NHS pagers expose medical data

Radio hobbyists can intercept sensitive data through emergency communications

NHS Trust building

An amateur radio rig intercepted real-time medical data broadcasts by pagers and ambulances in North London, and leaked the information to the internet.

The rig translated radio waves into text on a hobbyist's computer screen. The display was soon populated with details of real-time medical emergencies in the rig's region of North London. An internet-connected webcam was left pointed at the computer screen and the feed, with no password protection, was accessible online by anyone who knew where to look.

Security researcher and bug bounty hunter Daley Borda viewed the live stream from his home in Florida, and reported to TechCrunch that he could see details from 999 emergency calls, including the "name, address, and injury" of those seeking medical attention.

The hobbyist also intercepted and decoded pager messages from a nearby NHS trust.

"With some cheap, relatively basic software, it is possible for hobbyists to access these frequencies and decode the information being sent, which appears is what has occurred here," a spokesperson from the hobbyist's internet provider said.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Although pagers have become mostly obsolete, they remain an integral tool in UK hospitals. About 130,000 pagers are still implemented by the NHS, which account for roughly 10% of pagers regularly used around the world.

Though the one-way communication devices have long been outdated, they still supercede newer tech in a few areas. Pagers operate on low frequencies, so their radio waves travel further and through more obstacles, like a hospital's thickened walls that protect doctors against radiation.

They also work in places mobile phone signal doesn't, which helps make pagers the medical professional's preferred choice over mobiles.

The downside? "They aren't secure," said Andy Keck, an amateur radio hobbyist. In recent years, software-defined radios have allowed hobbyists to decode unencrypted pager networks with just a $20 (15.50) plug-in dongle and an antenna.

Related Resource

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

"It's just enter the command to start the application, sit back, and start decoding in real time on the screen," said Keck.

Advertisement - Article continues below

TechCrunch asked one NHS spokesperson if their trust was aware of the risk of pager message interception and decoding by amateur radio hobbyists, to which they replied: "Yes."

In fact, the susceptibility of these messages to third-party viewing is something NHS trusts agree to when signing up for their network. A representative of the UK's last remaining pager network, PageOne, said: "PageOne ensures customers are aware of the ability to intercept messages in its terms and conditions" and that encrypted services "are available if required".

Failure to protect personally identifiable and health information violates GDPR, meaning trusts that allow such information to be exposed risk steep fines under the strict data protection laws.

An NHS pager ban will go into effect at the end of 2021, but the issue of information security may not go away simply because the pagers will. However, upgrading to cell phones might alleviate some of the vulnerability of data-sensitive messages. Communicating through a smartphone offers more methods for message encryption. Because yes, there's even an app for that.

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/network-internet/broadband/354530/openreach-offers-free-full-fibre-installation-for-thousands-of
broadband

Openreach offers free full-fibre installation for thousands of homes

14 Jan 2020