Securing a Mobile EMS Operation

Although a mobile/paperless EMS operation is vastly more secure than a paper-based operation, it is not automatically bulletproof. A few initial steps, and a couple of ongoing company policies, are required. Most are necessary for HIPAA compliance, but all are sensible and inexpensive.


Minimize Role Membership

AngelTrack uses roles to grant access to its features and data. When an employee is a member of a role (such as "dispatcher"), that employee has all the privileges of that role, including read and (sometimes) write access to that role's data. Some roles are very powerful, with write access to large amounts of company data.

Greater access creates greater opportunities for accidental damage -- not to mention sabotage. So, do not add employees to any role unless they have a bona fide and ongoing need for those access privileges. And remove them from roles they no longer perform.

Restricting high-access security roles to company facilities

High-access security roles -- the Supervisor, Dispatcher, and Biller roles -- can be restricted to company facilities, by means of the ☑ Provisional mark. Any user account thus marked will be subject to the Timeclock IP restriction system, where the employee will enjoy their high-access roles only when logged-in from a company-owned IP address.

To learn how to configure the IP restriction system, read the Timeclock Hosts Guide.


Use the administrator account only when necessary

Never, never use AngelTrack's built-in administrator account for day-to-day operations. The administrator account has full read/write access to everything in AngelTrack, so a person logged-in as administrator has many opportunities to accidentally modify something important. This is a liability, no matter how trustworthy or careful your employees are.

Furthermore, the administrator account does not have any specific person's name on it. As such, its activities cannot be positively traced to an individual.

Use the administrator account to create yourself a separate employee account. Add yourself to whichever roles you require. Then log out, log back in using your new account, and don't use the administrator account again unless you specifically need to.


Computer security


Do Not Share Accounts

Every person who accesses your AngelTrack cloud server should have their own separate employee account. No exceptions.

Resist the temptation to create an employee account named "QAReview" or "Billing" for multiple people to use. When multiple people share an account in that manner, it becomes impossible to tell which one of them performed which action. You won't be able to trace a mistake back to the person who needs retraining.

This also applies to any outside contractors who you invite into your cloud server. Even if the contractors all operate under a single company ("Acme Billing"), do NOT create an "AcmeBilling" account for them, even if they specifically request it. Each one of Acme Billing's employees should have a separate account in their own name.


Securing Passwords

Password policy is a pillar of IT security. Appropriate password policy is already built into AngelTrack, and no further action is required unless you wish to adjust it.

Password expiration

AngelTrack has a password expiration interval, configurable on the Preferences page accessible from the Settings page. By default, the expiration interval is 180 days. You can choose any interval from 1 to 999 days, or set it to 0 to disable password expiration.

When an employee's password has expired, they will be prompted to change it when they next access AngelTrack. As with announcements, the password expiration prompt will not be shown if the employee has an active dispatch assigned.

Password expiration has another benefit: when employees are prompted to reset their password, they are also prompted to update their mobile number, their mailing address, and their emergency contact... in case these are outdated.

Common passwords automatically prohibited

AngelTrack has a built-in list of the 150 most common passwords. Attackers have the same list, and routinely use it to conduct brute-force attacks. To protect you from such attacks, AngelTrack does not permit any employee to choose a password that is on the list.

Warn employees to not share passwords

Employees should be counselled -- and then occasionally reminded -- that they are strictly prohibited from sharing passwords with other employees.

Sometimes, an employee will use another employee's password because he believes that he, the borrower, is running no personal risk. The risk, he feels, is borne entirely by the employee who mistakenly told him their password. Counter this assumption by reminding employees that merely knowing another employee's password is a personal liability: if Bob knows Alice's password, and Alice knows he does, then Alice can later blame Bob for her own activities in AngelTrack. Alice could say "I don't know who made those changes, but I know Bob knows my password, go talk to him."

Two-factor authentication

Every user account in AngelTrack can be enabled for two-factor authentication, as long as it has a messaging address (email or SMS) on file.

You can use the Employees Missing HR Data report under HR Home to see which employees have and have not enabled 2FA on their AngelTrack accounts.

Self-service password reset

If an employee has typed their messaging address (email or SMS) into their employee file in AngelTrack, they will be able to reset their own password if locked out. In this situation, AngelTrack will offer a reset button to the employee:

[Screenshot: Password reset option]

The employee will then receive a message containing a new, randomly-generated AngelTrack password.

Automatic account lockout

In order to defend against brute-force password guessing attacks, AngelTrack automatically locks its user accounts after several unsuccessful password attempts.

[Screenshot: Account locked]

When locking a user account after repeated password failures, AngelTrack follows this lockout schedule:

Consecutive Incorrect Passwords    Lockout Duration
2                                  none
3                                  2 minutes
4                                  5 minutes
5                                  10 minutes
6+                                 15 minutes

A locked account can be unlocked by anyone with Captain, Lieutenant, Dispatcher, or HR privileges. Just visit the Employees List, find the locked row, and click the red "Locked" button.

Automatic defense against username-guessing attacks

The logon page automatically defends against attempts to guess logon names, by refusing to confirm or deny whether any particular logon name is valid.

AngelTrack will even allow the attacker to attempt a self-service password reset via email, offering them a fake email address so that they cannot tell whether a logon name is valid. This is why, if you accidentally try to log on with the wrong username, you might see AngelTrack offer to send a password reset message to an email address that you don't recognize. AngelTrack won't actually send that email, but it will pretend to do so, in order to confuse an attacker.
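The lockout schedule and the username-neutral logon behaviour described above, as one added example. This is illustrative code written for this page, not AngelTrack's own implementation: the schedule values are taken from the table, but the choice that attempts made during a lockout are rejected without extending it, the plaintext credential store, the decoy-address derivation (an HMAC of the username, so repeated probes of the same name see the same never-used address) and the DECOY_DOMAINS list are all assumptions made here for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass, field

# Lockout schedule from the guide: consecutive incorrect passwords -> lockout seconds.
# Two failures incur no lockout; six or more always incur the 15-minute maximum.
LOCKOUT_SCHEDULE = {3: 120, 4: 300, 5: 600}
MAX_LOCKOUT_SECONDS = 900

# One reply for every failed logon, so the text never says whether the name exists.
GENERIC_FAILURE = "Incorrect username or password."

# Constructed list of mail domains used only to shape decoy addresses (assumption).
DECOY_DOMAINS = ("gmail.com", "yahoo.com", "outlook.com")


def lockout_seconds(consecutive_failures: int) -> int:
    """Map a count of consecutive incorrect passwords to the lockout duration."""
    if consecutive_failures < 3:
        return 0
    return LOCKOUT_SCHEDULE.get(consecutive_failures, MAX_LOCKOUT_SECONDS)


def mask_address(address: str) -> str:
    """Show only the first letter of the local part, e.g. a***@example.com."""
    local, _, domain = address.partition("@")
    return f"{local[:1]}***@{domain}"


@dataclass
class AccountState:
    failures: int = 0          # consecutive incorrect passwords
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    """Hypothetical logon guard (not AngelTrack's code) that applies the lockout
    schedule above and gives unknown usernames the same treatment as real ones."""
    accounts: dict[str, tuple[str, str]]   # username -> (password, messaging address); plaintext only for illustration
    decoy_key: bytes                       # server secret for deriving decoy addresses
    states: dict[str, AccountState] = field(default_factory=dict)

    def attempt(self, username: str, password: str, now: float) -> tuple[bool, str]:
        """Process one logon attempt at time `now` (epoch seconds)."""
        state = self.states.setdefault(username, AccountState())
        if now < state.locked_until:
            # Rejected without touching the counter: attempts during a lockout neither
            # extend it nor reveal anything (an assumption of this example, not the product's rule).
            return False, GENERIC_FAILURE
        known = self.accounts.get(username)
        if known is not None and hmac.compare_digest(known[0].encode(), password.encode()):
            state.failures = 0
            state.locked_until = 0.0
            return True, "Welcome."
        # Unknown usernames are counted and locked on the same schedule, so an observer
        # cannot tell a nonexistent account from a real one with a bad password.
        state.failures += 1
        seconds = lockout_seconds(state.failures)
        if seconds:
            state.locked_until = now + seconds
        return False, GENERIC_FAILURE

    def unlock(self, username: str) -> None:
        """The manual unlock a Captain, Lieutenant, Dispatcher or HR user performs."""
        self.states[username] = AccountState()

    def reset_address_hint(self, username: str) -> str:
        """Masked address offered for self-service reset. Real accounts get their own
        address; unknown names get a stable decoy derived from an HMAC of the name.
        Nothing is ever sent to a decoy address."""
        known = self.accounts.get(username)
        if known is not None:
            return mask_address(known[1])
        digest = hmac.new(self.decoy_key, username.encode(), hashlib.sha256).digest()
        letter = "abcdefghijklmnopqrstuvwxyz"[digest[0] % 26]
        return f"{letter}***@{DECOY_DOMAINS[digest[1] % len(DECOY_DOMAINS)]}"
```

The two properties worth checking in any implementation of this kind are that the failure message and the reset offer are indistinguishable for real and nonexistent usernames, and that a correct password presented during a lockout is still refused (otherwise the lockout would not slow a guessing attack at all).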


Securing Desktop Computers

[Image: Keypad doorknob]

Desktop computers used by back-office staff (dispatchers, billers, and the like) should have a passworded screen-saver configured to protect the computer after 5 minutes of inactivity. Back-office staff enjoy a great deal of access to AngelTrack, and there is always the risk they will go home for the night without remembering to log out of AngelTrack. The passworded screen-saver closes that gap.

If that proves too annoying, then a reasonable alternative is to secure the door of the dispatch office and the billing office. Install automatic door-closer mechanisms on the doors, and then install keypad doorknobs so that only authorized employees may enter. Once that's done, you could set a longer screen-saver lock on the computers inside -- perhaps thirty minutes instead of just five.

Avoid old operating systems that are no longer supported by the vendor

Upgrade your desktop computers to an operating system version that is still being supported by Microsoft or Apple, ensuring that the computer will have the latest security updates.

Windows 7 is no longer being supported by Microsoft, and so may have an escalating number of vulnerabilities. Consider immediately upgrading or replacing all Windows 7 computers.

Likewise for old web browsers, such as the venerable Internet Explorer, which has since been superseded by the Microsoft Edge browser.

TLS v1.2 / SHA-256 / RSA-2048

Your AngelTrack server requires your computer to connect by means of the secure TLS v1.2 protocol, using AngelTrack's very strong 2048-bit RSA key. This protects all of your traffic to and from AngelTrack from eavesdropping.

Obsolete versions of TLS -- v1.0 and v1.1 -- are forbidden from connecting to AngelTrack. As such, very old mobile devices and very old desktop computers may be unable to connect, if they only support the insecure older versions of the internet protocols.


Securing Mobile Devices

Automatic screen lock

A lost or stolen tablet creates a brief security vulnerability, if an employee was left logged-in on its web browser when the tablet went astray. In the interval between losing the tablet and realizing the loss, a malicious party could use the logged-in web browser to access the employee's run reports, certificates, and the like.

To secure this vulnerability, iPads and other tablets taken into the field should be configured with a lock screen and passcode. Choose a simple passcode that every employee can remember -- perhaps the last four digits of the company's main phone number? -- and then configure tablets to delete themselves after a few unsuccessful attempts.

Distinctive cases

[Image: An ugly iPad case]

To reduce the odds that company-owned mobile devices get stolen, select a protective case that is distinctively colored or decorated, and use the same case on every company-owned device.

A bright and ugly color is best: orange, lime green, fuchsia. Not only do such colors make the device unappealing to steal, but they also make it easier to find when accidentally left somewhere.

Central registration and remote wipe

Company-owned mobile devices should be registered to a central authority (e.g. iTunes), which then allows tracking and remote wipe. Do not hesitate to remote wipe a mobile device that has gone missing; if it is subsequently recovered, no EMS information was lost, as AngelTrack does not store any information on the device.

Securing personal mobile devices

If you permit your employees to use their personal mobile devices in the line of duty, then announce a HIPAA rule which they must follow:

If you use your personal mobile device to photograph HIPAA-protected patient documents, then federal law requires you to set a password on your device. Configure the device to wipe itself after ten unsuccessful password attempts.

At the end of each shift, after all reports are sent to QA, delete all HIPAA-protected photographs from your device.

This policy is already written for you as a built-in announcement in AngelTrack; you must simply activate the announcement.


Tracking of Employee HIPAA Training

AngelTrack has a built-in certificate type to track each employee's HIPAA training, and you can add custom certificate types to track other forms of recurring training... even something as simple as a ten-minute annual update on company policy regarding AngelTrack usage.

By means of these certificate types, you can use the Crew Certificates Overview report to easily monitor which employees need a refresher course on security-related topics.


Employee Termination Policy

When an employee is terminated, it is important to immediately suspend their access to AngelTrack. Although AngelTrack does not permit gross damage like report and document deletion, a disgruntled employee could nevertheless alter his or her run reports so as to cause problems in Billing, or alter the reports of crewmates to add profanity and the like. Therefore it is important to add the task "Revoke the employee's AngelTrack access" to your termination procedure.

Revoking AngelTrack access is easy. Any user with HR privileges can mark any employee inactive, which immediately suspends all AngelTrack access. Employees can easily be reactivated later, so do not hesitate to deactivate an employee when termination is imminent.

Automatic warning of stale user accounts

When a user account has not been utilized during the past 45 days, AngelTrack automatically marks it with a skull and crossbones in the Employee List. The account will also be reported in the "Stale Employee Records" dashboard under HR Home.

It is prudent to deactivate all stale user accounts, unless you know of a specific reason to keep them active.


Logging of AngelTrack Activity

You are already familiar with AngelTrack's journals, which track field-by-field changes to all dispatches, invoices, and timeclock entries. These journals cannot be altered or deleted by anyone, and hence are admissible in court as evidence.

There is also a journal of employee logon attempts and successes, available under HR Home and also from each employee's Employee Self-Edit page.

In addition to these, AngelTrack keeps logs of all web activity at the request level. This means you can review who accessed your AngelTrack cloud server, including the date and time, their IP address, their device type, and the pages accessed. The log cannot be altered and is retained for a period of time specified in the Data Lifetime and Export policy.

To learn how to use AngelTrack's logs and other forensics features to trace a data leak or other malfeasance to the responsible employee, read the Data Leak Forensics Guide.
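A review pass over request-level logs of the kind described above, added here as an example; it also models the Timeclock IP restriction from the "Restricting high-access security roles to company facilities" section, where a Provisional account keeps its Supervisor/Dispatcher/Biller roles only from a company-owned address. This is not AngelTrack's code and does not use its real export format: the log line layout, the company network 198.51.100.0/24 (a reserved documentation range), the account roster, the deactivation time and the sample lines are all constructed for this example.

```python
from __future__ import annotations
import ipaddress
import re
from datetime import datetime, timezone

HIGH_ACCESS_ROLES = {"Supervisor", "Dispatcher", "Biller"}

# Constructed configuration for this example. 198.51.100.0/24 stands in for a
# company-owned address block (it is a reserved documentation range).
COMPANY_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
ACCOUNTS = {
    "alice": {"roles": {"Dispatcher", "Crew"}, "provisional": True,  "deactivated": None},
    "bob":   {"roles": {"Biller"},             "provisional": False, "deactivated": None},
    "carol": {"roles": {"Crew"},               "provisional": False,
              "deactivated": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc)},
}

# Constructed request-level log excerpt in a made-up layout (the real export is
# governed by the Data Lifetime and Export policy and is not reproduced here).
SAMPLE_LOG = """\
2024-03-02T08:00:00Z user=alice ip=198.51.100.20 device=Desktop path=/Dispatch/Board
2024-03-02T22:15:00Z user=alice ip=203.0.113.7 device=iPad path=/Dispatch/Board
2024-03-02T09:30:00Z user=carol ip=198.51.100.21 device=Desktop path=/Reports/Runs
2024-03-02T10:00:00Z user=bob ip=203.0.113.9 device=Desktop path=/Billing/Invoices
2024-03-02T10:05:00Z user=QAReview ip=198.51.100.22 device=Desktop path=/QA/Queue
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) device=(?P<device>\S+) path=(?P<path>\S+)$"
)


def is_company_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMPANY_NETWORKS)


def effective_roles(user: str, ip: str) -> set[str]:
    """Roles in force for a request: a Provisional account keeps its high-access
    roles only when the request comes from a company-owned address."""
    acct = ACCOUNTS[user]
    roles = set(acct["roles"])
    if acct["provisional"] and not is_company_ip(ip):
        roles -= HIGH_ACCESS_ROLES
    return roles


def review(lines: list[str]) -> list[str]:
    """Return one finding per request that deserves a human look."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(f"unparsed log line: {line!r}")
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        user, ip, path = m["user"], m["ip"], m["path"]
        when = ts.isoformat()
        acct = ACCOUNTS.get(user)
        if acct is None:
            # Not on the roster: a shared or stray account such as "QAReview"
            # breaks the one-person-one-account rule and cannot be traced to anyone.
            findings.append(f"{when} {user} is not a named employee account (request to {path} from {ip})")
            continue
        if acct["deactivated"] is not None and ts >= acct["deactivated"]:
            # Access after deactivation means revocation did not take effect; investigate.
            findings.append(f"{when} deactivated account {user} still reached {path} from {ip}")
        if acct["provisional"] and acct["roles"] & HIGH_ACCESS_ROLES and not is_company_ip(ip):
            findings.append(f"{when} provisional account {user} worked off-site from {ip}; "
                            f"effective roles {sorted(effective_roles(user, ip))}")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

Run against the constructed excerpt this reports three items: the Dispatcher working from an off-site address (her high-access role was suppressed, but the session is still worth a look), a request by an account that had already been deactivated, and a request by the shared "QAReview" login that the "Do Not Share Accounts" section warns against.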


