View Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry
Pager technology has long been ousted by smartphones as a reliable and straightforward means of communication, but in some situations, pagers are still being used, like in restaurants, hospitals or in places that can't be reached by a cellular signal. Unfortunately, modern technology has caught up with this legacy solution. Through software-defined radio and cheap equipment, third parties can read unencrypted pager messages (pages) in the clear even tens of kilometers away from their source. We discuss our findings in our latest research “Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry.”
This weakness in pager technology has specific implications for the healthcare sector in the US, an industry governed by HIPAA (the Health Insurance Portability and Accountability Act). HIPAA regulates how patients’ personal data should be kept private and penalizes any violations according to the HIPAA penalty structure. In contrast, during the course of our research, we were able to read pages coming from healthcare facilities that contain a range of protected health information (PHI)—e.g., email, phone numbers, date of birth, syndromes, and diagnosis, among others.
In addition, we were able to track specific cases based on medical record numbers in the sent pages. This allowed us to follow a patient's transaction with the hospital: from the time a patient’s case is transferred from an outside facility, all the steps taken to assess, diagnose and treat the patient, up until the patient is discharged. In certain cases, we were even able to view death notifications.
This research contains the above case studies, along with several possible attack scenarios where an attacker makes use of information from unencrypted pager messages to do reconnaissance, social engineering, or some form of targeted attack or sabotage. More importantly, our researchers also outline actionable recommendations for healthcare organizations that are still using pagers in an unsecure way today.