
Unencrypted patient medical information is being broadcast across Vancouver - gregmac
https://openprivacy.ca/blog/2019/09/09/open-privacy-discovers-vancouver-patient-medical-data-breach/
======
noodlesUK
In my part of the US, I can overhear loads of PII by just tuning my VHF
transceiver to various public safety frequencies. I hear drivers license
numbers, medical info, all sorts. I hesitate to think that there’s a better
alternative though. I’m terrified that the UK is moving to LTE rather than the
current trunked radio. The amount of damage caused by comms failing in a major
emergency (or even just dead zones) massively outweighs the risk of a little
data loss at present. If there are more reliable communication methods that
preserve privacy, then we should be using them, but I’m not sure they exist at
the moment.

edit: to be fair, it should be possible to encrypt some of the traffic, but
things should fail open, not closed, or people will die.

~~~
tinus_hn
Meanwhile the rest of the world has moved on to digital, encrypted
communication.

Mobile phones continue to work during a disaster as long as the base station
batteries hold out and that’s with cheap base stations serving very large
amounts of idiot users using the cheapest of the cheap handsets limited by
regulations. Why wouldn’t you be able to make this work indefinitely with a
limited amount of trained users using selected, powerful expensive handsets.

In other words, a bunch of poor excuses made by coincidentally those same
people who love to profess that privacy doesn’t matter as long as it’s someone
else’s privacy.

~~~
leghifla
Agreed about privacy, but the "Mobile phones continue to work during a
disaster" is a very optimistic view.

It was not a disaster, far from it. In Belgium, a few years ago, a fire under
a bridge broke a bunch of fibers from the main telco operator.

Result on a region of about 200,000 inhabitants:

      - no radio (on my usual station), first thing I noted that morning.
      - no internet
      - no TV (comes via internet)
      - no cell phone coverage
      - no land-line either
      - emergency calls impossible (by cell-phone or land-line)

This started early in the morning and was only solved in the afternoon for
most people. We are over-reliant on some technology with many single points of
failure we do not even know about.

~~~
sandos
That sounds insane. Any network other than very basic ones should have
physical redundancy, i.e. not being in the same duct or even travelling close
to each other. Hell, our local MAN network here does it! That's in a city with
130k inhabitants; they actually made the network backbone out of redundant
rings.

I would hope most telco networks would be somewhat resilient.

~~~
briffle
A former employer of mine tried to have redundant connections. They had two
fibers from two different providers, going separate paths from their Dallas
office, etc. However, the 2nd provider utilized a 3rd provider as a regional
carrier. And for about 100 miles between Dallas and Chicago, the fibers were
run in conduits that were side by side. We discovered that when a single
backhoe took down phones, data, etc, to all our southeast Region offices. (it
also affected many others). Found out the hard way that the 2nd provider's
redundant uplink also went through the same connection. Good luck tracing your
fibers all the way from end to end. Most of this stuff is all contracted to
3rd parties, and most don't want to give you detailed maps.

~~~
mordechai9000
Companies often sell services to each other, too. So what you think is a
redundant connection may just be a link on the same fiber, resold.

------
bigiain
I saw Balint Seeber give a fascinating talk about discovering the use of
unencrypted pagers in hospitals, with messages full of personal information
available to anyone with an SDR (and his particular brand of persistence to
work out how to discover the modulation/encoding to get the text out.)

It's mentioned in passing in this talk description from 2011:

[https://2011.ruxcon.org.au/2011-talks/all-your-rfz-belong-to-me-hacking-the-wireless-world-with-gnu-radio/](https://2011.ruxcon.org.au/2011-talks/all-your-rfz-belong-to-me-hacking-the-wireless-world-with-gnu-radio/)

" ... and security-through-obscurity in hospital pager systems."

I'm 99% certain I saw him give that talk at Dorkbot in Sydney, which makes it
maybe 5 or more years earlier than that...

~~~
myself248
"discovering" is an odd word to use there. I'd say "noticing".

PDW has been going since 2003 and I only mention it because I can't remember
the name of the DOS software that preceded it...

[https://www.discriminator.nl/pdw/index-en.html](https://www.discriminator.nl/pdw/index-en.html)

~~~
bigiain
I only worded it like that because of the way he described his long and often
unfruitful efforts over several years before he finally hit upon the right
keywords and documentation to describe what he was seeing over the air...

~~~
myself248
That's a confusion born of not spending enough time hanging out with sneaky
folks doing shady shit.

I remember that in the 90s, the local PD had learned that some folks would
listen to scanner traffic to figure out when their rowdy parties were going to
be broken up, so everyone could hide and make the scene look calm by the time
officers arrived. So they stopped using voice radios for this sort of call,
and instead switched to their Mobile Data Terminals.

Which was even better, because MDTMON had an alert feature where it'd sound
the PC speaker when your keywords (say, your street name) showed up in the
decoded traffic. That freed up one partygoer from scanner duty!

POCSAG/FLEX were even more of a treasure trove, but that's a story for another
day.

------
Herodotus38
I'm a hospitalist (internal medicine employed by a hospital). I'm fairly
certain that what they are intercepting are pages from the ER to admitting or
consulting physicians.

In the US, this would be a HIPAA violation but I'm not sure of the Canadian
law. We still use pages at my hospital, but no PHI, only room numbers in the
ER for admissions are paged and then you log into the EMR. We use HIPAA
compliant texting apps to communicate PHI.

~~~
blaisio
HIPAA is such an awesome law. I have to work with it daily as an engineer, and
I'm continually amazed that the US government requires so much security.
Normally the US is extremely hands off when it comes to privacy and security.
Congress almost never passes laws that have such far reaching scope. And HIPAA
actually has teeth, with significant penalties for companies who don't comply
(and of course people can sue as well over the violation).

I think aspects of it could definitely be improved. I see HIPAA violations at
doctor's offices all the time - but they are usually still fairly minor, and
doctors and nurses grow concerned quickly as soon as you mention a possible
violation.

~~~
corebit
How are you fond of this law? It's so obviously a pointless waste of money. As
a fellow engineer who has worked with it I can't wait for its repeal - and I
see that coming.

~~~
chooseaname
I'll bite. What would be the options for keeping our PHI from being freely
shared everywhere? You have to know that Facebook would love a piece of that.

~~~
clinta
First of all, I don't think HIPAA actually prevents PHI from being shared. If
Facebook were to become a business partner of a hospital, and maintain HIPAA
compliance themselves, hospitals can share data with Facebook.

To tackle the problem HIPAA tries to solve, that is making sure that data
sharing is secure and only with the intended parties, I want to see stronger
enforcement of liability. Granted, the US doesn't have a great track record on
that, seeing Equifax get away with what they're doing. But I think that's the
system that needs to be improved.

Instead of government dictating what "secure" means, different approaches can
be experimented with on the market with strong enforcement of liability
providing the necessary incentives.

~~~
briandear
> hospitals can share data with Facebook

Then Facebook would become a Business Associate and would have to protect
information in a variety of very strict ways and could face a fine of up to
$10,000 per patient record, per violation. If they had 25 million health
records and decided to target advertising to those people on two separate
occasions, then they are liable for a fine of up to $500 billion. So sure, let
Facebook get into health, it wouldn’t take long for them to run afoul of the
law given their move-fast-break-things attitude.

~~~
clinta
Is targeting advertising based on health data a violation if the advertiser is
a business associate and is not directly exposing the data to any non-covered
entities?

------
Scoundreller
Pagers are great.

They're a lot more resilient than the cell phone network, especially if
there's a mass disaster.

They tend to work better in basements or deep in buildings.

They don't get annoying amber alerts (important in Canada where they're all
sent as Presidential/ICBM), constant "IRS" or "Dell" call spam from your
area+exchange code (ie: lookalike numbers that seem internal to your hospital)
or SMS spam.

These are excellent features if you're on-call, but _must_ respond to
anything.

~~~
t34543
One way pagers are also privacy friendly - base stations are not aware of your
location.

------
smudgymcscmudge
> VCH was unaware of the radio broadcasting component of the pager system(s)
> in question until several weeks ago

I’d like to know how they think pagers operate.

~~~
dmix
Hopefully the privacy commissioner is aware of how this stuff works as well

------
trishmapow2
Happens in Australia too, probably the easiest signals to find (i.e.
strongest) using my $10 RTL-SDR besides broadcast FM. Plenty of names, emails,
addresses, phone numbers, medical conditions, security alarms being triggered
etc. Other interesting finds are SCADA messages, some from Pizza Hut etc.
Regulations here allow reception as long as you don't take any action based on
what you receive so that's nice.

------
dredmorbius
Sarah Jamie Lewis's Twitter thread (unrolled):

[https://threadreaderapp.com/thread/1171148964264992768.html](https://threadreaderapp.com/thread/1171148964264992768.html)

------
motohagiography
Key management between emergency services remains a hard problem. Paramedics
often don't have hands free to type information into a terminal, so they use
radio, which means keying their handsets, and then classifying the keys for
different security levels, e.g. if you need to talk to SWAT and other teams,
you are going to need a separate channel and key. Police have an interesting
case with that as well, where techs that use or distract their hands during
stops are a safety issue.

Military communications for a given mission are mainly all in the same
security domain so key management is relatively easy. Co-ordinating key
management for daily use between police forces, ambulance services, hospitals,
fire stations, and other responders is non-trivial.

I do suspect the best possible privacy solution would be a regulation that
made personal and health information acquired without explicit consent
inadmissible in a civil court case, regulatory tribunal, or other government
process, and heavy fines for using it for insurance and credit and licensing
other decisions by regulated/protected businesses. Not so much GDPR regs, but
just removing legal leverage from the data.

We still need technical security and privacy controls, but creating legal
liability for the people who hold and exploit it is the real solution.
Agencies can't hide behind, "machine learning," and "random checks," for
targeting people. There will be some hard cases, but if you use PII/PHI
without explicit informed consent and collection, use and disclosure for
specific purposes, you should be handicapped legally, imo.

~~~
tonyarkles
I upvoted you, but want you to consider how there can be dramatically worse
bad actors than the government or legitimate companies (the
insurance/credit/licensing stuff you mention): people end up in the hospital
sometimes because someone else wants to hurt them. Simple example:
spousal/partner abuse. More extreme but easily plausible in Vancouver: gang
violence.

If I failed at a hit, and I can watch the POCSAG traffic and see that the
guy I tried to take out is in a coma (and not dead), and is in room 404 at
Vancouver General Hospital, that's very valuable information.

~~~
Scoundreller
I've found with most hospitals that finding out a patient's location is as
simple as asking.

Maybe some people get identified as "VIPs" and it's not so easy. Dunno if
every random gun-shot victim makes that, but if your "hit" was more an
"accidental" car wreck, you can probably ask and find out where they are.

~~~
lostlogin
You can do better than that. Put on some blue scrubs and carry something
complicated looking. Look hurried. You’ll be admitted into almost any
healthcare facility.

~~~
tonyarkles
You're both right, and healthcare definitely has a lot of fun threat modelling
exercises you can do. I suppose the big thing that the pager monitoring stuff
gives you is a live stream of some significant fraction of _all_ the patients
coming through, not just a specific target.

------
th0ma5
I had read, and maybe I'm misguided, that the law in the US was that you could
listen to this stuff as an experiment with your amateur radio license and mess
around with all the decoding you wanted... It was just illegal to disclose to
anyone anything you heard or read. Actually I don't think the amateur license
may have had much to do with it at all, but anyway... I played with it for a
minute and mostly saw automated messages about housekeeping needs, but I did
occasionally see names, some kind of ID number but I don't think it was a SSN,
and sometimes little "love you" notes and quite a lot of "please call me
back". I got pretty bored with it pretty quickly that day.

~~~
JshWright
> you could listen to this stuff as an experiment with your amateur radio
> license

A license is only required to transmit. There is no license required to
receive (how would that work, anyway?).

~~~
lsaferite
> how would that work, anyway?

[https://en.wikipedia.org/wiki/Television_licence](https://en.wikipedia.org/wiki/Television_licence)

Ask all of those countries.

------
anfilt
I am not too surprised. A lot of emergency services use analog radio. Pretty
much works with all radios, and no setup before hand unlike with encrypted
radio. No need to negotiate things with other agencies either.

------
pgkyc
A few notes:

* In Canada, we have jurisdictional privacy law. In this case BC FIPPA. This is different than in the US where the few privacy laws that exist are mostly sectoral, such as health (HIPAA). [https://www.oipc.bc.ca/guidance-documents/1466](https://www.oipc.bc.ca/guidance-documents/1466)

* In Canada, only one party has to agree to record a telephone conversation.

* In Canada, it is not illegal to have a scanner and listen to phone calls even, hence the need to encrypt them faster up here. POCSAG decoding was done in the middle of the 90s with my local #2600 group. It's even easier now with RTL-SDR. [https://twitter.com/cqwww/status/1171113297011019781](https://twitter.com/cqwww/status/1171113297011019781)

* I've been in two states of emergency in my life. Cell phone switches go down in minutes. You want to have your amateur radio licence, an amateur radio, and battery, on standby for when this happens. Practice setting up a data connection too, as the internet goes away quickly as well. Get your ham radio licence, it's free, and you have your call sign for life. It's a nerdy thing to have except in an emergency, where you quickly turn to hero if you're the only person in your area capable of communicating with emergency services.

------
raxxorrax
I wonder how many security issues relate to the data formats that are often
used to exchange medical information. I believe northern American nations
mostly use HL7, while European countries tend to prefer Dicom.

HL7 has been around since 1987, while Dicom is older than TCP/IP I believe. I
think requirements for data exchange fundamentally changed in the last 30
years and at least Dicom is just horrible to handle.

True, you could upgrade it by putting everything in a crypt container, but
that is just a quick fix.

This is a case where I fully support software engineers that say that we need
to fully reimplement these formats. It is good to have standards here, but
many manufacturers of medical devices have their own proprietary adaptations
anyway. It shouldn't mean throwing everything learned from these formats away.
Just maybe it should all be reevaluated.

~~~
criley2
HL7 is just text, if you're not sending it over SSL then it's arguably easier
to decipher than a simple webpage when looking through the packets!

The current thing is called FHIR though and instead of sending text HL7v2
messages directly to a port over SSL now we can use a web service, HTTPS, and
exchange JSON messages.

~~~
raxxorrax
Oh really? I always thought it would mainly be an image container like Dicom,
which is in practice abused to exchange text just as well. Haven't had the
pleasure to work with HL7, I was just tormented by Dicom and have always been
told that HL7 is just the American version of it.

~~~
criley2
All of my legacy interfaces for an EHR vendor are HL7v2 based. It's pretty
simple to work with but our lack of external libraries leaves me tinkering
with opening ports and reading data manually too much.

The beginning of an HL7 (2.4) message with the header and patient ID node
might look like this (this example looks like an ORU^R01 inbound lab result)

MSH|^~\&|GHH LAB|ELAB-3|GHH OE|BLDG4|200202150930||ORU^R01|CNTRL-3456|P|2.4

PID|||555-44-4444||EVERYWOMAN^EVE^E^^^^L|JONES|19620320|F|||153 FERNWOOD DR.^^STATESVILLE^OH^35292||(206)3345232|(206)752-121||||AC555444444||67-A4335^OH^20030520

Just a list of offsets using |^~\& separators sent directly over a port.

The JSON/FHIR versions are nicer even if they are more verbose.
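
An added example, not code from criley2's post or from any EHR vendor: a small
Python parser for the HL7v2 message quoted above (the wrapped PID line
rejoined into one segment). It reads the delimiters from MSH-1/MSH-2 instead
of hard-coding them, accepts the differing segment terminators that senders
use, expands the standard escape sequences, and masks the identifying PID
fields so an interface engine can log or trace a message without writing PHI
to disk. The PHI field list is an assumption based on HL7 v2.4 PID numbering.

```python
"""Minimal HL7 v2.x parser with a PHI-masking pass (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed input: the two segments from the post, joined with the carriage
# return that HL7 v2 uses as its segment terminator.
SAMPLE_MESSAGE = (
    "MSH|^~\\&|GHH LAB|ELAB-3|GHH OE|BLDG4|200202150930||ORU^R01|CNTRL-3456|P|2.4\r"
    "PID|||555-44-4444||EVERYWOMAN^EVE^E^^^^L|JONES|19620320|F|||"
    "153 FERNWOOD DR.^^STATESVILLE^OH^35292||(206)3345232|(206)752-121||||"
    "AC555444444||67-A4335^OH^20030520\r"
)

# PID fields (HL7 v2.4 numbering) that carry direct identifiers. Assumed list
# for this example; a real deployment would derive it from its own data map.
PHI_PID_FIELDS = {
    3: "patient identifier list", 5: "patient name", 6: "mother's maiden name",
    7: "date of birth", 11: "patient address", 13: "home phone",
    14: "business phone", 18: "patient account number", 19: "SSN",
    20: "driver's license",
}


@dataclass(frozen=True)
class Delimiters:
    """The five delimiters declared by MSH-1 and MSH-2 of each message."""
    field: str = "|"
    component: str = "^"
    repetition: str = "~"
    escape: str = "\\"
    subcomponent: str = "&"

    @classmethod
    def from_msh(cls, msh_line: str) -> "Delimiters":
        # MSH-1 is the single field separator; MSH-2 holds the encoding
        # characters in the order component, repetition, escape, subcomponent.
        if not msh_line.startswith("MSH") or len(msh_line) < 8:
            raise ValueError("message must begin with a complete MSH segment")
        return cls(msh_line[3], *msh_line[4:8])


def split_segments(raw: str) -> list[str]:
    # The standard says \r, but \n and \r\n show up in the wild; accept all.
    normalized = raw.replace("\r\n", "\n").replace("\r", "\n")
    return [line for line in normalized.split("\n") if line]


def parse_message(raw: str) -> tuple[Delimiters, list[list[str]]]:
    """Return the delimiters and each segment as a list of fields.

    Index 0 of each list is the segment name, so list index == HL7 field
    number. For MSH the separator itself is re-inserted as MSH-1 so that
    MSH-9 (message type) and MSH-12 (version) land at their standard indices.
    """
    lines = split_segments(raw)
    if not lines:
        raise ValueError("empty message")
    delims = Delimiters.from_msh(lines[0])
    segments = []
    for line in lines:
        fields = line.split(delims.field)
        if fields[0] == "MSH":
            fields.insert(1, delims.field)
        segments.append(fields)
    return delims, segments


def get_field(segments: list[list[str]], name: str, number: int) -> str:
    """Field `number` of the first `name` segment, or '' if absent."""
    for seg in segments:
        if seg[0] == name:
            return seg[number] if number < len(seg) else ""
    return ""


def components(value: str, delims: Delimiters) -> list[str]:
    return value.split(delims.component)


def unescape(value: str, d: Delimiters) -> str:
    # Standard escapes: \F\ field, \S\ component, \T\ subcomponent,
    # \R\ repetition, \E\ the escape character itself.
    table = {"F": d.field, "S": d.component, "T": d.subcomponent,
             "R": d.repetition, "E": d.escape}
    out, i = [], 0
    while i < len(value):
        if (value[i] == d.escape and i + 2 < len(value)
                and value[i + 2] == d.escape and value[i + 1] in table):
            out.append(table[value[i + 1]])
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def phi_fields_present(raw: str) -> list[str]:
    """Names of the populated PHI-bearing PID fields, without their values."""
    _, segments = parse_message(raw)
    return [label for number, label in sorted(PHI_PID_FIELDS.items())
            if get_field(segments, "PID", number)]


def mask_phi(raw: str, mask: str = "[REDACTED]") -> str:
    """Rebuild the message with identifying PID fields replaced by `mask`."""
    delims, segments = parse_message(raw)
    out = []
    for seg in segments:
        fields = list(seg)
        if fields[0] == "PID":
            for number in PHI_PID_FIELDS:
                if number < len(fields) and fields[number]:
                    fields[number] = mask
        elif fields[0] == "MSH":
            del fields[1]  # drop the re-inserted MSH-1 before re-joining
        out.append(delims.field.join(fields))
    return "\r".join(out) + "\r"


if __name__ == "__main__":
    print("PHI fields carried:", phi_fields_present(SAMPLE_MESSAGE))
    print(mask_phi(SAMPLE_MESSAGE).replace("\r", "\n"))
```

The masked form keeps MSH intact and the non-identifying PID-8 (sex), so
routing and message-type statistics still work on the redacted copy; only the
fields that tie a message to a person are removed.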

~~~
lostlogin
HL7 is so awful. My introduction is seared into my memory as I hadn’t
realised the various line break methods allowed/used.

I have dealt with a vendor whose existence began with and is still heavily
propped up by their HL7 broker service. It seems rather lucrative.

~~~
cabaalis
HL7 is the manifestation of all that is unholy and wrong.

------
hxjfbjxbbc
rtlsdr + gqrx + multimon-ng

poke around 929.600 MHz and you'll eventually find a shitload of PHI in most
metro areas. you'll probably also find a ton of industrial traffic, and the
occasional weather and sports scores.

it's also not far fetched to think it's used as a means to broadcast to/from
field operatives. most pager lines offer an smtp gateway, so a bit of "spam"
could have an intended recipient anywhere in the region, or possibly country
based on network.

~~~
DrAwdeOccarim
I was just about to buy an SDR rig to play around with, so the timing of your
comment is wonderful. I have been looking off and on for a year now and there
are just too many choices. I have my tech license, but then I had two kids and
haven't been able to go for general yet. I've been bored not getting on HF,
which is where I hear all the "action" is. So what SDR would you recommend I
get if I also wanted the ability to transmit HF one day?

~~~
jrockway
I don't think it's economic to buy an SDR rig with the intention of maybe
transmitting on HF one day. Most HF digital modes are audio-jack based,
meaning that you connect any radio, particularly a used one that you can get
cheaply on eBay, to your computer via a line-in/line-out connection. You do
not need any fancy SDR stuff going on; popular digital modes like FT8 put the
entire band in the space of one normal voice conversation. So no special
equipment whatsoever is necessary to use digital modes.

One time I had my audio misconfigured to use my microphone instead of the
line-in, and I had my radio disconnected from the computer to tune the
antenna. As I was listening through the radio's built-in speaker, my computer
properly decoded a number of FT8 transmissions... through the microphone. You
really don't need anything expensive or interesting to do SDR stuff on the HF
bands.

People that buy the "real" ham SDRs are doing things like contesting, where
they really need to see entire bands, or even multiple bands, at once. And
they're paying over $10,000 for that.

The cheap "hacker" SDRs are largely inadequate for ham work. They are OK, but
not great. They don't have proper frontends, so transmit a lot of out-of-band
garbage. They don't have niceties like an antenna matching network, or even a
power amplifier. I have a KX3 which has a maximum transmit power of 12W. But
these hobbyist boards will max out in the mW range. It is adequate for some
digital modes, but even then, it's pretty low. I typically run FT8 at 1-3W. So
generally, would not recommend these for someone new to the hobby. Buy an RTL-
SDR stick for $20. Listen to some stuff. When you get bored, find a proper HF
radio in the $300 range and use that. If you then decide you want to spend
$10,000 on the hobby, then you can start looking into the SDRs ;)

------
Uhrheber
"didn’t seem to rely on any radio connection"

What did they think it relies on? Fairy dust?

------
Spastche
this is pretty much every hospital in america too

~~~
13of40
Do you know that, or are you speculating?

Edit: Huh, I guess you might be right.
[https://www.beckershospitalreview.com/cybersecurity/man-s-antenna-picks-up-phi-from-pagers-at-5-hospitals.html](https://www.beckershospitalreview.com/cybersecurity/man-s-antenna-picks-up-phi-from-pagers-at-5-hospitals.html) (2018)

~~~
dlgeek
I have absolutely seen this sort of thing in a major US city.

------
beaugunderson
Happening in the majority of the hospitals in Seattle as well.

------
endymi0n
While the findings are solid and the denial is despicable corpspeak, I fear
the data is still way safer this way than letting the same kind of contractors
build a "secure" app and then finding all that data neatly ordered in an open
S3 bucket or MongoDB a year later.

Nobody's gonna put up an antenna over years collecting all this noisy stuff.

On top, my condolences for the hospital IT staff having to exchange thousands
of real pagers with real doctors, and train them again over the course of
several months, all for a pretty synthetic finding that took them a couple of
hours.

Builders vs. breakers all again... Well, you got your attention, guys.

~~~
Uhrheber
> Nobody's gonna put up an antenna over years collecting all this noisy stuff

What do you think all the antennas on embassy buildings are for?

------
throw0101a
Going over the timeline, I find these things very odd:

> _2018-11-12: Sarah Jamie Lewis reaches out to Vancouver Coastal Health
> Privacy Office (VCH-P) with information about the breach._

> _2019-03-04: Sarah Jamie Lewis meets with two journalists and demonstrates
> the pager breach. This meeting was not recorded and this meeting is never
> followed up on._

> _2019-07-23: During an interview with journalist Francesca Fionda, on Open
> Privacy’s research into Swiss election systems, Sarah Jamie Lewis discusses
> the pager breach._

[...]

> _2019-08-15: Sarah Jamie Lewis reaches out to the Office of the Information
> and Privacy Commissioner for B.C. (OIPC), offering to help aid any
> investigation they wish to undertake in regards to this data breach._

They waited _nine months_ before contacting the provincial Privacy
Commissioner? They contacted journalists before the OIPC?

* [https://www.oipc.bc.ca](https://www.oipc.bc.ca)

~~~
sarahjamielewis
There is no official way for 3rd parties to make breach reports to OIPC-BC
(nor is there a legal requirement for VCH to report to them) - it was only
after Francesca raised the issue during a meeting with the commissioner
(regarding breaches in general) that we were informed they would be
interested in this, and were given an avenue to contact them in a way that an
investigation might be authorized.

