because a lot of third parties integrate via an API, or an interface, we call it, right?
So whatever is happening with the ACR, or Ambulance Call Report software, there's another organization that's using it for billing. And there's another organization that's using it maybe to restock materials. So a lot of this is all cloud-based and all connected. So even then, you still have to manage the hardware, which is probably going to be a third party doing the repairs. I know a lot of stuff does get sent to Queens for repairs. But these private agencies, I see the vehicles all the time at gas stations. Oh, they're fixing the vehicle. Do we know who these people are fixing these vehicles? Can they get into the... Are the tablets there? Are the tablets not there? Are they putting devices in there? So you don't know, but there's a certain level of trust.
Yeah, something we're kind of getting into, that is something that lately is very big in security, called third-party risk management. It's, you know, worrying about your third parties, your vendors. And especially in IT, you know, the big thing is, are they secure? A lot of people have been hacked, or they haven't been hacked themselves, but it's their vendors who've been hacked, and then they get in through them, or they steal data from the vendors that was originally with them. A lot of hacks, that's become much more of a thing. And I would say kind of to the EMT community, it's like, I know that a lot of the equipment you use is probably very heavily regulated. It's tested. There are standards that they have to meet. Be aware that IT and even security is not like that. It's changing. There are more regulations, but, you know, virtually anyone can go up and write some software and sell it to you. But there are the ones that are doing a good job, and there is a whole, I don't want to say a whole science, but a whole discipline of just going in before you buy something, checking on what security are they providing us? Is it suiting our needs? And healthcare software or service providers generally will say, well, we follow these standards and we're HIPAA compliant or compliant with whatever the other things are. But ultimately, you're still trusting them.
Okay, so one of the other things under mindset is resilience. And while we want to kind of build an armor around ourselves, protect ourselves, protect our minds and stuff like that, from the cyber world, I know, Adam, you were suggesting initially, like, make sure that we lock the tablets in the vehicles or we take them with us, we secure our phones, make sure they're on our person. But what other things can we do to harden how we approach or handle information or our devices that may transmit information to either to a cloud or to a server located somewhere. How do we tend to protect ourselves or keep ourselves out of trouble in terms of what we do?
Well, I'll jump on this really quick and then I'll defer to Joe, but your device, your laptop, your tablet, your phone, whenever possible should have a secure connection to a server. We talk about VPN, but there are things built into Windows that allows a certificate between the device itself and the server. We also talk about NAC, or network access control. And what I mean by that is, you know, there's a lot of ways, and some of them are a little bit immature, like, you know, 802.1X, and what that means is that's a protocol that says, I'm not going to let you talk to me on the network unless I know your MAC address or your serial number. But that can easily be spoofed. But there are levels. Security is never one thing. It's different levels of things that are in place to protect you. However, the more security levels, the more complex you make it. The more complex you make it, the more you need people to monitor it and manage it and document it. And then when you have an issue, You throw your hands in the air and you wave it like you just don't, no kidding. You're like, okay, is it the SSL certificate? Is it the VPN? Is it the access rules on the firewall or the switch? So the more complexity you add, and we kind of call that a security through obscurity, but there's no right thing for any one agency. It's really about your budget. Don't get me wrong, you need to adhere to whatever the law is, But there are organizations that are kind of forced to add additional levels of complexity or security as required by an audit or to do business. And Joe loves to discuss this.
Oh, yes. Being the subject of audits is just fabulous. But the thing that's very important, I think, for a lot of people, and particularly for the individual, EMTs out on the street to understand this, this is stuff that your organization has to do. And they should be taking care of that and giving you the equipment and the tools that are properly secured and that meet all those requirements and do what they need to do in terms of security. The same as with the medical equipment that you use. And what I would advise a lot of people to do is, if you're interested, ask about it, learn a bit more. you know, give feedback if you, if you think it stinks. Um, but also, um, use them, use what you're given, um, pay attention to the training, use the stuff. And even if you don't think it's great, and even if you don't think it's as good as it should be, because the organization has decided to use it, some other people have decided it's adequate. It may or may not be, but by using it at least, you're putting a little faith in them, but also you're protecting yourself. Please don't go and use your own stuff, especially when you're dealing with healthcare and people's data and stuff. Don't say it's just easier if I send it with my gmail account or I'll just use my phone or my text instead of something secure that they gave me or I'll just shoot it this way because it's quicker. It will cause nothing but trouble and that And that will be on you if you do that, because that can be very troublesome.
That's a key point, because in the field, we're always hitting walls here and there. And one of the things that I was taught early on as a leader, our job is to remove obstacles from our employees from being able to do their job. Sometimes people feel multiple sign-ins instead of a single sign-in for access to things or using this big clunky device as opposed to my small phone. They don't realize, and I'm glad you bring this up Joe, is that While it might be easier for us to use our device or my laptop, I'm more familiar with it, or it's lighter or smaller, versus the device that your agency has provided, that they've loaded software, they've gone through the protocols to make sure that certain ports are turned off or on, that there's no access or limited access. They've set up the security perimeters, and by you circumventing it, it's like that, a fire escape door where when we talk about physical security where somebody it's only meant to go out and locks so you can't come back in everybody pops that little can or rock by the door because they all go out for their cigarette break but they need to leave the door open so they can get back to work If you're leaving a door open, I'm gonna in my novice way equate it to leaving a port open on your device where somebody can now gain access to it. You've just let them in because it wasn't secure. It wasn't hardened. You didn't make it resilient.
And I'm gonna add to this. I'm gonna jump on this. This is an important part. You brought up another key thing, Mike and Joe. A lot of organizations believe in BYOD or bring your own device. Let me kind of give you a hint of why you got to be really careful. If you look what's happening, I don't want to get into the politics, I just want to give an example. If you look what's happening with NYPD right now, several members of NYPD have had their phones seized because those devices can provide insight to a case. It can exonerate them, it can get them in trouble. I don't know specifically what happened, and I'm not here to discuss that. If you're the EMT, the paramedic that's working on a job, and for some strange reason you're putting notes into your own phone, or your company says, bring your own device, manage your email from your personal phone for our organization, and you wrote notes, hey, I was on this job, and blah, blah, blah, blah. They want to, and then something happens where an attorney decides to seize your phone because you were the person that handled somebody that might have passed away, for their questioning that, and it had nothing to do with, they say you were 100% innocent. Everything that you have in that device, even things about your health, illnesses that you might not want to discuss, and they can get access to it. That's gonna be into record. I'm not saying to be publicized, but it's gonna be entered into record. So you got to be careful what you do with your device, because if there's any thought of misuse, they're gonna subpoena or seize that device and go through it. So you got to be really careful what you do. Always treat, and I'm a victim, I mean, I'm not saying I'm not the person that does that too. You got to be really careful what you put on your phone, because even if you say, ha ha ha, Joe stupid, something happens and said, you said Joe was stupid, weren't you with him last when he got hit by the car? We think you, you know, you might have been the one that orchestrated that. So you got to be careful.
Yeah, one thing I tell people very much, and you know, we don't give legal advice. This is not legal. We're not attorneys, nor do I play one on TV, but, you know, I mean, you're always protecting yourself, especially in terms of exposure with security, if you're following the procedures, you know. So follow the procedures, just as he would in the health care, in the health care case. Now, I know in the real world we sometimes break the rules or bend them a little bit, and, you know, maybe you're doing health care too, to save someone. Um, I would suggest that if you do, be transparent and say, I had to do this quickly to save someone. Let them know, get it documented. And I don't know what your usual take on that is, but that's kind of what we do in normal industry. But realize that if you go outside the rules, you are taking on risk yourself. You may say, it's no big deal. I'll be a baby, whatever. But you are taking a bit of a risk. Things may come out. And as Adam was saying, make no mistake, I mean, read the stuff in the paper and look, make no mistake. If you email something, if you text it, if you put it anywhere online, if you think it's protected, a lawyer or a court can and will get all of it. Don't be under any illusion with that. If they want to and if they're empowered to do it, they will.
One of the things that you were talking about that just kind of brought up to me is we were doing a presentation at a church, but it was for high school kids, and we had kind of like a show and tell, what to do, safety and things like that was the topic. And one of the local police officers came in and gave a discussion about online presence and stuff like that. And one of the things that stuck with me from that presentation, and it's what you're saying, is everybody thinks Snapchat, when you send and it disappears, it disappears from you, from your device. That's right, but when that picture that you sent that maybe you shouldn't have sent, of the person that got hit by the car or the hanging or whatever it was, it's still on a server somewhere, and law enforcement, if they want, they can go to Snapchat and they can access that information, whether it's a conversation, photos, and things like that. So that's one of the things that I'm glad you brought up, is information's out there, and if you're doing it with your own device, it's still subject to being used in a court of law.
Yeah, there are, and we've talked about them before, there are systems and services that get around that, that are more protected, but realize a lot of it depends on the resources of the organization that wants to get it. I mean, if you're in, if you're in New York, the NYPD has some of the best forensic people in the world. They're very good at getting data out of things that are not supposed to give up data. So no illusion with that.
There's a reason we're called the finest.
That's right. They're very, very good.
So Joe and I, when we worked, I shouldn't say we worked together, when I worked for Joe, oh my God, those years, when I worked for Joe, Joe and I used to, we used to try to figure out legal strategies along with the attorneys that we work for. And we're not saying that attorneys do anything wrong. I'm saying that there's always a strategy. And we spoke about whether bringing certain things in-house or putting it in the cloud. And then there's things called bring your own key. I'll explain that in a second. Have your own key and a hybrid of both. So if there's emails being used in the cloud, law enforcement agencies can use something called a blind subpoena, go to Microsoft and say, hey, we think something happened wrong and we want to get those emails. But if you have your own key, and that key means that you're allowed to encrypt your emails, they have to subpoena your key. So now you know that they don't have access to your stuff. They have to get your key in order to get those emails, or bring your own key. But if you use the key from the provider themselves, then they can do a blind subpoena and get your stuff. So what I'm getting at is, if you're doing stuff, don't say, don't think they're gonna come for your phone. They might just do a blind subpoena, and again, this doesn't mean that you've done any wrongdoing. You happen to be doing a job and you're in Midtown Manhattan, and there's a well-known celebrity, and something happened, and somebody died, and he or she was in the room. And now your phone's gonna get subpoenaed into a matter of record, because they wanna make sure that you didn't transmit, and anybody else didn't transmit any information. So you might have done anything wrong there, but now a lot of your private information's been looked at. You might not want it. Again, you might have done nothing wrong.
Yeah, another thing I'd add to that, get to the other side of it and maybe a little more, more positive side for the EMT community. It's something that can get you in trouble, but it's also something that can protect you. One of the things that I was amazed with when Adam started telling me about, you know, being an EMT is the amount of abuse you guys take. I'm like, who cuts off the ambulance in the street? Who fights with the EMTs? That's amazing to me. Um, but you know, if you do have some, obviously it's cyber stuff is not going to stop a fistfight, but, um, you know, if you have someone who's harassing you, if you have someone who's interfering, if, uh, you know, you think, uh, like someone on Snapchat is, you know, I think going after you, your agency or something, I've had, you know, uninformed people say, well, they're using this anonymous thing. We'll never know who it is. Nonsense. If the law enforcement or your legal team, whatever, is motivated, they can find it and they can help you and get to the bottom of that stuff. So there's a plus to it also.
There's a variety of models of how EMS systems run. Some people, like when we were in the city, we'll sit in a truck. So the only access we have to the internet might be through the tablets we have in the truck or our own tablets that we bring in phones. Some places have people positioned at stations where they have a desktop there and they sit and they have a work laptop or desktop they can work. What are some of the things that we can kind of think about in terms of like phishing emails or logging on or clicking links, things that we as a provider can do, whether intentionally or unintentionally, to put our agency at risk while we're on an agency device?
All the things you've been told not to do and be careful of, listen to it. You say these things for a reason. If you've heard about, and we were just, Adam and I were just at a conference the other day, talking to someone who does incident response. And we said, hey, what's, what's going on with your incidents? Are they still ransomware? Is it still phishing? He goes, yes, it's all ransomware these days. And still most of it comes in through phishing. And when we say phishing, we mean you click the link on the email and your machine got infected and they went from there. You open the attachment from someone you didn't know or from something that looked dodgy, or you got the email that looked like it came from Microsoft, but really didn't. And you put your Microsoft credentials in there and boom, you've been popped and your whole organization has been popped. We can't get into here, into the whole how to protect yourself, but you know, all those things that you've heard, listen to them, heed them, pay attention and be careful. They are for real. And those are the ways that all these things you see happening are happening. We often don't hear that in the press. We see that because we look at the whole, you know, analysis of everything, but it often doesn't make it into the mainstream. It's like, oh, they hacked in somehow. Well, that somehow is often, um, human error, email links. Um, and well, I don't even like to say human error because, you know, very often what they're doing is the bad guys do this because they know, they know what, they know what works. They know what people's hot buttons are. They know that if they get a cool picture, people will want to go look at it. They know that if they say, oh, here's something about your Amazon package, that 90% of the people probably ordered something from Amazon in the past couple of days. So they're going to think it's real. They're very good. So be careful.
So I will divert and then come back. One, 100% assume that anything that you do on that tablet or agency device is 100% monitored. Anything you say can and against you in a court of law. I'm being funny, but everything's being monitored. The flip side to that is if you're sitting in your bus, slash ambulance for those, and you decide that, you know, you're having a slow day or you're on a transfer truck and you want to watch a movie, and then you decide, hey, I'm going to turn around and I'm going to sit outside the Starbucks or Dunkin Donuts or someplace else and connect to their Wi-Fi, at least use a VPN, because any conversation you have, and I've seen this happen before, I'm not saying specifically EMS, you know, that guy Mike, he's a jerk off supervisor, and then something ends up happening with you, again, and then that information might be used. So be careful what you do, even on your own device, during working hours. So, whatever you do during your employer's time, you have to always expect that that can be used, because you're being paid by your employer at that time.
Yeah, that's actually good. And that's some good advice, because I know that a lot of the EMTs, you're right, they sit in the bus, I know as you call it, spend a lot of time out in the field, out in places. Public Wi-Fi, you can use it, but don't trust it too much. You can, you can use it to look at Facebook or to read the news or watch YouTube or something. But like, if you need to connect to your bank, it's really best to use a VPN. If you need to do something really sensitive or financial, it's best to use, you know, one of a good VPN service. You know, even though it has, those things have the little lock, you know, they say, you know, your bank is protecting you, whatever. It's, it's not, it's not optimal. There are ways around it. And unfortunately, especially if you're in, you know, if you say, how can anything happen here? It's like, you know, if you're going into a Starbucks, you know, in New York or Manhattan or Los Angeles or Miami. Well, where do you think the bad guys are setting these things up and using these techniques? Not out in Iowa, some rest stop, you know, in the big cities where people are.
But if you're also, if your device is running low and you decide to run into a store to charge it, and this is going to sound a little bit weird, use a USB condom. Joe, you can explain that.
OK, well, this is a little bit interesting too. You know how your phone comes with a cord, and you put it into the little thing, and you plug it in. And now they have places to charge it, and now they have places where they have the USB port right in the wall, like in your car, where you can plug it right in. Well, that cable is not just power, it's also a data cable. And maybe a year or so ago, a little controversy erupted that people were using those things and almost turning them into like ATM skimmers, where there are little fake pieces on it that could get onto your phone and steal your data. That was kind of debunked, that it wasn't going on. But it is very possible, technically, and not that difficult. And I would not count out that it's either gotten here or it's coming very soon. So, yeah, it's best to either use the thing you plug in yourself with the electrical plug or use what's called a USB condom. That's a little thing you add.
It only gives you power, no data. You only use the wires for power. That's right.
I think Adam just wanted me to say condom.
Well, look, you know what? We as cybersecurity people, Joe and I, and you probably speak to my family, they'll tell you I'm horrible, but I always believe in mitigating risk. You never prevent risk, you mitigate risk. Preventing risk is you buy the $5 USB thing that only allows the power, you turn around and your Wi-Fi doesn't say the name of where you live. Turning off the beaconing of the name doesn't do anything for you. Everybody can see it. But you don't want to put down Roth household, you know, Patti household. You want to put down, you know, applesauce or something crazy, you know, people like, what the hell is this? It doesn't tell me who this person is. You want to mitigate risk by not identifying who you are, where you are. If you're in the street, I'm not talking about EMTs and paramedics, but you really don't want to walk around going to your work with the thing that says, Adam Roth, X Bank, employee number 7675309, whatever. You don't want to identify, you don't want to have your password on your ID when you're walking around. You want to do situational awareness. Are people looking at you? Are people watching you? Are they looking at your moves? You know, always be careful whether you're displaying your ID or whatever it is. So, that's what I'm getting at. Mitigate risk, not prevent it.
Well, we are coming up to the time that we usually call last call, where we get our final thoughts in. So, you know, Mike, this is an unusual one. You flipped it around. You've been listening to us babble on about stuff for a long time. What are your thoughts? What do you think about all this? Can you kind of filter this down to what is most meaningful for your constituency? What do you think?
I think there was a lot of good things that you guys brought up over the course of the day. In terms of communication, you need to communicate not only visions, but you need to communicate the whys behind policies. Communicate these policies, whether it's onboarding your new employees, bring in your head of IT or one of your IT people to discuss why it is that we do this, not for your discomfort, not to make your job more miserable, but have somebody give an insight. Have your mindset set to growth, and as a growth mindset, read on things that are being brought up in your field. There's definitely a lot of information that's being either skimmed or hacked from health insurance and health care, and some of that that we can mitigate as far as the policies and procedures we do. Be aware of being, like you saying, Adam, are we in Starbucks on a public network? Or as you were saying, Joe, are we plugged into a wall at a facility and charging, and it's not only powering, but it's soaking up the data that we're providing through the cable? Make yourself aware of these things. Consider, like you were saying, whether to insource it or outsource it. And at least from my point of view, it sounds like it's better, after doing your homework to make sure you have a trusted third party that you're outsourcing to, but to outsource it to them, because you're not going to be able to pay a staff to 24-7 monitor it, to be on the latest information, because that's not their primary mission. Our primary mission is healthcare, not IT security. So that was a very good point. Being out there and understanding that there's a variety of ways they can attack you, whether it's through email, whether it's through skimming devices, whether it's when you're entering into an area where they have maybe an RFID type of thing for your information, for your equipment that you're restocking and doing stuff like that, all kinds of different places.
And I think this for me has been a very enlightening opportunity and hour that I've been able to spend with you guys and learn how we can continue to do our job better, but also do it in a more safe way. Thank you.
Yeah. I was going to say, you know, it's funny, right? I'm eligible as an EMT, but when we have these discussions, Mike, you bring out so much more than I haven't thought of personally. And you know, I, I never reached the level that you have. And, you know, with the leadership, my leadership is more around cybersecurity and other types of security. But when I look at what you're doing and when you're molding these new first responders, EMTs and paramedics, I'm sure you've had other, like Joe says, constituency, probably with law enforcement agents. We have to remind ourselves that it's not just you go to work, you provide patient care and you go home, you will have to continue that effort and learn and evolve in order to be the good provider that you need to be. And that's an important aspect that I keep on forgetting that. I always renew my New York State EMT and my national registry, but I gotta remind myself there's more to it than that.
Yeah, it seems like it's a really tough job. If we can help, please let us know. That's why we have the podcast. We're here to help. Feel free to reach out to us, put stuff in the comments. If there are some aspects of things, if you want to discuss something we've discussed here, or if there's something else that's completely different you want to ask, please let us know. We're happy to go through it and talk about it. And to all the EMTs and first responders out there, please have no doubt. We appreciate you very much. Thank you. And we know it's not easy, and please keep doing the good work and be careful out there too. And I don't mean with security. Watch yourselves.
I'm not going to mention the person's name, Mike, but you can kind of figure out who it is. And he's a supervisor in a large hospital system. I keep telling him, give me some tours. He's like, I would never give you a tour ever again. I don't want you near me. He's a really good friend. He's like, I don't want you working my bus. I don't want you interacting. He goes, do your cyber stuff. Stay away from me. But if anybody wants to give me a tour, I'm available. Thank you, sir. Thank you again, gentlemen. Appreciate it.
Mike, thanks so much for joining and making this easy for us. Thank you, sir. All right. Take care, everyone. Bye-bye. We'll see you. Cheers.
