OnPage Report: Pager security in healthcare
The threats posed by unencrypted pagers
We recently had a chance to interview Adam Greene, a lawyer in Washington D.C. with the firm Davis Wright Tremaine LLP. One of Adam’s most intriguing cases occurred in 2014 with a hospital client. This hospital’s doctors and staff used pagers to routinely communicate about a patient’s status or immediate needs. This type of communication is quite routine. However, unbeknownst to the hospital, the sensitive information employees exchanged on pagers was monitored and recorded by individuals outside of the hospital.
The paging landscape
Pagers are a dying breed outside of the hospital. However, pagers are still very much alive in medicine. Approximately 90 percent of hospitals still use pagers and on average spend around $180,000 per year on maintaining and updating them. Hospitals continue to alert, message and communicate with doctors by using pagers because administrators find it difficult to replace legacy technologies.
Yet the risks of pagers are underappreciated as technology has escalated faster than the pace of pager development. Pager security in healthcare was designed long before cybercrime and hacking became issues. Due to the lack of encryption or authentication in paging systems, it’s near impossible to verify messages and thwart spoofing attempts.
HIPAA compliant messaging
Hospitals need to consider secure messaging as part of their overall HIPAA compliant strategy. While using a pager is not a HIPAA violation per se, the information exchanged on pagers has to be extremely circumspect and non-descriptive to ensure compliance.
For example, doctors could exchange simple information such as a phone number they should call or the need for cleaned sheets in a hospital room. However, any information that describes something specific about the patient’s condition such as:
The patient in room 2 is HIV positive
could not be exchanged as it represents too high of a risk if the information were intercepted. Even knowing this information though seems to have little impact on doctor behavior as doctors are focused on treating patients. They are not focused on the security of the messages they exchange.
Read our white paper to learn more about pager security in healthcare and how this hospital had its pagers hacked and patient information exposed.
To learn more download our white paper which covers:
- Why healthcare stays with pagers
- The HIPAA risk of using pagers
- The impact of a hacked pager