Man's antenna picks up PHI from pagers at 5+ hospitals

A Johnson County, Mo., man using an antenna to pick up TV channels on his laptop received unencrypted patient information from several local and distant hospitals, according to The Kansas City Star.

The man, whom the Star did not name but referred to as a "tech worker," saw patient information from five nearby hospitals, including Kansas City-based University of Kansas Health System, Cass Regional Medical Center in Harrisonville, Mo., Liberty (Mo.) Hospital, Children's Mercy Hospital in Kansas City, Mo., and St. Mary's Health Center in Blue Springs, Mo. — as well as some hospitals in Kentucky and Michigan.

According to the Star, the man — who downloaded the software for free and purchased the antenna commonly used by radio or tech hobbyists for just $30 — began seeing messages like the one below, with the patient's and physician's names included:

RQSTD RTM: (patient's name) 19 M Origin Unit: EDOF Admitting: (doctor's name) Level of Care: 1st Avail Medical Diagnosis: TONSILAR BLEED, ANEMIA, THROMBOCYTOPENIA

The man did not purposely seek out the data, which would be a violation of the Electronic Communications Protection Act that prohibits the tapping of phone lines to intercept other electronic communications, but is calling on hospitals to pay attention to the importance of data encryption. He also expressed concern that the failure to encrypt pager data is a violation of privacy that constitutes a HIPAA breach.

Not all of the hospitals responded to the Star's requests for comment, and the responses the Star received were varied.

Officials from the University of Kansas Health System were thankful the pager issue was brought to their attention and told the publication they resolved "a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances," adding that no financial information or Social Security numbers have been compromised.

Children's Mercy officials said they worked with their communications vendor to move to a secure pager system, but noted the pager data was only available to "local hackers with specific scanning and decoding equipment — and technical knowledge of how to use it for this specific purpose."

Attorney and HIPAA expert Julie Roth told the Star she couldn't track down any federal rules pertaining to hospital pager data but noted any healthcare organization using airwaves to transmit personal health information should ensure it is encrypted. John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, agreed, noting all hospitals should deploy secure, encrypted pager systems.

"When sending or receiving personal health information, the AHA recommends all hospitals and health systems use secure data transmission platforms that are in full compliance with standards of the HIPAA Data Privacy and Security Rules," Mr. Riggi told the Star.

Editor's Note: This story was updated June 25, 2018 at 8:10 p.m. A previous version of this story incorrectly stated St. Mary's Hospital in St. Louis had been affected. However, St. Mary's Hospital was not affected and instead, St. Mary's Medical Center in Blue Springs, Mo., had been affected.
