Whengripped the US, California was one of the first states to act, issuing a stay-at-home order in March that covered its roughly 40 million residents. At the time, there wasn’t much public information on just how badly COVID-19 was affecting hospitals.
We’d soon come to learn how medical staff struggled with a lack of protective equipment, a life-or-death ventilator shortage and.
Hospital staff from San Diego to Los Angeles discussed these issues internally on a pager network. But Troy Brown, a security researcher, said at his presentation at Defcon’s Internet-of-Things village that the messages didn’t stay private. Brown was able to see it all, including personal details about patients, like patient names and their COVID-19 status, as well as how often patients were transferred from the coronavirus wing to the morgue.
The sensitive details were being sent without encryption over hospital pagers, Brown said, allowing him to eavesdrop on private conversations from March to August.
“Those unencrypted pager messages include a lot of COVID information,” Brown said. “It was kind of shocking to know that was being broadcast literally in plaintext for a really long distance.”
Brown pointed out that hospitals should do a better job of securing their wireless communications.
Hospitals having insecure messaging protocols isn’t new. Researchers have warned about the problem for decades. A news report in October of 2019, for instance, focused on one researcher in London who found that pagers used by the country’s National Health Service had been leaking medical data on emergency calls.
Pagers can be encrypted, but about 80 percent of hospitals are still using insecure devices, Brown said. He was able to use a $20 software defined radio to listen in on one radio tower near his home, which can broadcast messages from up to 70 miles away.
Once he started eavesdropping, Brown saw a flood of information about COVID-19 from hospitals, including the types of requests patients were making. The details offered a glimpse of how people were viewing the coronavirus outbreak and how perceptions changed as conditions got worse.
“A lot of people were tested positive and asymptomatic, and asking doctors when they could go back to work,” Brown said.
He saw sensitive information including patients’ name, gender, age, diagnosis, COVID-19 status, what treatment they were getting, as well as the hospital’s PPE supply status and inventory of beds and ventilators…Read more>>