A county IT worker recently discovered that certain hospitals in Missouri and Kansas had poor security for the protected health information (PHI) sent to their pagers.
Using an antenna he purchased to receive TV channels on his laptop, the worker was able to pick up unencrypted pager data, reported the Kansas City Star newspaper on June 22.
The PHI was coming from unsecured pagers at the University of Kansas Hospital in Kansas City, Cass County Regional in Harrisonville, Liberty Hospital in Liberty, Children’s Mercy Hospital in Kansas City, St. Mary’s Medical Center in Blue Springs, and Missouri Baptist Medical Center in St. Louis, all in Missouri, and Wesley Medical Center in Wichita, Kansas.
The unencrypted PHI includes patient name, doctor’s name, level of care, and diagnosis.
"When I first saw it I thought, 'How does this happen? Why is it not fixed?' This is 2018," the unidentified IT worker told the newspaper. "One, we're still using pagers? And two, we're sending unprotected patient data to them?"
The worker said that he wanted to bring attention to the fact that these hospitals were not encrypting their pager data and that cybercriminals could easily intercept the information and use it for identity theft. He thought it also may be a HIPAA violation.
Officials from Children’s Mercy Hospital told the newspaper that they had worked with their communications vendor to deploy a secure pager system after they learned about the potential data breach.
The hospital claimed that the pager data was only available to local hackers with specialized scanning and decoding equipment and that intercepting the data was illegal under the Electronic Communications Protection Act.
The IT worker responded that he was not a hacker, but a radio hobbyist, and that he didn’t intentionally intercept the data.
Kansas University Hospital officials said that they had resolved a “specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances.” They told the newspaper that no financial information or Social Security numbers were compromised because of the breach.
Missouri Baptist did not respond to a request for comment from the newspaper.
American Hospital Association (AHA) Senior Advisor for Cybersecurity and Risk John Riggi recommended that all hospitals move to encrypted pager systems.
"When sending or receiving personal health information, the AHA recommends all hospitals and health systems use secure data transmission platforms that are in full compliance with standards of the HIPAA Data Privacy and Security Rules," Riggi said in an emailed statement.
The newspaper contacted some of the patients involved to verify the accuracy of the pager data. One woman from St. Charles, Missouri, confirmed that she had been hospitalized at Missouri Baptist Medical Center in St. Louis on May 28.
"You're sitting there telling me exactly what happened to me, so what the hell?" she told the newspaper.
A woman from Kansas City whose son’s visit to Children’s Mercy was included in the pager transmissions picked up by the IT worker said she felt violated.
"I think something needs to be changed," she told the newspaper. "Who knows what else is going on, if it's that easy for that information to get out there? There's a big security breach there and it needs to be stopped."
According to a study published in the Journal of Hospital Medicine, nearly 79 percent of 620 hospital-based clinicians said they are provided pagers for communications, while 49 percent said they receive patient care–related communication through pagers.
A recent survey of 300 healthcare organizations by Spok found that 56 percent use onsite pagers, 45 percent use wide-area pagers, 74 percent use smartphones, 69 percent use Wi-Fi phones, and 54 percent use tablets.
Unfortunately, half of respondents rely on passive mobile device security such as policy and education, rather than technology such as encryption and secure wireless networks.
The Spok survey found a 19 percent increase in security team involvement in mobile device policy enforcement from last year, but only 39 percent of respondents indicated mobile policies are enforced extremely well or consistently.