Why Modern Hospitals Need Encrypted Paging
August 01, 2017
Say what you want about pagers, but they are not going the way of the fax machine, at least in healthcare. The reality is that they’re still the de facto standard for communication at U.S. hospitals and health systems: A study published in the Journal of Hospital Medicine this month found that 80 percent of clinicians use hospital-provided pagers.
Pagers continue to dominate for several reasons, which the researchers noted. First, they’re low cost, especially compared with investments in new technologies. Second, their reliability is currently unmatched: Messages can be received even in areas with no cell phone service or Wi-Fi signal. The researchers also note that providing pagers allows hospitals to manage “oversight, directory creation, and the potential for integration into other information systems.”
The Problem With Unencrypted Pagers and PHI
Nearly half (49 percent) of clinicians also reported that they most commonly receive patient care-related messages by pager. While it wasn’t noted by the researchers, this can be an issue if the pagers are not encrypted because messages can be intercepted, as can data being sent to and from smartphones on unsecure applications. In today’s modern hospital, many care team members need to share protected health information (PHI) within messages for accuracy and efficiency as they deliver patient care. If paging is part of your device mix and your clinicians are receiving and sending PHI in their pages, you need encrypted pagers.
PHI on unencrypted 1-way and 2-way pagers can be a security risk due to the possibility of unauthorized interception of the RF broadcast portion of the message path. Such interception is a violation of federal law, but we have seen it: Just last year there was a case where someone was intercepting unencrypted paging messages and publishing them online. Although this matter is being addressed by law enforcement, healthcare organizations should take note and consider the use of encrypted pagers.
A New Era: Encrypted Paging
As the example above demonstrated, unencrypted paging, for all its benefits, is not HIPAA compliant. Unencrypted pagers may be ideal for transport staff, housekeeping, and other care team members where PHI does not need to be sent. Physicians and other roles that routinely send and receive PHI as part of their workflows to deliver care, however, do need that security to protect patient privacy.
This is the primary reason we invested in encrypted paging: We heard from our customers that they love paging as a communication method, but they really wanted that peace of mind that all of their mobile communications would be secure. In 2015 we rolled out our one-way encrypted pager, the T5, and then our two-way encrypted pager, the T52, the following year. Now, if one doctor is using a secure messaging application like Spok Mobile and another prefers a pager, they can both send and receive messages containing PHI with confidence in the safety and security of their communications.
These four items are required for encrypted paging:
- Encrypted message support: AES-128 encryption algorithm
- Display lock: Passcode required after five minutes of inactivity
- Remote data wipe: Wipe command can be sent to a lost or stolen device
- HIPAA compliant: In addition to encryption, Spok signs a HIPAA Business Associate Agreement (BAA) with our healthcare customers. You have the commitment from Spok as a company that our policies, procedures, and environments support HIPAA compliance
The Spok Difference
While there are other encrypted pagers on the market, the T5 and T52 pagers are exclusive to Spok, and the encryption we deploy has some key advantages.
- Unique encryption key: We took the tack that every pager should have a unique encryption key. We use an algorithm to create a key associated with the capcode to encrypt and decrypt messages on that pager. For some other encrypted pagers on the market, it’s a common or shared key across all of the pagers in the ecosystem. As a security professional, I don't consider this a good way to handle encryption keys, and Spok’s approach is much more robust. We generate a unique encryption key every time we provision a pager. If that device comes back to us, we re-key it before it’s reissued.
- Two-way encryption, inbound and outbound: Spok’s encrypted pagers are encrypted on both the forward and reverse channels, meaning messages sent to and from the device. Even though it’s encrypted at the capcode level, we took the approach that all messages to an encrypted pager will be encrypted. In other words, you can’t mix and match encrypted and unencrypted messages. This is true for inbound messages to 1-way pagers as well.
- Keep it simple for the customer: Some other encrypted pagers on the market offer their customers the ability to change encryption settings and keys through a customer portal. To make it easy for our customers and maintain a robust approach to security, we take on that responsibility.
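The per-pager keying, re-keying on reissue, and no-mixing rule from the list above, as an added sketch that is not Spok's code. The page does not say how keys are generated, so the random 128-bit keys, the class and function names, and the sample capcodes are all assumptions.

```python
import secrets

KEY_BYTES = 16  # AES-128 key size, the algorithm named in the feature list


class PerPagerKeys:
    """Hypothetical provisioning store: a fresh random key per capcode."""

    def __init__(self):
        self.current = {}  # capcode -> key now loaded on that pager

    def provision(self, capcode):
        # Called on first issue and again when a returned pager is re-keyed;
        # the previous key is overwritten and never handed out again.
        self.current[capcode] = secrets.token_bytes(KEY_BYTES)
        return self.current[capcode]


class SharedKey(PerPagerKeys):
    """The contrasted design: every pager in the fleet gets the same key."""

    def __init__(self):
        super().__init__()
        self.fleet_key = secrets.token_bytes(KEY_BYTES)

    def provision(self, capcode):
        self.current[capcode] = self.fleet_key
        return self.fleet_key


def exposed(store, leaked_key):
    """Capcodes whose traffic a key pulled from one device can still decrypt."""
    return sorted(c for c, k in store.current.items() if k == leaked_key)


def accept(store, capcode, is_encrypted):
    """Dispatch rule: an encrypted capcode never takes a plaintext message."""
    return is_encrypted or capcode not in store.current


def demo():
    capcodes = ["0000001", "0000002", "0000003"]  # constructed sample capcodes
    per, shared = PerPagerKeys(), SharedKey()
    for c in capcodes:
        per.provision(c)
        shared.provision(c)
    leaked_per = per.current["0000002"]  # key extracted from a lost pager
    leaked_shared = shared.current["0000002"]
    before = (exposed(per, leaked_per), exposed(shared, leaked_shared))
    per.provision("0000002")  # device returned and re-keyed before reissue
    return before, exposed(per, leaked_per)
```

With per-pager keys the leaked key exposes one capcode and none after the re-key, while the shared key exposes the whole fleet until every device is re-keyed.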
A Powerful Tool for Healthcare Communication
The T5 and T52 encrypted pagers were created by Spok based on customer demand, and we’re certainly seeing that demand begin to accelerate as more healthcare organizations learn about encrypted paging and move to make it the standard.
Many of our large hospital, health system, and academic medical centers are adding encrypted paging to their device mix, and some are even going a step further by replacing all pagers within their facilities with encrypted pagers. One of the top academic medical centers in the country recently replaced more than 7,500 of their pagers in circulation with encrypted pagers to enhance the security of their entire communication network.
It's clear that healthcare organizations are recognizing the importance of secure, encrypted, and HIPAA-compliant communications throughout their organization. By making encrypted paging part of the equation, they can couple HIPAA-compliant, PHI-safe messages with the unbeatable reliability, convenience, and low cost of a pager. That’s what we would call a win-win for workflow-driven communications.
By Tom Saine
Tom Saine is Spok’s Chief Information Officer, a role he’s held since 2008. As CIO, he provides executive leadership for the company’s Information Technology and Wireless Messaging Network teams. He is a Certified Information Systems Security Professional (CISSP). He holds a Bachelor of Science in Management from California Coast University and a Master’s of Science in Engineering Management from Columbus University.