Are Pagers Leaking Your Patients’ PHI?
Pagers were long ago displaced by smartphones as the reliable, straightforward means of communication, but in some situations,
This weakness, unencrypted pager messages, has specific implications for the US healthcare sector, an industry governed by HIPAA (the Health Insurance Portability and Accountability Act). HIPAA regulates how patients' personal data must be kept private and penalizes violations according to its tiered penalty structure. Yet in the course of our research we were able to read pages sent from healthcare facilities that contain a range of protected health information (PHI): email addresses, phone numbers, dates of birth, syndromes and diagnoses, among others.
In addition, we were able to track specific cases by the medical record numbers included in the pages. This allowed us to follow a patient's entire course through the hospital: from the moment the case is transferred from an outside facility, through every step taken to assess, diagnose and treat the patient, up to discharge. In certain cases we were even able to see death notifications.
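To make the correlation described above concrete, here is an added example in Python; it is written for this page and is not code from the Trend Micro research. It assumes a hypothetical decoder log format of one page per line prefixed with an ISO 8601 timestamp, and runs over constructed sample pages (not real captures); the "MRN" and "DOB" field prefixes are assumptions about how a hospital might format its pages. It shows both sides of the problem: grouping pages by medical record number rebuilds a patient's timeline from transfer to discharge, and the same patterns give the owner of a paging gateway an audit of which PHI fields are leaking, plus a minimal redaction step.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample pages for this example: they are NOT real captures.
# Assumed (hypothetical) log format: "<ISO-8601 timestamp> <message text>",
# one decoded page per line, as a pager decoder might write it.
SAMPLE_PAGES = [
    "2016-09-01T08:12:00 TRANSFER from County General MRN 4471829 DOB 03/14/1958 pt J. Doe ph 555-0142 chest pain",
    "2016-09-01T09:40:00 MRN 4471829 CT results back, dx pneumonia, call Dr. Lee ph 555-0199",
    "2016-09-01T10:05:00 MRN 9920031 DOB 11/02/1975 admit ortho fracture, contact jdoe@example.com",
    "2016-09-03T16:30:00 MRN 4471829 discharged home, f/u clinic",
    "2016-09-03T17:00:00 Cafeteria menu change: Thursday pizza day",
]

# Regexes for the PHI fields the research reports seeing in pages. The
# "MRN"/"DOB" prefixes are assumptions about how this hospital formats pages.
PHI_PATTERNS = {
    "mrn": re.compile(r"\bMRN\s*(\d{6,10})\b"),
    "dob": re.compile(r"\bDOB\s*(\d{2}/\d{2}/\d{4})\b"),
    "phone": re.compile(r"\b(\d{3}-\d{3}-\d{4}|\d{3}-\d{4})\b"),
    "email": re.compile(r"\b([\w.+-]+@[\w-]+\.[\w.]+)\b"),
}


def parse_page(line):
    """Split one logged page into (datetime, message text)."""
    ts, _, text = line.partition(" ")
    return datetime.fromisoformat(ts), text


def extract_phi(line):
    """Return {field: [values]} for every PHI-like field found in one page."""
    _, text = parse_page(line)
    found = {}
    for name, pattern in PHI_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def build_timelines(pages):
    """Correlate pages by MRN: {mrn: [(timestamp, text), ...]} in time order.

    This is the eavesdropper's view: one identifier ties together transfer,
    diagnosis and discharge messages that were sent hours or days apart.
    """
    timelines = defaultdict(list)
    for line in pages:
        ts, text = parse_page(line)
        for mrn in PHI_PATTERNS["mrn"].findall(text):
            timelines[mrn].append((ts, text))
    for events in timelines.values():
        events.sort()
    return dict(timelines)


def leak_summary(pages):
    """Count how many pages carry each PHI field: a quick audit the owner of a
    paging gateway can run over a day of outbound traffic."""
    counts = Counter()
    for line in pages:
        counts.update(extract_phi(line).keys())
    return dict(counts)


def redact(line):
    """Replace each PHI field with a placeholder token before the page leaves
    the gateway. Redaction is a stop-gap; encrypting the messages is the fix."""
    ts, text = parse_page(line)
    for name, pattern in PHI_PATTERNS.items():
        text = pattern.sub("[%s]" % name.upper(), text)
    return ts.isoformat() + " " + text


if __name__ == "__main__":
    print("leaking fields:", leak_summary(SAMPLE_PAGES))
    for mrn, events in build_timelines(SAMPLE_PAGES).items():
        print("MRN", mrn)
        for ts, text in events:
            print("  ", ts.isoformat(), text)
    print("redacted:", redact(SAMPLE_PAGES[0]))
```

The regexes are deliberately narrow; a real audit would add names, insurance IDs and whatever identifiers the local paging templates carry, and would run against the gateway's outbound log rather than over-the-air captures.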
The research paper presents these case studies, along with several possible attack scenarios in which an attacker uses information from unencrypted pager messages for reconnaissance, social engineering, or some form of targeted attack or sabotage. More importantly, our researchers also outline actionable recommendations for healthcare organizations that are still using pagers in an
Download the full research paper Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry