The opinions expressed in this blog article are those of the author alone.
In our previous blog, we discussed how pagers used in medical settings present an opportunity for threat actors to intercept valuable protected health information (PHI) and disrupt encryption and privacy. For malicious hackers, radio-based communications are a potential attack vector that organizations should watch closely. The risk is real, as more than 85 percent of hospitals still rely on pagers for communication, and the PHI data transmitted is not monitored with the same level of scrutiny as other electronic mobile devices.
While organizations have a responsibility to protect this information, the entities that govern the radio frequency environment in which those pagers operate (such as the FCC and U.S. criminal code) need to modernize as well. They simply haven’t kept up with the changing threat landscape or the easy access malicious hackers have to inexpensive software-defined radio, open source software, and YouTube how-to videos. This isn’t unusual, as technology typically outpaces the legal system and the implementation of new laws. Now that the gap is evident, however, it’s time for action.
Federal Radio Regulations vs. IT Regulations
Security and privacy gaps become clearer when you look at the differences between federal regulations regarding radio transmissions versus standard IT operating procedures. For example, people who work in information security understand that encrypting information as it is transmitted is a requirement for privacy, and that bad actors regularly attempt to gain access to this information.
Without encryption, there can’t be any expectation of privacy. From an IT security perspective, the solution is implementing strong encryption that is trusted and tested regularly by the security community, rather than just telling hackers what they’re doing is illegal and trusting they don’t want to get caught breaking the law.
On the legal side of that paradigm, current regulations do not require encryption as a prerequisite for privacy, and don’t allow the same level of industry security research in the radio space (such as for those pagers) across all technologies. For instance, Federal Title 18 code and FCC Title 47 make it a crime to listen in on sensitive information transmitted over most wireless technologies, even when it is unencrypted.
That’s the level of control that is administered. That’s it. It’s illegal, so don’t do it.
This regulatory approach also prevents the discovery of existing vulnerabilities in some frequency bands that hackers may already be well aware of and exploiting. Security researchers are constantly looking for vulnerabilities in software and systems. However, if the same type of research techniques were applied in radio to identify vulnerabilities in open communication channels and a researcher came forward, he or she could be fined and/or imprisoned for violating federal law.
Again, this policy doesn’t apply to all bands and/or technologies, but it does for many very common ones such as pagers and cell phones. Bad guys will ignore the laws and keep those “zero-day” attacks to themselves to exploit rather than tell vendors or legitimate security researchers so they can make corrections.
Restrictions based on existing regulations on innovation and progress in radio are also still on the books. Imagine if the next breakthrough in securing radio communications was designed in someone’s spare time. Amateur radio operators have historically innovated with new techniques and protocols to meet a number of needs. However, when it comes to providing innovation on protecting sensitive information in radio communications, current regulations make it illegal in both voice and digital modes in amateur radio bands to use any form of encryption or disguising of data in any way so that compliance with FCC regulations can be monitored.
Making the Case for Reform
Modernization of communications and closer monitoring of laws needs to be prioritized so the same level of expectations and capabilities in the radio space can be applied to all radio technologies, just as they are in IT. The laws should take into account legitimate researchers to better enable them to identify security gaps that hackers may already exploit. Industries should come to understand that without encryption, privacy should not be expected. Simply making it a crime to listen in on sensitive information doesn’t provide any protection to our information as it goes across the air.
While it would inevitably take time to change, lawmakers should push for reform in FCC and federal regulations to remove any restrictions on the use of encryption, and remove penalties for capturing unencrypted transmissions. This shift in philosophy would allow vendors, manufacturers, and researchers to use encryption whenever they feel there is sensitive information to protect, and identify gaps in existing solutions that can be addressed and corrected to everyone’s benefit.
Delta Risk offers cyber security professional services and managed security solutions to healthcare clients of all sizes. Our team is ready to discuss our capabilities to help you manage and reduce the risks associated with HIPAA compliance and data security of all types in your organization.