When the coronavirus gripped the US, California was one of the first states to act, issuing a stay-at-home order in March that covered its roughly 40 million residents. At the time, there wasn't much public information on just how badly COVID-19 was affecting hospitals.
Hospital staff from San Diego to Los Angeles discussed these issues internally over a pager network. But Troy Brown, a security researcher, said in his presentation at Defcon's Internet-of-Things village that the messages didn't stay private. Brown could see all of it, including personal details about patients, such as their names and COVID-19 status, as well as how often patients were being transferred from the coronavirus wing to the morgue.
The sensitive details were being sent without encryption over hospital pagers, Brown said, allowing him to eavesdrop on private conversations from March to August.
“Those unencrypted pager messages include a lot of COVID information,” Brown said. “It was kind of shocking to know that was being broadcast literally in plaintext for a really long distance.”
Brown pointed out that hospitals should do a better job of securing their wireless communications.
Insecure messaging in hospitals isn't new; researchers have warned about the problem for decades. A news report in October 2019, for instance, focused on a researcher in London who found that pagers used by the country's National Health Service had been leaking medical data from emergency calls.
Pagers can be encrypted, but about 80 percent of hospitals are still using insecure devices, Brown said. He used a $20 software-defined radio to listen in on a single paging tower near his home, whose transmissions carry up to 70 miles.
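As an added example (not code from Brown's talk or from any hospital vendor), here is a Python model of POCSAG, the paging protocol most US networks still run. The article does not say which protocol Brown decoded, so that is an assumption, as is the sample page: its RIC and text are constructed, not a real capture. The encoder lays a page out in batches the way a tower would, and the decoder walks it back: each 32-bit word passes only a BCH integrity check, and the address and 7-bit ASCII text come straight out of the codewords, because the format has no encryption layer to strip.

```python
"""Round-trip a constructed POCSAG page: address and text sit in the clear."""
from typing import List, Optional, Tuple

SYNC = 0x7CD215D8           # batch synchronisation codeword
IDLE = 0x7A89C197           # fills unused frame slots
BCH_POLY = 0b11101101001    # BCH(31,21) generator x^10+x^9+x^8+x^6+x^5+x^3+1

# Constructed sample page (not a real capture); the RIC is arbitrary.
SAMPLE_RIC = 1234567
SAMPLE_TEXT = "RM 412 PT COVID POS TRANSFER TO MORGUE"


def bch_remainder(bits21: int) -> int:
    """10 BCH check bits for 21 payload bits (polynomial division mod 2)."""
    reg = bits21 << 10
    for i in range(30, 9, -1):
        if reg & (1 << i):
            reg ^= BCH_POLY << (i - 10)
    return reg & 0x3FF


def make_codeword(bits21: int) -> int:
    """32-bit codeword: 21 payload bits, 10 BCH bits, 1 even-parity bit."""
    cw = (bits21 << 11) | (bch_remainder(bits21) << 1)
    return cw | (bin(cw).count("1") & 1)


def codeword_ok(cw: int) -> bool:
    """Error detection only: zero BCH syndrome and even parity."""
    return (bch_remainder(cw >> 11) == ((cw >> 1) & 0x3FF)
            and bin(cw).count("1") % 2 == 0)


def encode_message(ric: int, func: int, text: str) -> List[int]:
    """Address word plus alphanumeric message words, offset to the RIC's frame."""
    frame = ric & 7                                   # low 3 bits pick the frame
    address = make_codeword((((ric >> 3) & 0x3FFFF) << 2) | (func & 3))
    bits = [(ord(c) >> j) & 1 for c in text for j in range(7)]  # 7-bit ASCII, LSB first
    bits += [0] * (-len(bits) % 20)                   # zero-pad to whole 20-bit words
    words = [address]
    for off in range(0, len(bits), 20):
        data20 = 0
        for k in range(20):                           # first stream bit lands in bit 30
            data20 |= bits[off + k] << (19 - k)
        words.append(make_codeword((1 << 20) | data20))  # bit 31 = 1 marks a message word
    return [IDLE] * (frame * 2) + words


def to_batches(words: List[int]) -> List[int]:
    """Lay codewords out as batches: SYNC followed by 8 frames of 2 words."""
    out: List[int] = []
    for off in range(0, len(words), 16):
        chunk = words[off:off + 16]
        out += [SYNC] + chunk + [IDLE] * (16 - len(chunk))
    return out


def finish(ric: int, func: int, bits: List[int]) -> Tuple[int, int, str]:
    """Regroup the message bit stream into 7-bit characters; stop at padding."""
    text = ""
    for off in range(0, len(bits) - 6, 7):
        ch = sum(bits[off + j] << j for j in range(7))
        if not 0x20 <= ch < 0x7F:                     # zero padding decodes as NUL
            break
        text += chr(ch)
    return ric, func, text


def decode(stream: List[int]) -> List[Tuple[int, int, str]]:
    """Recover (ric, function, text) for every page in a batch stream."""
    pages: List[Tuple[int, int, str]] = []
    cur: Optional[Tuple[int, int, List[int]]] = None
    for pos, cw in enumerate(stream):
        slot = pos % 17
        if slot == 0:
            if cw != SYNC:
                raise ValueError("lost batch sync at codeword %d" % pos)
            continue
        if not codeword_ok(cw):
            continue                                  # corrupt word: drop it (no correction here)
        if cw == IDLE or not (cw >> 31):              # idle or address word closes a page
            if cur:
                pages.append(finish(*cur))
                cur = None
            if cw != IDLE:
                frame = (slot - 1) // 2               # frame number supplies the low RIC bits
                ric = (((cw >> 13) & 0x3FFFF) << 3) | frame
                cur = (ric, (cw >> 11) & 3, [])
        elif cur:
            cur[2].extend(((cw >> 11) >> (19 - k)) & 1 for k in range(20))
    if cur:
        pages.append(finish(*cur))
    return pages


def demo() -> List[Tuple[int, int, str]]:
    """Round-trip the constructed page through a batch stream."""
    return decode(to_batches(encode_message(SAMPLE_RIC, 3, SAMPLE_TEXT)))


if __name__ == "__main__":
    for ric, func, text in demo():
        print("RIC %d func %d: %s" % (ric, func, text))
```

Run it and the sample text prints back unchanged. A receiver such as an SDR feeding an FSK demodulator hands a decoder exactly these 32-bit words, which is why a cheap dongle is enough: the only cryptography-shaped thing in the format is an integrity code that anyone can recompute (production decoders also use it to correct up to two flipped bits per word, which this detection-only check omits).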
Once he started eavesdropping, Brown saw a flood of information about COVID-19 from hospitals, including the types of requests patients were making. The details offered a glimpse of how people were viewing the coronavirus outbreak and how perceptions changed as conditions got worse.
“A lot of people were tested positive and asymptomatic, and asking doctors when they could go back to work,” Brown said.
He saw sensitive information including patients' names, genders, ages, diagnoses, COVID-19 status and treatment, as well as the hospital's PPE supply status and its inventory of beds and ventilators.
Brown was also able to see when people died from the infectious disease.
“There was a specific floor in hospitals where they kept COVID patients,” the wireless engineer said. “A lot of the morgue transfers did come from there.”
As the pandemic got worse, COVID-19 went from an emerging concern to a heavy cloud in every single message.
In the beginning, the messages included notes about fever or shortness of breath, or other symptoms related to the disease. By April, every message had questions about COVID-19 added by default, even if the patient’s health issue didn’t have anything to do with the disease.
“If they were on any call, let’s say a car wreck, they would add COVID at the end as a status,” Brown said.
The security researcher said his intention wasn't to call out a specific hospital, but to highlight the problem of hospitals running unencrypted systems and unintentionally violating patient privacy.
During a pandemic, privacy in health care is crucial, because patients need to trust that hospitals will keep their information secure when they go in for tests or provide their data for contact tracing. For that very reason, lawmakers have called for privacy protections for coronavirus treatment, and Brown’s research shows that hospitals are still leaking information in a very simple way.
“Anyone can tune in to these towers and see all these messages,” Brown said. “There needs to be a nationwide conversation.”