Vancouver health system ignored warnings that its wireless paging system transmits sensitive patient data in the clear

Originally published at: https://boingboing.net/2019/09/09/sgt-schultz-privacy.html

I’m honestly a bit surprised that the hospital system is being this dense.

Pagers are great stuff, criminally underrated compared to cell phones in terms of power consumption and performance in marginal signal zones; but it’s…not exactly…unknown that they are a broadcast system, cleartext(barring a few nonstandard arrangements that transfer ciphertext and have some sort of keying system set up for the receiving pagers to decode it; anything that can transmit cleartext can transmit ciphertext; but confidentiality is not provided by the spec); and at this point pretty well understood and cheap to intercept (some pager models are well known for being moddable; specialist vendors sell bulk capture equipment; and cheap SDR gear is adequate to the job).

I’d like to think that anyone who proposed “let’s transmit patient data via postcards!” would be beaten down with whatever office supplies the conference room had to offer for such a transparently stupid plan; but that’s pretty much the same security model as sending it out via pager, except RF is easier to intercept in bulk without being noticed.

I would have hoped that there was at least some pitifully weak and broken system, that suggested soomeone thought about the problem and tried; rather than blank ignorance.

3 Likes

This is a regional paging system for an organization that serves the cities of Richmond, Vancouver, North Vancouver, West Vancouver, the Sunshine Coast and Powell River. VCH is the healthcare provider for several million people.

1 Like

Of course there wasn’t a breach; don’t be daft. That would have required a layer or layers of protection to be in place!

5 Likes

Literally there’s nowhere I’ve lived that I couldn’t pull down tons of medical pages. Used to tap the discriminator output on a scanner, and now it’s even easier doing it all with SDR. These days, most pages are either medical in nature, or automated sysadmin notices.

But my point is that this is hugely widespread, and not in the slightest bit restricted to Vancouver.

2 Likes

In my experience, when speaking to anyone from the “rules” side of the organization (privacy officers, legal department, regulatory compliance etc.), the people who build and implement these kind of systems don’t always provide full and frank details of their capabilities. There’s a sense that if they do the paper-pushers might take the cool toys away, so worrisome details are omitted or glossed over. So it doesn’t surprise me at all that the privacy office wouldn’t know about the radio broadcasting component of the system.

I hope this is OK, redacting names and phone numbers. It’s nuts the extent to which these medical discussions are occurring unencrypted.

2 Likes

This topic was automatically closed after 5 days. New replies are no longer allowed.