Unencrypted Hospital Pager Messages Intercepted and Viewed by Radio Hobbyist

June 28, 2018

 

Many healthcare organizations have now transitioned to secure messaging systems and have retired their obsolete pager systems.

Healthcare organizations that have not yet made the change to secure text messaging platforms must take note of the latest security breach, in which pages from several hospitals were intercepted by a ‘radio hobbyist’ in Missouri.

Intercepting pages using software-defined radio (SDR) is not new. Various websites describe how SDR can be used and what it can do, including the interception of private communications. The danger of PHI being obtained by hackers using this method has been well documented. All that is needed is some easily obtained hardware that can be purchased for about $30, a computer, and some free software.

In this instance, an IT worker from Johnson County, MO bought an antenna and connected it to his laptop to pick up TV stations. However, he found he could pick up much more. By chance, he intercepted pages sent by doctors at numerous hospitals. The man told the Kansas City Star he intercepted pages containing highly confidential information, including the page below:

“RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (physician’s name) Degree of Care: 1st Avail Medical Analysis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA”

It was not necessary to be in the close vicinity of a hospital to intercept the pages and view PHI. Pages were picked up from medical centers and hospitals in Blue Springs, MO; Harrisonville, MO; Liberty, MO; Kansas City, KS; Wichita, KS; and even hospitals farther away in Michigan and Kentucky.

Journalists from the Kansas City Star contacted several of the patients whose information was exposed to verify that the information was correct. Understandably, the patients were surprised to find out that their confidential information had been obtained by unauthorized individuals, as were the hospitals.

Although not all hospitals replied, some of those that did said they are working with their vendors to correct the problem and make sure that pages cannot be intercepted in the future.

Intercepting pages is unlawful under the Electronic Communications Protection Act, but hacking healthcare networks and carrying out phishing campaigns to get protected health information are also unlawful, and that does not stop hackers.

HIPAA-covered entities must take note of the latest privacy violations and must consider implementing a secure messaging solution in place of pagers; in the meantime, they must contact their vendors and explore the options for encrypting pages to prevent ePHI from being intercepted.