A number of years ago, I got ahold of an software radio and started to do some research using it. In late 2016, I began to listen in on POCSAG and I learnt of a problem that affects one of the local health authorities in Metro Vancouver. It faded from memory soon as I started to figure out what to do due to some health concerns that arose simultaneously.
What is POCSAG?
POCSAG (“Post Office Code Standardisation Advisory Group”) is a protocol which dates back to the 1970s, allowing for data to be transmitted to pagers. That’s right: the devices that we once referred to as “beepers” are still alive and well and are used by medical professionals. They’re cheap and because there is always a desire to cut healthcare by successive provincial governments over the past two decades, we’re left with using them because “they work”.
These devices are used by many health authorities and even private services in the United States. They rely on the data not being readily accessible because they’re not sent over commodity services like Wi-Fi.
However, it’s still easy to listen if you have some technical knowledge. They’re also readily supported by Bell and Rogers, although in 2015, Telus shutdown their network.
Why are you talking about this?
Open Privacy put out a news release stating that during an unrelated project, they discovered that Vancouver Coastal Health had been broadcasting personal details about patients using an unencrypted network.
The absurd timeline between November 11, 2018 and today (September 9, 2019) means that VCH is woefully aware of how compromised patients are. This quote from VCH’s Privacy Office to Open Privacy’s Sarah Jamie Lewis really pissed me off:
We are committed to ensuring our clients’ privacy is upheld. At this time, we have not identified any paging system used at VGH that compromises client privacy. Our investigation findings leads us to believe that patient information is protected and not being intercepted.
VCH has failed to understand the gravity of the matter despite having been presented by Lewis with how simple it was to grab that data from thin air. Just because one person is bringing it up doesn’t mean that nobody else has seen it.
In 2016, I was working on listening to POCSAG data using off-the-shelf hardware. It has been talked about for ages that local hospitals use the pager network to send data about various patients and I wanted to see for myself. Data included personal health numbers (PHNs), patient names, patient ailments, rooms that need cleaning, physician details, and so on.
I was confounded on what to do with this because how do you go and tell the health authority to stop using an unencrypted network to send details like that? It’s one thing to tell a team to go clean a room, but it’s another when you’re sending data that is sensitive.
Due to some health matters that came up simultaneously, I shelved this research and any data I inadvertently collected has since been erased–nobody should be recording this information anyway. I did speak about the matter with a few people locally in the information security space, but nothing further was done about it and I forgot about the whole situation.
However as mentioned before, it has been reported by others:
Literally decades. I used to work at a radio shop that supported this system in the early 90s, tuning and testing pagers, as well as console work adding and removing pagers from the system.
This won’t be resolved quickly. There is a mountain of legacy hardware out there and to mitigate it (migrate to encrypted pagers and possibly new transmitting equipment) would involve significant capital expenditure. Budget cycles being what they are, I would be amazed if this gets rectified within 5 years.
Which then segues into this: when Telus closed down their pager network in 2015, Vancouver Coastal Health–including Providence HealthCare and Provincial Health Services Authority (PHSA)–switched to PageNet:
TELUS is terminating its paging services across Canada effective March 31, 2015. This means all existing TELUS pager users in our health organizations will need to replace their paging device before that date. After March 31, PageNet will be our primary paging service provider across Providence Health Care, PHSA, and Providence Health Care.
Who is affected?
All existing users of TELUS pagers. Providence Health Care uses PageNet paging services and is not impacted. If you are unsure whether you use a TELUS pager, simply call your service. A TELUS pager will be answered by TELUS.
I have a TELUS pager. What should I do?
To ensure uninterrupted paging service, please initiate the pager replacement process immediately.
Presented with an opportunity to switch off of a system that is insecure, our health authorities were forced to choose the cheaper option because years of cutbacks by the BC Liberals. Funny how that all works right?
How simple is it to listen?
You can listen to POCSAG transmissions for cheap using parts from Amazon with any computer made in the past decade will be able to work with whatever you get.
For just under $50 CAD, you can get details about who is sick with what ailment, personal health numbers, and all sorts of information you shouldn’t have. You can do it for even cheaper if you know what DVB-T tuners use the chipset used in the NooElec device I linked to and salvage an antenna from a radio scanner.
It’s really not all that hard.
With respect to the software, I was going to include details on how to tune in using open source software, but I do wish to add a layer of obscurity to protect patients. This doesn’t require any certification and can be done with some intermediate computer knowledge, with a little bit of research skills as well.
Is this legal?
Yes. Although I am not a lawyer, this has been constantly discussed in the radio scanning community.
Except if you share the data. If you haven’t noticed yet, I haven’t posted any sort of data I’ve received because that is in fact illegal.
Under the Radiocommunication Act under section 4, it states:
4 (1) No person shall, except under and in accordance with a radio authorization, install, operate or possess radio apparatus, other than (a) radio apparatus exempted by or under regulations made under paragraph 6(1)(m); or (b) radio apparatus that is capable only of the reception of broadcasting and that is not a distribution undertaking.
This means that it is perfectly legal to have a device (such as an RTL-SDR, a radio scanner, or even just a regular TV) to receive signals provided that you are not rebroadcasting. It is impossible to stop people from receiving signals because signals do not discriminate where they reach, but it is possible to stop people from sending signals because that is a human-controlled action.
Rebroadcasting is effectively covered under section 6:
6 (1) The Governor in Council may make regulations […] (n) prohibiting or regulating the further telecommunication, other than by persons operating broadcasting undertakings, of radiocommunications;
There are further laws that cover this but basically you can happily listen in and do whatever for your own personal enjoyment but you cannot go about rebroadcasting it. Being that this is just a lousy blog on the Internet, that counts as “further telecommunication”.
What is next?
This is up to VCH to fix but ultimately they will probably address this at a glacial pace. Privacy around data handling will have to be considered at the same time.