Canadian Privacy Researcher Discovers Pagers Broadcasting Sensitive Patient Information on Unencrypted Channels
Healthcare has long relied on pagers as the most secure, reliable way to communicate between clinicians. But new evidence suggests that this time-tested communication method may actually be causing HIPAA violations for unwitting hospitals.
Last year, Vancouver Coastal Health was alerted to the fact that alphanumeric pagers were consistently exposing patients’ protected health information (PHI) in pages sent over unencrypted radio frequencies. Privacy researcher Sarah Jamie Lewis discovered the breach when she accidentally intercepted some of these messages—using only her laptop and an antenna that’s available online for under $30. The information running across her screen included patient names, ages, medical conditions, trauma details, and hospital room numbers.
Lewis immediately reported her findings to Vancouver Coastal Health. Once the facility began taking the breach seriously, they took steps to minimize the amount of patient information sent over pagers. Four other health systems in the province who use similar paging systems were notified and asked to investigate the security of their pager systems. Combined, Vancouver Coastal Health, Fraser Health, and Island Health serve approximately 3.8 million people. “I wouldn’t be surprised to find this everywhere in Canada,” said Lewis.
The problem is not limited to Vancouver Coastal Health, though, or even to Canada. Pagers present a security risk for hospitals across North America. In 2018, a nearly identical case occurred in Kansas City, Missouri, when an anonymous IT worker was using an antenna to pick up TV channels—and found himself receiving patients' protected health information instead. Like Lewis, he immediately reported the breach. "When I first saw it I thought, 'How does this happen? Why is it not fixed?' This is 2018," he said. "One, we're still using pagers? And two, we're sending unprotected patient data to them?"
After the recent breach, Vancouver Coastal Health has committed to reviewing its pager practices, providing training on the privacy risks presented by pagers, and is considering using encrypted pagers. While these measures are steps in the right direction, they are surface-level solutions that don’t address the deeper issue. The problem is not necessarily with the health systems in questions, but with the technology.
Pagers have been a mainstay in healthcare communication since the 1980s, and have remained in use for a variety of reasons. They operate on a lower frequency than cell phones, which historically has meant fewer connectivity issues. Most pagers only receive messages and don’t send them, which makes them less likely to interfere with medical equipment. They also aren’t subject to the delays caused by traffic on cellular networks. And in the short term, pagers are also cheaper, which makes them an attractive option for hospitals.
For a long time, pagers were the most secure, reliable method of communication. Now, though, the technology’s age makes it vulnerable to newer technologies that can more easily intercept transmissions.
Mobile technology has come a long way in the last ten years, too, dominating communication in every other area of life. Video calls and text messaging allow for quicker, clearer communication, saving time and frustration. Connectivity has greatly improved. Mobile technology can enable instant, timestamped, group communication. And with the rise of telehealth, all these capabilities are easily available to hospitals. Platforms like Pulsara have been specifically designed for healthcare communication, bringing secure, HIPAA-compliant solutions to acute care spaces.
While pagers served healthcare well for many years, it may be time to consider that what has worked in the past will not continue to protect patient information quite as well as it used to. Mobile technology can provide superior, secure communication that serves patients by protecting one of their most important possessions: their protected health information.
In the UK, the NHS is requiring hospitals to do away with pagers by the end of 2021. Learn more here: UK Hospitals to Replace Pagers by End of 2021