Innovations in Encrypted Paging Protect PHI
December 01, 2016
“Unfortunately, we have discovered that pager communication is not adequately secure. Because pager messages are unencrypted, third parties can view pager messages even remotely.”
That was the conclusion of a report, “Leaking Beeps: Unencrypted Pager Messages in the Healthcare Industry,” by Trend Micro, a global security software company. The problem is, this isn’t actually accurate when it comes to paging and the encryption options now available.
The white paper highlights the amount of protected health information, or PHI, that is routinely sent to pagers and the ease with which messages can be decoded off the air. Trend Micro is correct: Hospitals sending PHI through unencrypted means, whether that’s via an unencrypted pager or a consumer-grade messaging app on a smartphone, are likely violating the Privacy and Security Rules of HIPAA and exposing themselves to possible penalties. Spok has always asked its customers to avoid sending PHI in unencrypted pages, especially messages with multiple PHI identifiers. Trend Micro advises hospitals using pagers to implement safeguards like user authentication or simple pre-shared key (PSK) encryption to raise the bar for attackers, but even that may not be enough when healthcare data breaches are reported on a regular basis.
Much has been written about secure communications via smartphone applications, as smartphones have proliferated in healthcare. But what about pagers? Pagers remain a mainstay of hospitals’ device mix because of their unbeatable reliability and cost-effectiveness. However, sending PHI via paging wasn’t an option until recently. Now there are options for encrypted paging, including one-way and two-way encrypted pagers.
Several years ago, hospital IT staff were most concerned about internet encryption, and over the air encryption was an afterthought at best. As organizations began to implement secure messaging solutions, they started examining their other communication methods, including paging. As customer demand for encrypted paging grew, Spok reached a critical crossroads: Should we invest in innovation and reengineer a device that has largely stayed the same for decades?
The answer was unequivocally ‘yes.’ Pagers have been used in healthcare for over 60 years, and Spok has long been committed to innovation that keeps devices current with customer needs. Our customers consider us a full partner in critical communications and therefore depend on us to give them the tools they need to keep up with changes in the industry. Many of our customers still see pagers as a critical element of their communications going forward.
So, we combined the reliability of paging with the security features needed to protect PHI in care team communications. We took everything that customers liked about our previous flagship pager, the T3 Plus, and enhanced it. With fit, form, and function established, we incorporated the message encryption support (industry standard AES-128 encryption algorithm), display lock, and remote data wipe features, and the T5 encrypted one-way pager was born.
After the successful release of the T5, we continued to innovate by developing and releasing the T52 pager, which supports encrypted two-way paging. Spok has exclusive rights to both the T5 and T52 pagers.
With the T5 and T52 deployed alongside secure messaging solutions for smartphones, tablets, and Wi-Fi phones, hospitals can now have a fully secure mobile device mix across the organization. Clinicians can send all of the context they think is necessary in their message without worrying about compromising PHI, which allows them to better focus on what matters most and what they do best: delivering excellent patient care.
By John Deboer, Vice President of Technology Engineering
John joined Spok in 1999 and has more than 25 years of experience in the telephony, paging, and wireless technology fields. At Spok he has held numerous positions, including Vendor Manager and Director of Program Management. Prior to joining Spok, he worked at Alcatel and Glenayre Technologies in international sales engineering and project management roles. He holds a Bachelor of Engineering degree in electrical engineering from Lakehead University in Ontario, Canada.