Study Highlights Risk of PHI Exposure from Unencrypted Healthcare Pagers

Many healthcare providers have now moved from pagers to more secure forms of communication. Secure text messaging platforms allow protected health information to be communicated quickly and efficiently between physicians and care team members. Those platforms include the security features needed to ensure messages cannot be intercepted and viewed by unauthorized individuals. Pagers, however, usually lack security controls such as encryption. Many do not even have the functionality to authenticate users. Consequently, many of the pager systems used by healthcare providers are in violation of HIPAA Rules.

A recent study by Trend Micro has clearly shown just how easy it is for healthcare pager communications to be intercepted. Researchers found they could intercept and decode pager communications using only a software-defined radio (SDR) and a USB dongle, equipment that can be bought for as little as $20. Moreover, it is not even necessary to be in close proximity to the source of the pages to intercept communications. The $20 equipment is capable of picking up communications several miles from the point of transmission.

For the study, researchers monitored pager communications for a period of 4 months, from January to April 2016. 54,976,553 pages were analyzed, 11% of which were sent by healthcare providers such as clinics, medical centers, hospitals, and rehabilitation centers. According to the report, “unencrypted pages are a systemic problem affecting many states in the US.”

The researchers noted many instances of unencrypted pages being sent that contained protected health information, particularly for interfacility transfers (IFT), when patients are moved to and from a healthcare facility.

PHI such as patients’ names, dates of birth, contact telephone numbers, and medical diagnoses was frequently included in the pages. According to the report, “We have noted numerous IFT pages which were either manually entered or generated by software with interfacility coordination functions, and pages transmitted in the EMS (Emergency Medical Services) workflow.”

However, unencrypted pages were not limited to patient transfers. “We have observed pages describing admission to the emergency department, bed requests, in-facility transfer planning requests, treatment orders, patient status updates until the discharge or further transfer process.”

Over the course of the study, a wide range of data classed as protected health information under HIPAA Rules was intercepted, as detailed in the table below:

Data Element                   Number of Pages   Share of Total
Email                                  805,609              28%
Medical terms                          647,745              23%
English names                          510,313              18%
Conditions / Diagnoses                 399,862              14%
Medication on FDA drug list            164,117               6%
Phone numbers                          124,949               4%
Date of birth, age, sex                110,708               4%
Medical reference number                90,124               3%
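
To show what the categories in the table look like from the defender's side, here is an added Go example (not code from this article, from Trend Micro, or from any pager product) that scans decoded page text for a subset of those data elements, tallies the pages containing each one in the same shape as the table, and redacts the matches so only the operational content of a page remains. The sample pages, the four-entry drug list and the regex patterns are constructed for the example and deliberately simplified; the names and medical-terms categories need a dictionary or an NER model and are left out, which is why a patient name survives redaction in the output.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed sample of decoded pager text for the example. None of these
// lines are real traffic or taken from the Trend Micro report.
var samplePages = []string{
	"IFT REQ: JANE DOE DOB 03/12/1961 F, MRN 4471823, CONTACT 555-0143, DX: PNEUMONIA, START METOPROLOL",
	"BED REQUEST ICU-4 ready, call 555-0199",
	"Meet at loading dock 14:00",
	"Report sent to dr.smith@example.org re: patient JOHN SMITH",
}

// detector maps one data-element category from the table to a pattern and
// the placeholder that replaces matches when a page is redacted.
type detector struct {
	category string
	tag      string
	re       *regexp.Regexp
}

// Simplified patterns for a subset of the table's categories. Names and
// general medical vocabulary need a dictionary or NER model and are not
// covered here, which is why "JANE DOE" survives redaction below.
var detectors = []detector{
	{"Email", "[EMAIL]", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)},
	{"Phone numbers", "[PHONE]", regexp.MustCompile(`\b\d{3}[-.]\d{4}\b`)},
	{"Date of birth, age, sex", "[DOB]", regexp.MustCompile(`\bDOB\s*\d{1,2}/\d{1,2}/\d{2,4}(\s+[MF]\b)?`)},
	{"Medical reference number", "[MRN]", regexp.MustCompile(`\bMRN\s*\d{5,}\b`)},
	{"Conditions / Diagnoses", "[DX]", regexp.MustCompile(`\bDX:\s*[A-Z][A-Z ]+`)},
	// Constructed four-entry stand-in for a lookup against the FDA drug list.
	{"Medication on FDA drug list", "[DRUG]", regexp.MustCompile(`(?i)\b(metoprolol|insulin|amoxicillin|warfarin)\b`)},
}

// Finding records one matched element in a page.
type Finding struct {
	Category string
	Match    string
}

// ScanPage returns every PHI element the detectors find in one page.
func ScanPage(page string) []Finding {
	var out []Finding
	for _, d := range detectors {
		for _, m := range d.re.FindAllString(page, -1) {
			out = append(out, Finding{Category: d.category, Match: m})
		}
	}
	return out
}

// Redact replaces each detected element with its placeholder so the
// operational content of the page can still be delivered without the PHI.
func Redact(page string) string {
	for _, d := range detectors {
		page = d.re.ReplaceAllString(page, d.tag)
	}
	return page
}

// Tally counts, per category, how many pages contain at least one match,
// which is the same shape as the table above.
func Tally(pages []string) map[string]int {
	counts := make(map[string]int)
	for _, p := range pages {
		for _, d := range detectors {
			if d.re.MatchString(p) {
				counts[d.category]++
			}
		}
	}
	return counts
}

func main() {
	for cat, n := range Tally(samplePages) {
		fmt.Printf("%-28s %d page(s)\n", cat, n)
	}
	for _, p := range samplePages {
		fmt.Println(Redact(p))
	}
}
```

Run as a periodic audit over the logs a covered entity already keeps of its own paging traffic: a non-zero tally is the evidence that PHI is leaving the organization in the clear, and the redacted form is the minimum-necessary page that should have been sent instead.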

In many cases, the types of information obtained from the pages were limited to patient names, sexes, and brief summaries of symptoms. However, in some cases, Trend Micro researchers were able to use the information obtained from the pages to make “reasonable assumptions about medical diagnoses and treatment plans.”

Interception of pages is not the only concern. It would also be relatively easy for pages to be spoofed. To test the hypothesis, the researchers set up a controlled environment and conducted tests using common pagers of the kind typically used by healthcare providers. The researchers were able to successfully transmit spoofed pages that were picked up and decoded by commonly used pager decoding software.

The researchers outlined several possible attack scenarios, such as sending spoofed pages to a pharmacy to interfere with patients’ medications, directing patients to the wrong facilities or operating rooms, announcing medical emergencies within healthcare facilities, obtaining information about patients from physicians by spoofing pages, identity theft, and threatening SMS messages sent to pagers for a wide range of malicious purposes.

To prevent the interception of pages, a system should be implemented to encrypt communications; authentication controls should be used to ensure messages can only be read by authorized individuals and to ensure pages have been transmitted from a trusted source. PHI should only be transmitted if it is impossible for the information to be used to identify the patient.
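
As an added example of the three controls just listed, this Go program (not from the article, from Trend Micro, or from any pager vendor) wraps each page in an envelope that is encrypted and authenticated with AES-GCM under a key pre-shared between one sender and the receiver, and carries a sequence number so that a captured page cannot be replayed. The sender IDs, the key provisioning and the wire layout are assumptions made for the example; a real deployment would also need key distribution and rotation, which the article does not cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the constructed wire format. Sender and Seq are sent in the
// clear so the receiver can pick a key and check for replay, but both are
// bound into the AES-GCM tag as associated data, so editing them fails auth.
type Envelope struct {
	Sender uint32
	Seq    uint64
	Nonce  []byte
	Body   []byte // ciphertext with the 16-byte GCM tag appended
}

// aad is the authenticated-but-cleartext part of the envelope.
func aad(sender uint32, seq uint64) []byte { return []byte(fmt.Sprintf("%d:%d", sender, seq)) }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Sender seals pages under its pre-shared key with a strictly increasing sequence number.
type Sender struct {
	id   uint32
	seq  uint64
	aead cipher.AEAD
}

func NewSender(id uint32, key []byte) (*Sender, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return &Sender{id: id, aead: aead}, nil
}

func (s *Sender) Seal(page string) (Envelope, error) {
	s.seq++
	nonce := make([]byte, s.aead.NonceSize()) // fresh random 96-bit nonce per page
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	body := s.aead.Seal(nil, nonce, []byte(page), aad(s.id, s.seq))
	return Envelope{Sender: s.id, Seq: s.seq, Nonce: nonce, Body: body}, nil
}

// Receiver keeps one key per trusted sender and the highest sequence number
// accepted from each, so a captured envelope cannot be played back later.
type Receiver struct {
	keys    map[uint32]cipher.AEAD
	lastSeq map[uint32]uint64
}

func NewReceiver() *Receiver {
	return &Receiver{keys: map[uint32]cipher.AEAD{}, lastSeq: map[uint32]uint64{}}
}

func (r *Receiver) Trust(sender uint32, key []byte) error {
	aead, err := newAEAD(key)
	if err != nil {
		return err
	}
	r.keys[sender] = aead
	return nil
}

// Open returns the page text, or an error saying why the envelope was refused.
func (r *Receiver) Open(e Envelope) (string, error) {
	aead, ok := r.keys[e.Sender]
	if !ok {
		return "", errors.New("unknown sender: no key on file")
	}
	plain, err := aead.Open(nil, e.Nonce, e.Body, aad(e.Sender, e.Seq))
	if err != nil {
		return "", errors.New("authentication failed: page forged or modified")
	}
	if e.Seq <= r.lastSeq[e.Sender] {
		return "", errors.New("replay: sequence number already accepted")
	}
	r.lastSeq[e.Sender] = e.Seq
	return string(plain), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys come from provisioning
	_, _ = io.ReadFull(rand.Reader, key)
	s, _ := NewSender(7, key)
	r := NewReceiver()
	_ = r.Trust(7, key)
	env, _ := s.Seal("IFT REQ: bed 4, ETA 14:00")
	fmt.Println(r.Open(env)) // page text and <nil>; a second Open(env) is refused as a replay
}
```

Because the sender ID and sequence number are covered by the GCM tag as associated data, a page replayed from the air is refused on its sequence number, an altered or fabricated page is refused on its tag, and a page from a transmitter with no key on file is refused before any decryption is attempted, which is what “transmitted from a trusted source” means in practice.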

If pagers do not use encryption and lack authentication controls, they violate HIPAA Rules. The Department of Health and Human Services’ Office for Civil Rights (OCR) has not taken action against healthcare providers that use insecure communication systems to transmit PHI. However, it remains a possibility.

To comply with HIPAA Rules, the simplest solution is to abandon the pager and adopt a HIPAA-compliant communication system, such as a secure, encrypted text messaging platform.

The Trend Micro report can be viewed at this link.