IMAGINE THE FOLLOWING scenario. Jane has served as the HIPAA security officer for a 200-bed community hospital for five years. Fortunately, the hospital’s governing board understands the importance of HIPAA compliance and provides the health information management (HIM) and information technology departments with the resources necessary for a comprehensive HIPAA privacy and security program. Written policies and procedures are in place and staff receive HIPAA training at the time of hire, followed by periodic HIPAA updates. Processes are in place to audit workforce members’ access to protected health information (PHI) and the hospital has deployed encryption, firewalls, and other technical safeguards to ensure that electronic PHI (ePHI) is not compromised. While occasional incidents may occur, Jane considers
the hospital’s privacy and security program to be one of the
most robust in the area.
Then, it happens. Jane receives a telephone call from a reporter for the local newspaper who explains that he is in possession of copies of patient information that was communicated via pager messaging between hospital employees. A
concerned citizen who had intercepted the pager messages
provided the reporter with the copies, which include details
such as patient name, age, diagnosis, and location within the
hospital. As the reporter asks for Jane’s comment, she realizes
that he has already contacted some of the patients involved
and that the story will soon be front page news.
Several questions rush to Jane’s mind. Pagers are used to
convey detailed PHI? How were the pager communications
intercepted and who is in possession of the information? What
will the regulatory consequences be? And, most importantly,
how can the vulnerability presented by pagers be stopped?
This scenario was recently the alarming reality for several
Midwest hospitals, and highlights the significant security
risks and potential fallout presented by an often-overlooked
communication technology still utilized in many healthcare
facilities: the pager. 1
Pagers Still Used to Communicate PHI
While many people may believe that “old school” radio wave
pagers died out with the introduction of smartphones, they
are actually still used with surprising frequency in healthcare.
Because pagers transmit data via radio waves, they are not dependent on a cellular signal or wireless network connection to
work. Furthermore, pagers can instantaneously display words
and sentences, as opposed to a mere call-back telephone number. Thus, pagers can serve as an important means of communication for providers in areas of hospitals where a wireless or
cellular signal is weak, slow, or potentially disruptive to medical equipment.
Security Risks Presented by Pagers
Although pagers can be an important means of communication, the unfortunate reality is that many pager messages are
easily intercepted and retained by anyone with a computer, inexpensive hardware, and software-defined radio. Intercepted
messages have not only been posted on the internet, they have
been the subject of research studies, 2 curious “hobbyists,” 3
and even art installations. 4 These instances demonstrate that
pager messages may include details such as a patient’s name,
age, location, treating physician, and diagnosis.
The interception of pager messages containing PHI not only
triggers a hospital’s duty to determine if a breach notification
Don’t Let Pagers
By Julie Roth, JD, MHSA, RHIA