Hospital Security Fears as Pagers Come Under Spotlight

Healthcare organizations have been urged to immediately re-evaluate their use of pagers after a new report claimed unencrypted messages can be intercepted and spoofed with potentially life-threatening repercussions.

Trend Micro claimed in its new Leaking Beeps report that a software-defined radio (SDR) and a $20 USB dongle are all that is needed to decode pager messages.

Doing so would enable remote hackers to spy on sensitive protected health information (PHI) being sent to and from facilities, including names and medical diagnoses.

The Trend Micro researchers were also able to inject their own pages, using just basic information about the systems in use. The lack of encryption or authentication makes such a task simple to achieve and leaves fake messages impossible to verify.

The only factor limiting this would be the transmitting power of the radio and antenna, the report claimed.

Hypothesizing various attacks, Trend Micro claimed hackers could sabotage medical prescriptions by spoofing messages intended for pharmacies; direct patients to the wrong operating room; create havoc by declaring emergencies inside facilities; and even steal the identities of dead patients.

The report concluded:

“Healthcare organizations must immediately re-evaluate the use and maintenance of pagers. They should find more secure alternatives and procedures to avoid violating HIPAA regulations. Meanwhile they can observe some good paging content practices that uphold the security of PHI, like limiting the transmitted information to what is necessary without revealing too much. On the other hand, vendors must find ways to encrypt pager communication to protect customer privacy and should authenticate the source to prevent spoofed messages.”

Vendors could do this by including simple pre-shared key (PSK) encryption in pager services. Authentication, however, needs to be designed into the firmware, it argued.

Best practice from a medical professional’s point of view should be to send pages “that cannot be identified without relevant documentation on the receiving end,” the report continued.
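The vendor-side remedy the report calls for, PSK encryption with source authentication, worked through as an added example; this is illustrative code written for this article, not Trend Micro's or any pager vendor's, and the frame layout, the capcode field and the sequence number are assumptions. A page that is forged without the key, altered in transit, replayed, or re-addressed to another pager is discarded rather than displayed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Assumed frame layout (not a real paging protocol): capcode (4 bytes) ||
// seq (8 bytes) || AES-GCM ciphertext and tag. The 12-byte header serves as
// GCM nonce and associated data: no replay, no redirection to another capcode.
const hdrLen = 12
func PSKCipher(psk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(psk) // the PSK must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// SealPage encrypts and authenticates one page. The sender must use a strictly
// increasing seq (from 1) per capcode under one key, since seq is the nonce.
func SealPage(aead cipher.AEAD, capcode uint32, seq uint64, body string) []byte {
	hdr := make([]byte, hdrLen)
	binary.BigEndian.PutUint32(hdr[:4], capcode)
	binary.BigEndian.PutUint64(hdr[4:], seq)
	return aead.Seal(append([]byte{}, hdr...), hdr, []byte(body), hdr)
}
type Receiver struct { // one pager: its capcode, PSK cipher and last accepted seq
	Capcode uint32
	AEAD    cipher.AEAD
	lastSeq uint64 // zero: nothing accepted yet
}
// OpenPage returns the body only if the frame is for this capcode, is not a
// replay and its tag verifies; forged, altered or keyless frames are rejected.
func (r *Receiver) OpenPage(frame []byte) (string, error) {
	if len(frame) < hdrLen || binary.BigEndian.Uint32(frame[:4]) != r.Capcode {
		return "", errors.New("not a valid frame for this pager")
	}
	hdr, seq := frame[:hdrLen], binary.BigEndian.Uint64(frame[4:hdrLen])
	if seq <= r.lastSeq {
		return "", errors.New("replayed or stale page")
	}
	body, err := r.AEAD.Open(nil, hdr, frame[hdrLen:], hdr)
	if err == nil {
		r.lastSeq = seq // advance only after the tag verified
	}
	return string(body), err // err: "message authentication failed" on forgery
}
```

The PSK must be provisioned to both the paging service and the pager out of band; this block only covers what happens on the air once it is.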

By failing to take any of these precautionary measures, healthcare providers could be exposing themselves to serious fines under regulations such as HIPAA in the US.