Smartphones and secure messaging apps may be gaining favor in health systems these days, but many providers still use good old-fashioned pagers for emergency communications. And that may be putting patient privacy at risk.
Developed in the 1940s at New York’s Jewish Hospital and a seemingly ubiquitous part of every clinician’s toolbelt during the 1980s and ’90s, pagers have long held favor with health system administrators plagued by shoddy cellular or Wi-Fi coverage and the constant threat of hacking or of important messages getting lost in the mix of phone calls, spam and grocery lists. But a recent report by security firm Trend Micro finds that pager messages can be intercepted by someone armed with a $20 dongle and the right software.
“We saw that attackers would be able to view interfacility transfer communication between hospitals and other medical facilities … regardless if the pager messages (pages) were manually typed or generated by workflow software,” Trend Micro’s report states. “We also saw the range of protected health information that are available to attackers - e.g., email, phone numbers, date of birth, syndromes, and diagnosis. This makes the use of pager technology a likely violation of the Privacy and Security Rules in the Health Insurance Portability and Accountability Act (HIPAA), which can result in civil and criminal penalties for the affected healthcare organizations.”
Healthcare is still in a state of flux regarding communications between providers. Several mHealth companies are marketing secure messaging devices and platforms, and a 2014 Office of the National Coordinator for Health Information Technology (ONC) data brief found that roughly half of all physicians have exchanged secure messages.
This past January, an article in the Journal of the American Medical Association acknowledged the gradual demise of the pager in favor of a mobile messaging platform, but told providers to use both pagers and smartphones for a while, to ease that transition.
With studies suggesting anywhere between half and 90 percent of health systems still using pagers in at least one department, it’s clear that transition is taking its time. A 2015 report in the Journal of Medical Internet Research found that while physicians prefer the ease of text messaging, they still saw pagers as a better means of protecting patient data.
Pagers are still seen as a secure form of communication for emergencies, such as real-time consults between clinicians in a health system or ER cases. They’re on a reliable network set aside specifically for those messages, they’re capable of reaching someone 150 miles distant, and they store no data.
They can also be intercepted, as researchers from Trend Micro discovered.
“Pagers were designed before security was even a concern and privacy standards were just coming about. HIPAA was enacted in 1996 during the height of pager technologies,” they point out. “Pagers are rarely encrypted and pages are sent over the airwaves unencrypted.”
Of the roughly 2 million healthcare-related pages analyzed over four months earlier this year, researchers found that 28 percent included e-mails, 23 percent contained medical terms, 18 percent included proper names, 14 percent included specific symptoms and diagnoses, 6 percent divulged medications on the FDA’s drug list, 4 percent included phone numbers and/or age and gender information, and 3 percent included a medical reference number.
Furthermore, the folks at Trend Micro found that they could “spoof” pages, or use information “sniffed” from pages to create pager messages that look just like real pages from legitimate sources.
So how could unsecured, unencrypted pages pose a threat in healthcare? The Trend Micro report offered six scenarios:
- A message to a pharmacy could be altered to change medications or dosages, putting the patient in danger or helping someone to sustain an addiction.
- A message within a hospital to move a patient to a certain room or department could be altered, sending him/her to a different location, such as the wrong operating room.
- A message could be spoofed to declare an emergency in a hospital.
- Messages between clinicians could be intercepted, even rerouted and spoofed.
- A message could be mined for information used in identity theft.
- A hacker could access the SMS gateway that forwards SMS messages to pagers, changing or even creating false messages.
“Healthcare organizations must immediately reevaluate the use and maintenance of pagers,” the report concludes. “They should find more secure alternatives and procedures to avoid violating HIPAA regulations. Meanwhile, they can observe some good paging content practices that uphold the security of PHI, like limiting the transmitted information to what is necessary without revealing too much. On the other hand, vendors must find ways to encrypt pager communication to protect customer privacy and should authenticate the source to prevent spoofed messages.”