It’s a late Saturday morning and Joe Hacker (aka WF4EAK in underground hacking circles) fires up the software-defined radio (SDR) he bought online for $20 to listen in on the local hospital paging traffic. After all, he is trying to make a few extra bucks to buy a new Xbox, and selling healthcare information on the black market has turned into a lucrative side job. Let’s face it, organizations that are strictly following HIPAA guidelines and other healthcare regulations have made it harder to hack into hospitals. So how’s a hacker supposed to get to that protected healthcare information (PHI) to make some fast cash?
The answer could be easier than you would expect. Although many hospitals have tightened up their overall security, most have forgotten or quietly ignored the electronic communications going to their staff’s pagers. Amazingly, 85 percent of hospitals still rely on pagers for communication.
Remember pagers, those little devices all the “cool” people carried back in the 90’s that were all the tech rage, like the latest smart phone is today? If you were really cool, you had the alphanumeric ones that didn’t just show a calling phone number, but could actually show text messages (yes, text messages!).
Medical staffs still carry pagers and use them regularly as part of their normal business day. And they use these pagers to talk about all kinds of medical information and hospital operations. Why are healthcare operators still using pagers? As John D. Halamka, Chief Information Officer at Beth Israel Deaconess Medical Center pointed out, “During the Boston Marathon bombing incident, all cellular technology in the city was shut off but all pagers continued to work.”
Just ask anyone in the medical field who still carries a pager to describe the information they send and receive. I did. The amount and type of information would surprise most people: patient names going into and out of surgery, bloodwork procedures for patient X, patient attending doctor names and callback info, admission and discharge info, even psych observations. And they send this information out all the time.
There is also a risk that this privileged information can leak out to interested parties or serve as blackmail material. According to a report by Trend Micro, the threat of PHI being intercepted is very real. In a 2016 research report, Trend Micro was able to identify 77,000 patient names from 401,794 intercepted pager records of PHI.
Imagine this scenario: Jane Doe is admitted to a hospital, and the intake social worker pages Jane’s doctor, saying, “Just talked to her for 20 minutes and she’s a mess. Just sent you the eval. Consider recommending 201 [voluntary psychiatric hospitalization].” If that information was intercepted by someone with malicious intent, it could mean the end of a potential promotion or project she’s been pushing to lead at work, loss of public office, or any other number of potentially damaging scenarios.
Moreover, criminals paying for medical records on the black market may pay extra if Jane is the daughter of someone important and they could use that information as leverage against her parents for blackmail purposes.
The Legal Side of Managing PHI for Pagers
Okay yes, capturing unencrypted pager signals out of the air is illegal, (or at the least a gray area depending on how you look at it.) If you’re reading this, and you’re in the United States, don’t try it. The 1986 Electronic Communications Privacy Act (ECPA) says it’s illegal in the United States to capture cell phones or pagers under federal law.
FCC Title 47, part 15 has language against intentional eavesdropping, and there are stiff penalties (roughly a year in prison). Moreover, U.S. federal law Title 18, USC 2511 section (4)(b), says it’s illegal too. But so is hacking into a computer system without permission, and that’s what hackers do, right? Protecting PHI is a foundational to stay compliant, and we as security professionals need to help organizations protection this valuable information.
Where Do HIPAA and Other Health Regulations Stand on This?
You would think that because this information is electronic, and PHI should be regulated under HIPAA, organizations should be aware of this, right? So why are medical facilities not securing it? That answer isn’t clear, but the information and guidance is out there if you look for it. The HIPAA Journal published an article indicating that pager use in medical facilities is on the decline (but still present). They go on to mention that because it is electronic information being exchanged, it is covered under HIPAA.
Others in the HIPAA community have also weighed in on guidance indicating that pager data is covered under HIPAA. In general, organizations have three options to be HIPAA compliant: 1. stop using them; 2. enact a policy such that no PHI should be mentioned in any texts (if this approach is taken, employees need to be informed of this change and their actions will be monitored for compliance); or 3. use a HIPAA compliant secure messaging platform (there are a number of them out there on the market).
From a regulatory perspective, pagers shouldn’t be treated any differently than other electronic devices. The same type of administrative, technical, and physical controls applied to other electronic information (think IT, websites, servers, mobile phones) would also need to be applied to pagers. This may also include the need to perform functions such as remote wipes if a pager is lost or stolen, similar to how you would handle a mobile smart phone or tablet.
Pagers may very well be a healthcare organization’s Achilles’ Heel for organizations still using them when it comes to maintaining HIPAA compliance and protecting patient medical information. Not all organizations have applied the same best practices around encrypting sensitive information going out over pagers the same way the IT community has for say their primary patient portal web site. This could be for any number of reasons, such as IT may not manage the paging infrastructure, the organization may not have thought about this information as electronic, and under the oversight of HIPAA, or they are aware, and the cost of implementing an alternative secure solution may not be in the budget.
Hopefully this discussion will create conversation within organizations to look into their own environment, and consider incorporating secure paging and messaging platforms into the HIPAA conversation. If you have any regular or annual assessments conducted by any outside parties, they should be asking about this topic as well. For those looking to implement an alternative, there are secure messaging solutions available in the market that claim HIPAA compliance.
Our next blog will focus on how the FCC and other regulatory bodies can maintain a tighter grip on encryption for pagers and other wireless devices through reform.