Beware: Hospital Pagers Can Cause HIPAA Violations
by Arianna Etemadieh
Just like the outdated fax machine, the pager lives on in the healthcare industry. For decades, doctors have been notified about their patients' conditions through pagers.
However, recent reports have revealed that communicating through pagers may not be as secure as we once thought.
Hospitals around the country, especially some in Kansas City, may be exposing protected health information (PHI) every time a doctor receives a page.
Some hospitals have wisely moved to secure, encrypted paging systems. Many have not: their pages are still sent in the clear over open radio waves, and they can include sensitive PHI such as a patient's name, date of birth and medical diagnosis.
Any disclosure of PHI to an unauthorized individual is a potential HIPAA violation, and a costly one. If your hospital or practice uses pagers to communicate, be aware of this risk.
Hospital pagers risk patient PHI being exposed
Pager transmissions can be intercepted with free software-defined radio software and a USB receiver dongle that costs less than $30. The equipment is sold to radio and TV hobbyists, but its low cost puts it within reach of anyone with malicious intent as well.
One man from Johnson County, Missouri came across this discovery while toying with his TV antenna. Identified by The Star only as an information technology worker, the man was experimenting with a receiver he had bought to watch TV channels on his laptop. He ran a simple program that lets the receiver pick up radio signals and decode them on the computer.
However, instead of picking up local TV stations, the man saw information like this:
RQSTD RTM: (patient’s name) 19 M Origin Unit: EDOF Admitting: (doctor’s name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA
The personal data of a 19-year-old male patient was broadcast over open airwaves to anyone with a receiver tuned to the right frequency. The message was intended for the pager of the patient's doctor.
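One control a hospital can put in place while it still runs unencrypted pagers is a paging gateway that refuses to send PHI over the air and instead pages an opaque reference the doctor resolves in the hospital's secure system. The following Python is an added example, not code from the article or from any hospital's paging system: it parses the field layout of the page quoted above (the labels are taken from that page; the fixed, colon-separated layout and the placeholder patient and doctor names are assumptions) and replaces the PHI fields before the message reaches a POCSAG/FLEX transmitter.

```python
import re

# Constructed sample, modelled on the field layout of the page quoted in the
# article. The real patient and doctor names are not on the page; "JANE DOE"
# and "DR SMITH" are placeholders.
SAMPLE_PAGE = (
    "RQSTD RTM: JANE DOE 19 M Origin Unit: EDOF Admitting: DR SMITH "
    "Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA"
)

# Field labels in the order they appear in the page. Assumption: labels are
# fixed and always followed by a colon.
FIELD_LABELS = ["RQSTD RTM", "Origin Unit", "Admitting", "Level of Care", "Medical Diagnosis"]

# Policy assumption for this example: the patient line (name, age, sex) and the
# diagnosis are PHI; the unit, admitting physician and level of care are not.
PHI_FIELDS = {"RQSTD RTM", "Medical Diagnosis"}

# One capturing group so re.split() hands back [prefix, label, value, label, value, ...].
_FIELD_RE = re.compile(r"(" + "|".join(re.escape(l) for l in FIELD_LABELS) + r"):\s*")


def parse_page(text):
    """Split a flat pager message into {label: value} using the known labels."""
    parts = _FIELD_RE.split(text)
    fields = {}
    for label, value in zip(parts[1::2], parts[2::2]):
        fields[label] = value.strip()
    return fields


def contains_phi(fields):
    """True if any field the policy classes as PHI carries a value."""
    return any(fields.get(label) for label in PHI_FIELDS)


def redact_for_unencrypted_channel(text, reference):
    """Return a page that is safe to send over an unencrypted channel.

    PHI fields are replaced by an opaque reference (e.g. a queue ticket the
    secure system maps back to the patient); every other field is kept so the
    page still tells the doctor where to go and how urgent it is.
    """
    fields = parse_page(text)
    if not contains_phi(fields):
        return text
    safe = []
    for label in FIELD_LABELS:
        if label not in fields:
            continue
        value = "REF " + reference if label in PHI_FIELDS else fields[label]
        safe.append(f"{label}: {value}")
    return " ".join(safe)


if __name__ == "__main__":
    print("original:", SAMPLE_PAGE)
    print("redacted:", redact_for_unencrypted_channel(SAMPLE_PAGE, "A1B2"))
```

The gateway should apply `redact_for_unencrypted_channel` only to destinations it knows are unencrypted; pages to an encrypted system can carry the full message. Note that the doctor's name is kept here because it identifies the recipient rather than the patient, but a stricter policy could add `Admitting` to `PHI_FIELDS` just as easily.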
“When I first saw it I thought, ‘How does this happen? Why is it not fixed?’ This is 2018,” the IT worker said. “One, we’re still using pagers? And two, we’re sending unprotected patient data to them?”
Apparently, this potential security risk had been documented on tech websites, but patients had no idea about it.
The Star preserved the IT worker’s anonymity because of legal concerns under the Electronic Communications Privacy Act, which extended “restrictions on tapping phone lines to the interception of other electronic communications.”
A warning for all hospitals using pagers
The IT worker did not intentionally seek out the hospital data. However, his accidental discovery prompted him to bring attention to the security flaw.
He received patient data from at least six hospitals: the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary’s Medical Center and Wesley Medical Center in Wichita. From his home in Missouri he also picked up patient data from as far away as Michigan and Kentucky.
The unencrypted information included data on hundreds of patient visits, some of them for particularly sensitive issues like drug overdose, suicidal thoughts and alcohol withdrawal.
The IT worker feared how easy it would be for criminals to harvest this freely accessible information for identity theft.
“It’s security by obscurity at this point — and that’s scary,” he said. “In my line of work you see a lot of, ‘Let’s hope nobody finds it,’ ‘It’s hard to find, so it’s pretty secure.’ That’s not enough. We can’t just trust people won’t stumble upon it. We have to assume that they do.”
John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, said all hospitals should move to secure, encrypted pager systems.
“When sending or receiving personal health information, the AHA recommends all hospitals and health systems use secure data transmission platforms that are in full compliance with standards of the HIPAA Data Privacy and Security Rules,” Riggi said in an emailed statement.