Security Risks of Unencrypted Pages Evaluated

Pagers are still extensively used in the healthcare industry even though the devices have been shown to pose a considerable security risk.

Trend Micro has recently demonstrated – in the company’s ‘Leaking Beeps’ series of reports – the extent to which pagers leak data and how easy it is for sensitive information to be intercepted by cybercriminals. The equipment needed to intercept unencrypted pages can even be purchased for as little as $20.

The third installment in the Leaking Beeps series of reports has just been released, further highlighting the risk of exposure of healthcare data and showing how cybercriminals could attack the systems to which pagers connect.

Trend Micro draws attention to two tools in particular that could be used by hackers to gain access to systems and data: SMS-to-pager gateways and email-to-pager gateways.

SMS-to-pager gateways use specific numbers to receive SMS messages and forward them to pre-configured pagers. SMS-to-pager gateways are commonly used by healthcare organizations and the data transmitted is often unencrypted. Not only can messages be intercepted, SMS-to-pager gateways may also include systems that look up caller IDs. One healthcare provider’s system was discovered to have leaked 135 patients’ names, along with dates of birth, patients’ pregnancy status, phone numbers, and information about symptoms and contracted illnesses.

Email-to-pager gateways could potentially provide attackers with a range of information that could be used in future cyberattacks. Attackers could intercept and compile lists of contacts for use in spear phishing campaigns. Email-to-pager gateways could also be used to obtain information about the routers used by an organization and any downtime experienced. Armed with this information, an attacker could search for vulnerabilities affecting those routers and use them to conduct attacks on healthcare networks.

During the research, messages were intercepted that provided details of LDAP servers where authentication and account information were stored. Trend Micro notes that an attacker who has already gained access to a company’s system could use this information to move laterally within a network.

Other data exposed via unencrypted pages, SMS-to-pager gateways, and email-to-pager gateways included WINS names, Microsoft SQL Server and Oracle Database server names, types of databases used by organizations, server error messages, and information generated by intrusion detection systems showing the types of attacks that have been experienced and the vulnerabilities that attackers have attempted to exploit. Trend Micro researchers also discovered an “astonishing” number of passwords and passcodes that were transmitted in clear text.

One of the main threats comes from attackers using information gathered from unencrypted pages for future spear phishing and social engineering attacks. Trend Micro was able to gather a wide range of information that could be used such as employees’ names, birthdays, vacation time, and appointments. It was also possible to determine interpersonal relationships between staff members.

Parcel tracking numbers were gathered which could allow attackers to determine parcel delivery schedules. This information could be used to craft convincing phishing messages.

Due to the security risks that come from using pagers and concerns over HIPAA violations from sending PHI via unencrypted pages, many healthcare organizations have now ditched the pager in favor of secure, HIPAA-compliant messaging platforms on smartphones and other portable electronic devices.

Any healthcare organization still using these legacy devices should carefully consider the risks involved and weigh these up against the benefits that they provide. Healthcare organizations should conduct a thorough risk analysis on the use of pagers to communicate sensitive information.

If there are any reasons why pagers cannot be retired, at the very least, healthcare organizations should strongly consider organization-wide encryption of pages. If encryption is chosen in favor of a modern messaging platform, the method of encryption should meet the minimum standards outlined in NIST encryption guidelines.

Until such time that a more secure system is in place, healthcare organizations should refrain from sending PHI via encrypted pages and avoid transmitting highly sensitive information such as passwords and passcodes.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.