Tips For Secure Pager CommunicationsTips For Secure Pager Communications
Unencrypted pagers open hospitals to attack, Trend Micro study says.
October 4, 2016
Yes, people still really use pagers. A study recently released by Trend Micro shows that use of pagers in hospitals is more prevalent than people think, and most pager communications in healthcare settings are unencrypted and vulnerable to hackers.
Jon Clay, senior global marketing manager for Trend Micro, says pagers were first developed in the 1950s and 1960s when security was much less of a priority.
"Today, doctors use pagers not just to page someone or be paged, but to transmit names, birth dates, symptoms, and drug prescriptions," he says. "In today's environment, people have to start thinking more about encrypting these communications.
The report, "Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry," is based on studies conduced in the United States, Canada, and the United Kingdom. The researchers found similar results in all three regions.
They discovered that pager messages could be easily spoofed. Attackers could sabotage prescriptions sent to the pharmacy, hijack a page message that could then send a patient to the wrong operating room, declare an emergency inside a facility, or intercept calls from officiating doctors.
Lee Kim, director of privacy and security at the Heathcare Information and Management Systems Society (HIMSS), says the findings of the study were somewhat surprising. She says many doctors may still use pagers because old hospital buildings may not fully support cellular networks.
"While I can see where spoofing messages would be a possibility, I think when it comes to sending prescriptions, the hackers would also have to get past the insurance companies and there are also very strict dosage requirements for controlled substances," she says, adding "it would still be hard to intercept and change a prescription."
The Trend Micro report offers three tips for healthcare organizations looking to tighten up pager communications:
Encrypt communications. Even a simple pre-shared key (PSK) encryption can make hacking pager communications more difficult. Given recent developments with embedded hardware, hospitals can deploy encryption without adding much cost.
Authenticate the source. Much like people need to be more suspicious of emails for phishing attacks, hospital workers also need to think twice about the validity of a message sent over a pager. Pager companies also need to embed authentication right in the firmware.
Stop transmitting multiple factors of PHI. Healthcare workers are sending too much personal health information via pagers. Hospitals may want to consider just sending medical reference numbers and dates of birth in the vast majority of pages.
Clay says the healthcare report was the first in a series on the use of pagers in vertical industries that Trend Micro will release in the coming months.
About the Author(s)
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Everything You Need to Know About DNS Attacks
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
How Enterprises Are Managing Application Security Risks in a Heightened Threat Environment