The NHS has been at the centre of politics, but politicians have so far been unable to protect its privacy and security. A radio rig discovered by a security researcher exposed how the NHS's outdated use of pagers may have led to users' private data being broadcast across the UK.
The rig was operated out of a house in North London. It picked up pager radio signals and decoded them into text. Medical emergencies across the region were broadcast on this private radio, according to TechCrunch.
The rig was also connected to a PC and an internet-enabled camera, which broadcast this text across the internet. There was no password on the webcam, so this information was widely broadcast.
The exposure was discovered by Florida-based security researcher Daley Broda, who stumbled upon the exposed webcam.
"You can see details of calls coming in — their name, address, and injury," he told TechCrunch about his findings, which were further verified by the publication. Messages were streamed from the 999 emergency services ambulances. Once the information was decoded, it was found to be routed from a London-based NHS Trust.
That the data could be leaked using cheap, basic hobbyist software is a serious issue, one that could affect the privacy of millions of citizens who use NHS services.
All this stems from the NHS continuing to use pagers instead of newer devices with defence mechanisms and data privacy and security software. While pagers have wider network reach because they operate at low frequencies, the security issues are palpable: the pager protocols POCSAG and FLEX are not encrypted, unlike cellphone-based services such as WhatsApp.
Anybody can tune in to these radio waves using a £15 plug-and-play device.
According to the report, 130,000 NHS pagers are at risk of leaking data, 10 percent of the pagers currently in use around the world. PageOne, the last remaining pager network in the UK, told TechCrunch that it only provides encryption if and when customers ask for it.
There's still a year to go before the NHS pager ban goes into place, so it remains to be seen what actions the organisation takes to ensure data security. This is important because, as long as Britain is part of the EU, it will be in violation of GDPR norms on data security, and the organisation may be severely punished for leaking such data.