California was one of the first states to act when the COVID-19 pandemic swept through the United States, issuing a stay-at-home order in March that covered about 40 million people, CNET reported. At the time, there was little public information about how much COVID-19 had affected hospitals. But it soon became clear how medical staff struggled with a lack of protective equipment, a shortage of life-or-death ventilators and an influx of COVID-19 patients. Hospital staff from San Diego to Los Angeles discussed the issues internally on the pager network.
But Troy Brown, a security researcher, said in a speech at Defcon’s Internet of Things Village that the messages did not remain private. Brown was able to see all of this, including patients’ personal details, such as their names and COVID-19 status, as well as mortality.
Brown said the sensitive details were sent through a hospital pager without encryption, allowing him to eavesdrop on private conversations between March and August. “Those unencrypted pager messages include a lot of COVID information,” Brown said. “It’s shocking to know that it’s a really long-distance broadcast in clear language.”
Brown said hospitals should do a better job of keeping wireless communications safe. Unsafe information transmission protocols in hospitals are nothing new. Researchers have been warning about the problem for decades. For example, a news report in October 2019 followed a researcher in London who found that pagers used by the country’s National Health Service had been leaking medical data on emergency calls.
Brown says pagers can be encrypted, but about 80 percent of hospitals still use unsafe devices. He was able to use a $20 software-defined radio to listen to a radio tower near his home that can broadcast information from 70 miles away. Once he began to eavesdrop, Brown discovered a wealth of information from the hospital about COVID-19, including the types of requests patients made. These details provide a glimpse into how people see the COVID-19 outbreak and how their perceptions have changed as the situation has worsened.
“A lot of people are tested positive and asymptomatic and ask doctors when they can go back to work,” Brown said. He saw sensitive information, including the patient’s name, gender, age, diagnosis, COVID-19 status and what treatment they were receiving, as well as the hospital’s supply of personal protective equipment and its stock of beds and ventilators.
Brown could also see when people died from the infection. “There’s a specific floor in the hospital where they put COVID patients,” said the wireless engineer. “A lot of the transfers to the morgue did come from there.” At first, the messages contained instructions for fever, shortness of breath, or other symptoms related to the disease. By April, each message added a default question about COVID-19, even if the patient’s health problems were not related to the disease.
The security researcher also said his intention was not to identify a particular hospital. Instead, he wanted to highlight the use of unencrypted systems and unintentional invasions of patient privacy in hospitals. Privacy in health care is critical during pandemics because patients need to be confident that hospitals keep their information safe when they get a check-up or provide data for contact tracing. It is for this reason that lawmakers are calling for privacy protections for coronavirus treatment, and Brown’s research suggests that hospitals are still leaking information in a very simple way.
“Anyone can go to these towers and see all this information,” Brown said. “There needs to be a national dialogue.”