Hospital Paging Systems Security
I spoke with Mark Nunnikhoven, VP of Cloud Research at Trend Micro, about their recently published paper, Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry. Pager systems were designed and built in an era when it took a lot of resources and technology to access the system, but now all it takes is a couple hundred dollars and a PC add-in and you are in.
“When pagers first came out the effort to interact with the system was high”
TL;DR: Pagers in the clinical setting are unencrypted and represent a security risk for breach of Personal Health Information (PHI).
Mark’s incremental step – don’t include PHI in any pager traffic, then get rid of pagers and replace them with mobile devices that have end-to-end encryption.
In their study they found that the transmissions are not encrypted and contain multiple elements of PHI. They saw lots of examples (you can download the report here), and the summary of the PHI exposed in the unencrypted messages analyzed by Trend Micro offers a peek into the potential breaches taking place on a daily basis.
Mark also mentioned another report, Securing Connected Hospitals, that looked at connected devices, highlighting the huge increase in attacks on healthcare information systems, in particular with ransomware.
Incremental Steps for Securing Your Pager System
- Don’t include Personal Health Information in pages, but rather ask for a call back,
- Replace the old-style pagers with new technology and devices, and
- When building devices, you must build security into the product.