Texas ESD Commissioner Accountability in the Age of Cyber Risk
- Bob Janusaitis


Texas ESD Commissioners are fiduciaries. They oversee public funds, critical services, and regulatory compliance. In today’s environment, cybersecurity is increasingly tied to all three—and that creates a governance obligation that cannot be ignored.
Regulatory agencies no longer view cyber incidents as purely technical mishaps. Improper access to patient records, weak authentication practices, or lack of risk assessments are now treated as management failures. In enforcement actions, the question is often not “Was there a breach?” but “Did leadership take reasonable steps to prevent it?”
Commissioners may assume that cybersecurity responsibility ends with approving a contract or funding a software system. In reality, governance expectations extend further. Boards are expected to understand risk at a high level, ensure assessments are performed, verify training occurs, and confirm that incident response plans exist.
This mirrors other operational risks. Commissioners don’t personally inspect brake pads—but they ensure fleet maintenance programs exist. They don’t staff every shift—but they approve staffing models and funding. Cybersecurity fits the same pattern.
Federal and Texas law reinforce this responsibility. HIPAA and Texas HB 300 impose training, access control, and safeguard requirements that apply to EMS agencies regardless of size. Failure to meet these standards can result in civil penalties, corrective action plans, and reputational damage, none of which can be delegated away.
Cyber incidents also create discovery risk. Emails, board minutes, policies, and assessments may all be reviewed after an incident. Boards that cannot demonstrate oversight may find themselves exposed to unnecessary scrutiny.
Good governance does not require technical mastery. It requires asking the right questions:
- Have we conducted a recent security risk assessment?
- Do we know where patient data is stored?
- Are staff trained annually?
- Do we have a documented cyber incident response plan?
When commissioners engage at this level, they protect not only the agency—but themselves.
Cybersecurity is now part of the duty of care for EMS governance. Ignoring it doesn’t reduce responsibility—it increases exposure.


