The nonprofit group Open Privacy Research Society recently announced in a press release that the confidential medical and personally identifiable information (PII) of patients across Vancouver, Canada, is being leaked through the paging systems of hospitals in the area. Open Privacy reported that the data is transmitted without encryption and can therefore be intercepted by anyone within radio range, threat actors included. This has prompted the Office of the Privacy Commissioner of Canada to look further into the incident.
The leaked patient data includes names, ages, genders, diagnoses, attending physicians, and room numbers. The Open Privacy Research Society verified that the sensitive data being broadcast belonged to actual patients by matching it against publicly available obituaries.
Open Privacy discovered the issue on Nov. 11, 2018, and notified Vancouver Coastal Health (VCH) about it the next day. The group only reported the breach publicly on Sept. 9, after a series of exchanges with VCH.
In a statement, the health authority said: “VCH takes patient privacy very seriously and is actively working to mitigate the privacy risks you have identified. Please note, however, that VCH has no information to suggest that patient information has been compromised or used for a malicious purpose.”
Pagers give healthcare organizations a way to maintain inter-facility communications without relying on technologies, such as cellular phones, that may interfere with mission-critical equipment. This incident, however, shows the consequences of leaving them unsecured or exposed.
Messages sent over the air via pagers, which have been in use since as early as the 1950s, are rarely encrypted: the common paging protocols carry the message text in the clear, and any encryption has to be added on top by the sender. This was demonstrated in several case studies from Trend Micro research, which found pagers leaking unencrypted data. With a software-defined radio (SDR) receiver or USB dongle, which can be bought online for as little as US$30, a threat actor can intercept messages in plain text, harvest medical and personally identifiable data and transaction details from them, and even spoof messages. This exposes patients to identity fraud and puts healthcare organizations at risk of penalties for noncompliance with healthcare data privacy regulations, such as those imposed by the Health Insurance Portability and Accountability Act (HIPAA) in the U.S.
The use of pager technology isn't confined to hospitals. In the U.S. and Canada, for example, pagers (and the legacy protocols they use to transmit messages) are also used in industrial control systems (ICSs) and building automation systems, including those of nuclear power and chemical plants, defense contractors, and semiconductor manufacturing facilities. In related case studies, Trend Micro researchers Stephen Hilt and Philippe Lin observed information such as facility statuses and diagnostics data being unintentionally leaked. While this information may seem innocuous, it can be used by threat actors to reconnoiter a target's critical infrastructure and to plan lateral movement in order to perpetrate cyberespionage or cybercrime.
The same risks are present in IT environments, some of which Hilt and Lin found to still be using pagers. The researchers observed, for instance, how threat actors can harvest leaked personal and corporate information such as email addresses and credentials. The stolen information can then be used to eavesdrop on business transactions, or abused to mount spear phishing and man-in-the-middle (MitM) attacks.
The use of unsecured, not to mention outdated, communications technologies (or any technology, for that matter) in today's era of smartphones, cloud platforms, and digital transformation carries serious security risks and, in turn, significant business impact. Organizations should therefore migrate to more secure means of communication that comply with data privacy standards. Where pagers are unavoidable, the message content must be encrypted before it is handed to the paging system, since the paging protocol itself will not protect it.
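The three passages above (medical PII, facility telemetry, and email addresses and credentials) all come down to the same fact: whatever the decoder prints is exactly what went over the air. The following Python script is an added example, not code from the original article or from the Trend Micro research. It takes decoder output lines in the style multimon-ng uses for POCSAG ("POCSAG<baud>: Address: <capcode> Function: <n> Alpha: <text>"; that layout is an assumption about the tool and should be adjusted to match your own decoder), flags the categories of data the article describes, and redacts them for safe logging. The sample lines, names, capcodes and values are constructed for the example and are not real traffic. It is meant for auditing an organization's own paging system, or traffic you are authorized to capture, to confirm whether sensitive content is leaving the building in the clear.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of decoder output (fabricated; not real traffic).
SAMPLE_LINES = [
    "POCSAG1200: Address: 1234567  Function: 3  Alpha:   PT DOE, JANE 72F RM 4B-12 DX: CHF EXACERBATION ATTN DR SMITH",
    "POCSAG1200: Address: 2345678  Function: 3  Alpha:   CODE BLUE ICU BED 7",
    "POCSAG512: Address: 3456789  Function: 3  Alpha:   BOILER-2 PRESSURE HIGH 182PSI SITE NORTHPLANT",
    "POCSAG1200: Address: 4567890  Function: 3  Alpha:   VPN reset: user jdoe@example.org temp pw Winter2018!",
    "POCSAG1200: Address: 5678901  Function: 0  Numeric: 5551234",
    "garbage line that does not decode",
]

# Assumed layout of one decoded POCSAG line (multimon-ng style). Edit this
# regex if your decoder prints its fields differently.
LINE_RE = re.compile(
    r"^POCSAG(?P<baud>\d+):\s+Address:\s+(?P<capcode>\d+)\s+"
    r"Function:\s+(?P<func>\d)\s+(?P<kind>Alpha|Numeric):\s*(?P<text>.*)$"
)

# Heuristic patterns for the classes of data the article says leak over
# pagers. Order matters for redaction; tune to local message conventions.
PATTERNS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("credential", re.compile(r"\b(?:pw|pwd|password|passcode|pin)\b\s*[:=]?\s*\S+", re.I)),
    ("patient_name", re.compile(r"\bPT\s+[A-Z][\w'-]+,\s*[A-Z][\w'-]+")),  # "PT LAST, FIRST"
    ("age_sex", re.compile(r"\b\d{1,3}[MF]\b")),                             # "72F"
    ("room", re.compile(r"\b(?:RM|ROOM|BED)\s*[\w-]+", re.I)),               # "RM 4B-12", "BED 7"
    ("diagnosis", re.compile(r"\bDX\b\s*:", re.I)),
    ("physician", re.compile(r"\bDR\.?\s+[A-Z][\w-]+", re.I)),
    ("ics_telemetry", re.compile(r"\b\d+(?:\.\d+)?\s*(?:PSI|BAR|KPA|RPM)\b", re.I)),
]


@dataclass
class Finding:
    capcode: str          # pager address; the handle you use to trace the sender
    baud: int
    categories: tuple     # which sensitive-data classes matched
    text: str             # the cleartext exactly as it was received


def parse_line(line):
    """Return the decoded fields of one line, or None if it is not a decoded page."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(text):
    """Return the tuple of category names whose pattern matches the message."""
    return tuple(cat for cat, rx in PATTERNS if rx.search(text))


def audit(lines):
    """Parse decoder output and keep only pages that carry flagged content."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cats = classify(rec["text"])
        if cats:
            findings.append(Finding(rec["capcode"], int(rec["baud"]), cats, rec["text"]))
    return findings


def summarize(findings):
    """Count how often each category appeared across all findings."""
    return dict(Counter(cat for f in findings for cat in f.categories))


def redact(text):
    """Replace each matched field with a placeholder so findings can be logged safely."""
    for cat, rx in PATTERNS:
        text = rx.sub(f"[{cat.upper()}]", text)
    return text


if __name__ == "__main__":
    found = audit(SAMPLE_LINES)
    for f in found:
        print(f"capcode {f.capcode} ({f.baud} baud): {', '.join(f.categories)}")
        print("    " + redact(f.text))
    print("summary:", summarize(found))
```

In practice the input would be piped from the decoder rather than read from a list, and the redacted lines, not the raw text, are what should be written to the audit log. Patient names without a "PT" marker are deliberately not guessed at; the capcode is the reliable handle for tracing which system or department is sending the offending messages.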
Cybersecurity and incident response policies should also be reassessed and reinforced, given the potential impact of a data breach on an organization's bottom line and the stringent penalties it can incur. Employees, for their part, should not limit their application of cybersecurity best practices to desktops, laptops, or mobile phones, but extend it to any device that stores, processes, or transmits sensitive information, pagers included.