Unencrypted Hospital Pager Messages Intercepted and Seen by Radio Hobbyist

June 27, 2018

 

Many healthcare organizations have now switched to secure messaging systems and have retired their obsolete pager systems.

Healthcare organizations that have not yet made the switch to secure text messaging platforms should take note of a recent security breach in which pages from several hospitals were intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software defined radio (SDR) is not new. Various websites describe how SDR can be used and what it is capable of, including the interception of private telecommunications. The risk of PHI being obtained by hackers using this method has been well documented. All that is needed is some easily obtained hardware that can be purchased for about $30, a computer, and some free software.

In this instance, an IT worker from Johnson County, MO bought an antenna and connected it to his laptop to pick up TV stations. However, he discovered he could pick up much more. By chance, he intercepted pages sent by doctors at a number of hospitals. The man told the Kansas City Star he intercepted pages containing highly confidential information, including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (physician’s name) Level of Attention: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be close to a hospital to intercept the pages and view PHI. Pages were picked up from hospitals and medical centers in Blue Springs, MO; Kansas City, KS; Liberty, MO; Harrisonville, MO; Wichita, KS; and even hospitals further away in Michigan and Kentucky.

Journalists from the Kansas City Star contacted several of the patients whose information was disclosed to verify that the information was correct. Understandably, the patients were stunned to find out that their confidential information had been obtained by unauthorized individuals, as were the hospitals.

Although not all hospitals replied, some of those that did said they are working with their vendors to correct the problem to make sure that pages can’t be intercepted in the future.

Intercepting pages is unlawful under the Electronic Communications Protection Act, but hacking healthcare networks and carrying out phishing campaigns to get PHI are similarly illegal, and that doesn’t stop hackers.

HIPAA-covered entities should take note of the latest privacy violations and consider implementing a secure messaging solution in place of pagers. In the meantime, they should contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.