With Stephen Hilt and Philippe Lin
Today, the Trend Micro Forward-Looking Threat Research team released the paper Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry, our research about a weakness we identified in pager technology. If you are concerned about keeping your health information private, I would highly recommend you read through it. I, for one, was not expecting the findings we made. Pagers are secure, right? We’ve used them for decades, they are hard to monitor, and that’s why some of our most trusted industries use them, including the healthcare sector.
Nope. Wrong. All it took to see hospital information in clear text from hundreds of miles (or kilometers if you are a non-US person like me) away was software-defined radio (SDR) software and a USB dongle. Frankly, I was stunned. The problem with pagers, like many other technologies, is that they were designed and developed in a bygone era, and very few people go back to check whether current technologies break the trust we placed in these older ones by making monitoring, accidental or intentional, something a common person can easily do.
Our team has put together a lot of really great analysis of the types of data leakage seen during our testing. Here are a few points I would like you to take away from it.
- In some instances, we could observe patient information including name, diagnosis, treatment, test results, and even the timing of accidents in treatment being transmitted in the clear. This raises questions with regard to various global healthcare privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA). Even though in some cases shorthand and medical terms were being used, it only took a basic level of medical knowledge (can anyone say WebMD?) to understand the treatment and care a patient was receiving, with the patient’s name included.
- Healthcare practices, as well as products in use in hospitals, could be easily aggregated. If I were a healthcare technology developer or a drug manufacturer, I certainly would be interested in finding out about the technologies being used. Knowing the products in use or the types of drugs certain hospitals typically like to give patients could be used to better position my own products in the market.
- Diagnosis and treatment practices of individual patients were easily traceable, including cases where it was very obvious that likely unnecessary and very expensive lab or medical tests were being performed for patients with a diagnosis that didn’t necessarily call for such types of tests (let’s say, nuclear medicine tests and diagnostic radiology MRIs for a patient with influenza).
- There were many different types of criminal activity that we could see happening with this type of data. The most notable and likely criminal activity would involve identity theft, given the vast quantity of personal information that could be seen. Another could be the injection of false tests and lab results through spoofed pages, which were fairly easy for us to create during our testing.
Now remember, this research was done with tools easily purchased from Amazon for less than US$30. This tells us that monitoring is literally within the reach of children, a bored teenager or a criminal mind with a monetary interest. We saw this problem across the globe, including Asia, Europe, and North America, which means it’s not an isolated occurrence that we by chance witnessed in one country or a single organization. It really is a result of a belief in the idea that technology never ages, though some might say this ‘belief’ is, in fact, a form of neglect of the implications of outdated technologies in a new environment.
To learn more about the use of pagers in the healthcare industry and the pitfalls of this usage, see our report Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry. We talk about the potential ways an attacker might be able to exploit this technology to their advantage and prompt healthcare organizations to re-evaluate the use and maintenance of pagers and consider more secure options. In our paper, we also offer recommendations for best practices in the event that the use of pagers cannot be entirely curbed right away.