[chimeracoder]

> Hospitals in my area of the US still use POCSAG pagers, totally unencrypted. They do mention patient information, but I guess the obscurity makes it ok.

Nope, the obscurity doesn't make it okay. If it takes place over the phone lines, it is arguably exempt from encryption requirements under HIPAA (much like a fax).

Otherwise, they're just turning a blind eye and hoping nobody notices (which is surprisingly common when it comes to HIPAA).

The good news (for them, not for patients) is that, even if they get caught, the maximum fine is $2 million per calendar year per category of violation, so if they're flush enough they don't even need to bother being compliant in this area.

[fein]

It's over the air, not even phone lines. PDW, SDRSharp, and an rtl-sdr dongle is all that's needed. And yes, there is a lot of patient info in that traffic. It's not illegal for the hospital to broadcast this, and it's not illegal to listen in and decode the signals, but it is very much illegal to do anything with the information gathered.

[chimeracoder]

> It's over the air, not even phone lines. PDW, SDRSharp, and an rtl-sdr dongle is all that's needed. And yes, there is a lot of patient info in that traffic. It's not illegal for the hospital to broadcast this, and it's not illegal to listen in and decode the signals, but it is very much illegal to do anything with the information gathered.

I'm not familiar with this particular technology, which is why I didn't make a definitive claim in my previous comment. But I am quite intimately familiar with HIPAA and related regulations, and I am extremely skeptical of the third sentence you wrote.

[hunter2_]

Maybe it uses particular spectrum that is considered illegal to tamper with, just like analog cell phone signals, and HIPAA (inappropriately IMHO) leans on that to explain away an exemption from encryption?

[upofadown]

Probably: https://www.fcc.gov/consumers/guides/interception-and-divulg...

[op00to]

There’s not much to do knowing that a patient pooped and needs to get cleaned up in room 604.

[fein]

I don't think I have any logs of these any more, but when I was listening on the local hospital's pager traffic, I seem to recall messages that were along the lines of [last name][room number][sexually transmitted disease test is complete]. Surprised me at the time too because I used to do work dealing with processing CDA documents into fhir data and I know how crazy HIPAA can be with PHI/PII, but at the same time these legal frameworks often have carveouts or super serious adoption deadlines that keep getting pushed to next year (and then next year, and then next year).

[paradox460]

Not even that much. A flipper can do it