Unencrypted pagers open hospitals to attack, Trend Micro study says.
Yes, people still really use pagers. A study recently released by Trend Micro shows that use of pagers in hospitals is more prevalent than people think, and most pager communications in healthcare settings are unencrypted and vulnerable to hackers.
Jon Clay, senior global marketing manager for Trend Micro, says pagers were first developed in the 1950s and 1960s when security was much less of a priority.
“Today, doctors use pagers not just to page someone or be paged, but to transmit names, birth dates, symptoms, and drug prescriptions,” he says. “In today’s environment, people have to start thinking more about encrypting these communications.”
The report, “Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry,” is based on studies conducted in the United States, Canada, and the United Kingdom. The researchers found similar results in all three regions.
They discovered that pager messages could be easily spoofed. Attackers could sabotage prescriptions sent to the pharmacy, hijack a page message that could then send a patient to the wrong operating room, declare an emergency inside a facility, or intercept calls from officiating doctors.
Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS), says the findings of the study were somewhat surprising. She says many doctors may still use pagers because old hospital buildings may not fully support cellular networks.
“While I can see where spoofing messages would be a possibility, I think when it comes to sending prescriptions, the hackers would also have to get past the insurance companies and there are also very strict dosage requirements for controlled substances,” she says, adding “it would still be hard to intercept and change a prescription.”
The Trend Micro report offers three tips for healthcare organizations looking to tighten up pager communications:
Encrypt communications. Even a simple pre-shared key (PSK) encryption can make hacking pager communications more difficult. Given recent developments with embedded hardware, hospitals can deploy encryption without adding much cost.
Authenticate the source. Just as people need to be suspicious of emails that may be phishing attempts, hospital workers need to think twice about the validity of a message sent over a pager. Pager companies also need to embed authentication right in the firmware.
Stop transmitting multiple factors of PHI. Healthcare workers are sending too much personal health information via pagers. Hospitals may want to consider just sending medical reference numbers and dates of birth in the vast majority of pages.
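As an added illustration of the "authenticate the source" tip using a pre-shared key (this is not code from the Trend Micro report or from any pager vendor): each page carries a sender ID, a counter and a truncated HMAC tag, so the receiver can reject spoofed, altered and replayed pages. The frame layout, 8-byte tag length, sender ID, key and message are assumptions constructed for this example; it provides authentication only, and confidentiality would additionally require an authenticated cipher from a vetted library.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8   # truncated HMAC-SHA256 tag in bytes (assumed size for short pages)
HDR_LEN = 6   # sender_id (2 bytes) + counter (4 bytes)

def seal(psk, sender_id, counter, text):
    """Build frame: sender_id | counter | ASCII text | tag."""
    body = struct.pack(">HI", sender_id, counter) + text.encode("ascii")
    return body + hmac.new(psk, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, keys):
        self.keys = keys          # sender_id -> pre-shared key
        self.last_counter = {}    # sender_id -> highest counter accepted so far

    def open(self, frame):
        """Return the page text, or None if the frame must be rejected."""
        if len(frame) < HDR_LEN + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        sender_id, counter = struct.unpack(">HI", body[:HDR_LEN])
        psk = self.keys.get(sender_id)
        if psk is None:
            return None                                   # unknown sender
        expected = hmac.new(psk, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                                   # spoofed or altered
        if counter <= self.last_counter.get(sender_id, -1):
            return None                                   # replayed page
        self.last_counter[sender_id] = counter
        return body[HDR_LEN:].decode("ascii")

# Constructed sample data: key, sender ID and messages are illustrative only.
PSK = bytes.fromhex("00112233445566778899aabbccddeeff")
PHARMACY = 0x0101
rx = Receiver({PHARMACY: PSK})
good = seal(PSK, PHARMACY, 1, "REF 104233 CALL EXT 5551")
forged = seal(b"wrong key guess!", PHARMACY, 2, "REF 104233 CALL EXT 9999")

if __name__ == "__main__":
    print(rx.open(forged))   # rejected: tag does not verify
    print(rx.open(good))     # accepted
    print(rx.open(good))     # rejected: counter already seen
```

The sample page carries only a reference number and a callback extension, in line with the third tip.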
Clay says the healthcare report was the first in a series on the use of pagers in vertical industries that Trend Micro will release in the coming months.
Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.