Does your hospital still use pagers? Your personal information may be at risk

Hospitals across the country — including some in Kansas City — have been potentially exposing patient data every time they page one of their doctors.

While some hospitals have moved to secure, encrypted pager systems, others are still sending information over open radio waves that could include a patient's name, date of birth and medical diagnosis.

Those transmissions can be intercepted using free computer software and an antenna that costs less than $30, equipment often used by radio or tech hobbyists.

It's a potential security breach that has been documented on tech websites, but most patients don't know about it.

An information technology worker from Johnson County recently told The Star about the issue after he stumbled across hospital pager information while playing with an antenna, which he bought to get TV channels on his laptop computer. With a simple program, the antenna picks up radio signals that can be digitized.

Except instead of picking up local TV stations, he started seeing things like this, with the patient's and doctor's names included:

RQSTD RTM: (patient's name) 19 M Origin Unit: EDOF Admitting: (doctor's name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA

It was the personal patient data of a 19-year-old man, broadcast across the airwaves for anyone to read. And it was coming from a local hospital, which was sending the message to a doctor on a pager.

"When I first saw it I thought, 'How does this happen? Why is it not fixed?' This is 2018," he said. "One, we're still using pagers? And two, we're sending unprotected patient data to them?"

The Star is not naming the IT worker because of legal concerns about the Electronic Communications Protection Act, which extended restrictions on tapping phone lines to the interception of other electronic communications.

Although the man did not purposely seek out the hospital data, he wanted to bring attention to the fact that hospitals are not encrypting this information and it's easy for potential criminals to find and use for identity theft. He also believes that it may violate the Health Insurance Portability and Accountability Act (HIPAA).

John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, said all hospitals should move to secure, encrypted pager systems.

"When sending or receiving personal health information, the AHA recommends all hospitals and health systems use secure data transmission platforms that are in full compliance with standards of the HIPAA Data Privacy and Security Rules," Riggi said in an emailed statement.

But not all have.

The Johnson County IT worker saw patient data from the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children's Mercy Hospital, St. Mary's Medical Center and Wesley Medical Center in Wichita. He has seen some from as far away as Michigan and Kentucky.

The unencrypted data included information on hundreds of patient visits, some of them for particularly sensitive issues like drug overdose, suicidal thoughts and alcohol withdrawal.

The Star contacted a few of the patients to verify that the pager data is real, but is not using their names to protect their privacy.

A woman from St. Charles, Mo., confirmed that she had been hospitalized for lightheadedness at Missouri Baptist Medical Center in St. Louis on May 28.

"You're sitting there telling me exactly what happened to me, so what the hell?" she said.

A Kansas City woman, whose son's visit to Children's Mercy was transmitted over unsecured radio waves, also said she felt violated.

"I think something needs to be changed," she said. "Who knows what else is going on, if it's that easy for that information to get out there? There's a big security breach there and it needs to be stopped."

The St. Charles woman said she has grown somewhat accustomed to hearing about data breaches on social media sites like Facebook, but was shocked to hear of a hospital sending personal medical information over unencrypted airwaves.

"For a hospital to have records out there like that, that's unacceptable," she said. "It's totally unacceptable."

Missouri Baptist did not respond to a request for comment.

Responses from other hospitals were varied.

KU Hospital officials expressed gratitude that the pager issue had been brought to their attention and said they had resolved "a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances." They also emphasized that no financial information or Social Security numbers were compromised.

Children's Mercy officials said they also had worked with their communications vendor to move to a secure pager system after they were alerted to the potential breach.

But they also said that the pager data was only available to "local hackers with specific scanning and decoding equipment — and technical knowledge of how to use it for this specific purpose" and that intercepting it was illegal under the Electronic Communications Protection Act.

The Star's source said he is a "radio hobbyist," not a hacker, and other hospitals should not assume that unsecured pager transmissions are safe.

"It's security by obscurity at this point — and that's scary," he said. "In my line of work you see a lot of, 'Let's hope nobody finds it,' 'It's hard to find, so it's pretty secure.' That's not enough. We can't just trust people won't stumble upon it. We have to assume that they do."

Online tutorials explain how to use a software-defined radio, or SDR, to receive pager data and other information transmitted over radio waves.

An article published in December by the Vice tech news site Motherboard called it "actually fairly straightforward for even the modestly tech savvy."

According to Motherboard, SDRs became widely available after 2010, letting almost anyone plug one into a computer, download some software and start collecting data sent over radio waves.

Meanwhile, most hospitals still use pagers.

There are several reasons for that, said Riana Pfefferkorn, cryptography fellow at the Stanford Center for Internet and Society.

Pagers operate on lower frequencies than cell phones, which allows for better reception in places with many walls and underground areas. They're less likely to interfere with medical equipment. And they're more reliable than cell phones in emergency situations, she said.

"If there's a big emergency where cell lines are tied up with emergency calls and staff need to communicate, they can't be dependent on the cell network," she said.

Tech companies across the country have introduced encrypted messaging apps for physicians that are HIPAA compliant. But there's a matter of cost, Pfefferkorn said, particularly for smaller or rural hospitals.

"Do we get new defibrillators or roll out HIPAA-compliant smart phones?"

But many hospitals nationwide may not know that their pager data can be easily intercepted if it is unencrypted.

To illustrate the scope of the problem, an artist and computer programmer set up an art installation at an October conference in Brooklyn that collected and spat out pages of hospital pager data with patients' names removed but medical information intact.

Julie Roth, an attorney with Spencer Fane in Overland Park and an expert on HIPAA, said she couldn't find any federal guidance specific to hospital pager data. But she said that if hospitals are sending personal health information, or PHI, over the airwaves, they should make sure it's not accessible to third parties.

"Encryption really is an industry standard," Roth said. "So if we're transmitting PHI, then we want to be certain it is being transmitted in an encrypted or otherwise secure format."

She noted that just Monday an administrative law judge ruled that the MD Anderson Cancer Center in Houston must pay $4.3 million in fines over a stolen laptop and two lost USB drives, all three of which contained unencrypted patient information.

Roth said hospitals should include their pager systems in the regular risk analyses they perform to check for patient privacy vulnerabilities.

Even if it's not illegal, the local IT worker said it feels like a violation of privacy. When he first hooked up his SDR and started seeing pager data, he had family members who had recently been hospitalized.

"What if it's my data out there?" he said.

The St. Charles woman said she was glad the issue was being brought to light.

"It's actually very scary," she said. "I'm appreciative that as a newspaper you're putting it out there. It needs to be known."
