HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers

Many healthcare providers have now transitioned from pagers to more secure forms of communication. Secure text messaging platforms allow protected health information (PHI) to be shared quickly and efficiently between physicians and care team members, and they incorporate the security features needed to ensure messages cannot be intercepted and read by unauthorized individuals. Pagers, by contrast, typically lack basic security controls such as encryption, and many cannot authenticate either the sender or the recipient of a message. As such, many pager systems used by healthcare providers to transmit PHI are violating HIPAA Rules.

A recent study conducted by Trend Micro has shown just how easy it is for healthcare pager messages to be intercepted. Researchers found they could intercept and decode pager messages using only a USB software-defined radio (SDR) dongle and decoding software, equipment that can be purchased for as little as $20. It is not even necessary to be in close proximity to the source of the pages: the same $20 equipment can pick up messages many miles from the transmitter.

For the study, researchers monitored pager communications for four months, between January and April 2016. 54,976,553 pages were analyzed, of which 11% were sent by healthcare providers such as hospitals, medical centers, clinics, and rehabilitation centers. According to the report, “unencrypted pages are a systemic problem affecting several states in the US.”

The researchers noted numerous cases of unencrypted pages containing protected health information, in particular for interfacility transfers (IFT), when patients are transferred to or from a healthcare facility.


PHI such as patients’ names, contact telephone numbers, dates of birth, and medical diagnoses was often included in the pages. According to the report, “We have observed abundant IFT pages that were either generated by software with interfacility coordination functions or manually entered, as well as pages transmitted in the EMS (Emergency Medical Services) workflow.”

However, unencrypted pages were not limited to patient transfers. “We’ve seen pages describing admission to the emergency department, bed requests, in-facility transfer preparation requests, treatment orders, patient status updates up until the discharge or further transfer process.”

During the study, a wide range of data elements that constitute protected health information under HIPAA Rules when linked to an individual were intercepted, as detailed in the table below:

Data Element                     Number of Pages   Percentage of Total
Email                                    805,609                   28%
Medical terms                            647,745                   23%
English names                            510,313                   18%
Syndromes / diagnoses                    399,862                   14%
Medicines on the FDA drug list           164,117                    6%
Phone numbers                            124,949                    4%
Date of birth, age, gender               110,708                    4%
Medical reference numbers                 90,124                    3%

Source: Trend Micro, Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry
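As an added example (not code from the Trend Micro report or from HIPAA Journal), the following Python script classifies decoded pager text into the element categories of the table above and flags pages that pair an identifier with clinical content, which is what turns a bare medical term into PHI. The sample pages, the drug list, the vocabulary sets and the regular expressions are constructed stand-ins for this example; the researchers' actual dictionaries and matching rules are not on this page.

```python
"""Classify decoded pager text by the PHI-style elements it contains.

Added example; not code from the Trend Micro study or HIPAA Journal.
All sample pages, word lists and patterns below are constructed for
illustration (fictional patients and numbers, and tiny stand-ins for
the FDA drug list and medical vocabulary the researchers used).
"""
import re
from collections import Counter

# Constructed sample of decoded pages. Patients and numbers are fictional.
SAMPLE_PAGES = [
    "IFT REQ: JOHN DOE DOB 04/12/1958 M DX CHF EXAC TO ICU BED 4 CALL 555-0143",
    "RX: METFORMIN 500MG PO BID PT MRN 00893412 PHARMACY EXT 2231",
    "BED REQUEST ED PT JANE ROE 67F SEPSIS R/O CONTACT jroe@example.org",
    "SYSTEM TEST PAGE - NO REPLY NEEDED",
    "EMS ETA 10 MIN 45M MVC CHEST PAIN CALL 555-0199",
]

# Tiny stand-in dictionaries (illustrative only; the study used the real
# FDA drug list and medical dictionaries).
DRUG_LIST = {"metformin", "lisinopril", "insulin", "warfarin"}
MEDICAL_TERMS = {"icu", "ed", "ems", "dx", "rx", "mrn", "ift", "po", "bid", "pt"}
DIAGNOSES = {"chf", "sepsis", "mvc", "chest pain"}
NAME_WORDS = {"john", "jane", "doe", "roe"}

# Structured identifiers that a regular expression can catch directly.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b|\b\d{3}-\d{4}\b"),
    "dob_age_gender": re.compile(
        r"\bDOB\s+\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{1,3}[MF]\b", re.I),
    "medical_reference_number": re.compile(r"\bMRN\s*\d{6,}\b", re.I),
}

# A page becomes PHI when an identifier is linked to health information.
IDENTIFIERS = {"email", "phone", "dob_age_gender", "medical_reference_number", "name"}
CLINICAL = {"diagnosis", "fda_drug", "medical_term"}


def classify_page(text):
    """Return the set of element categories found in one decoded page."""
    found = {name for name, pat in PATTERNS.items() if pat.search(text)}
    lowered = text.lower()
    words = set(re.findall(r"[a-z]+", lowered))
    if words & DRUG_LIST:
        found.add("fda_drug")
    if words & MEDICAL_TERMS:
        found.add("medical_term")
    if any(dx in lowered for dx in DIAGNOSES):   # multi-word diagnoses need substring match
        found.add("diagnosis")
    if words & NAME_WORDS:
        found.add("name")
    return found


def is_phi(categories):
    """True when the page pairs at least one identifier with clinical content."""
    return bool(categories & IDENTIFIERS) and bool(categories & CLINICAL)


def tally(pages):
    """Count pages per category (as in the table) and pages that are PHI."""
    counts = Counter()
    phi_pages = 0
    for page in pages:
        cats = classify_page(page)
        counts.update(cats)
        if is_phi(cats):
            phi_pages += 1
    return counts, phi_pages


def report(pages):
    """Print a table in the same shape as the one in the article."""
    counts, phi_pages = tally(pages)
    total_hits = sum(counts.values())
    print(f"{'Data Element':28}{'Pages':>8}{'% of hits':>12}")
    for name, n in counts.most_common():
        print(f"{name:28}{n:>8}{100 * n / total_hits:>11.0f}%")
    print(f"\n{phi_pages} of {len(pages)} pages link an identifier to health information")


if __name__ == "__main__":
    report(SAMPLE_PAGES)
```

Running the script on the constructed sample prints a per-category count and reports that four of the five pages are PHI; the one page that is not (a system test) contains neither an identifier nor clinical content. A real audit of a hospital's own pager traffic would swap in full name, drug and diagnosis dictionaries and run the same logic over the decoded feed.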

In many cases, the types of information obtained from the pages were limited to patient names, genders, and brief summaries of symptoms. However, in some cases Trend Micro researchers were able to use the information obtained from the pages to make “reasonable assumptions about medical diagnoses and treatment plans.”

Interception is not the only problem; pages can also be spoofed relatively easily. To test this, the researchers set up a controlled environment and ran tests using standard pagers of the kind commonly used by healthcare providers. They were able to send spoofed pages that were picked up and decoded by commonly used pager decoding software.

The researchers proposed a number of possible attack scenarios, such as sending spoofed pages to a pharmacy to interfere with patients’ medications, directing patients to the wrong facilities or operating rooms, declaring false medical emergencies within healthcare facilities, obtaining information about patients from doctors by spoofing pages, stealing identities, and spoofing SMS messages sent to pagers for a wide range of other nefarious purposes.

To prevent the interception of pages, communications must be encrypted, and authentication controls should be used to ensure both that messages can only be read by authorized individuals and that a page has genuinely come from a trusted source. Where those controls are absent, a page should contain only information that cannot be used to identify the patient.
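As an added example (not code from the Trend Micro report, from HIPAA Journal, or from any pager vendor), the following Python code applies the two controls just described to a page payload: encrypt-then-MAC under a shared key, so that an SDR eavesdropper sees only ciphertext and a page forged or altered without the key is rejected before its contents are read. It uses only the standard library (a keystream from HMAC-SHA256 in counter mode, plus an HMAC tag over nonce and ciphertext); the key, the nonce length and the sample page text are assumptions for the example, and a production system should use a vetted AEAD such as AES-GCM rather than this hand-built stream cipher.

```python
"""Encrypt-then-MAC envelope for a pager payload.

Added example; not code from the Trend Micro report or any pager product.
Confidentiality: an eavesdropper sees only nonce || ciphertext || tag.
Authenticity: a page forged or altered without the shared key fails the
tag check and is never decrypted. Standard library only; the HMAC-based
counter-mode keystream is an illustration, not a replacement for a vetted
AEAD such as AES-GCM or ChaCha20-Poly1305.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16   # assumed envelope layout for this example
TAG_LEN = 32     # full HMAC-SHA256 output


def _subkeys(master_key):
    """Derive independent encryption and MAC keys from one shared master key."""
    enc = hmac.new(master_key, b"page-enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"page-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: PRF(nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + struct.pack(">Q", counter)
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key, plaintext, nonce=None):
    """Return nonce || ciphertext || tag; a fresh random nonce unless one is supplied."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_page(master_key, blob):
    """Verify the tag in constant time before decrypting; ValueError on any failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated page")
    enc_key, mac_key = _subkeys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: forged or altered page")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def is_rejected(master_key, blob):
    """True if the receiver refuses the envelope (forgery, tampering, wrong key)."""
    try:
        open_page(master_key, blob)
    except ValueError:
        return True
    return False


def demo():
    """Sealed page versus the cleartext an SDR would otherwise capture."""
    shared_key = os.urandom(32)   # provisioned to sender and receiver out of band
    page = b"IFT REQ: JOHN DOE DOB 04/12/1958 DX CHF TO ICU"   # constructed sample
    blob = seal(shared_key, page)
    assert open_page(shared_key, blob) == page
    assert b"JOHN DOE" not in blob          # eavesdropper sees no plaintext
    forged = seal(os.urandom(32), b"PHARMACY: CANCEL WARFARIN")   # attacker has no key
    return "forged page rejected" if is_rejected(shared_key, forged) else "forged page accepted"


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the pager channel itself is one-way, so the shared key has to be provisioned to every device out of band, and this envelope does not stop replay of a previously captured valid page; a receiver would also need to track nonces or a sequence number. Those are the problems a purpose-built secure messaging platform solves, which is why the article recommends moving to one.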

Pagers that lack encryption and authentication controls violate HIPAA Rules. To date, the Department of Health and Human Services’ Office for Civil Rights has not taken action against healthcare providers for using insecure communication systems to transmit PHI, but it remains a possibility.

In order to comply with HIPAA regulations, the easiest solution is to retire the pager and adopt a HIPAA-compliant communication system such as a secure, encrypted, text messaging platform.

The full Trend Micro report, Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry, is available from Trend Micro.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.