Your artwork is not HIPAA compliant

Chicago art exhibit displays problems of pager use – Non HIPAA Compliant

At OnPage, we have long rallied against pagers, highlighting the problems they cause when used as a form of communication between doctors. In many blogs and whitepapers, we have described how:

• pagers are not secure
• pagers are easily hacked
• pagers enable the leaking of protected patient information(PHI).

Our goal, in persistently extending this message is to encourage physicians and hospital staff to use secure, HIPAA compliant communications instead of pagers. But little that we write could be as powerful as the art instillation created by Brannon Dorsey called Holypager.

One man’s pager is another man’s art

We read about Dorsey’s exhibit in an article that was forwarded to us. His exhibit, Holypager is designed to intercept all POCSAG pager messages sent in the city of Chicago. Once intercepted, the messages are all anonymized and then printed out at the exhibit on one of three rolls of receipt paper. The display makes for a large paper pile-up for gallery visitors to view.

While this might not be everyone’s definition of art, Holypager does none-the-less seem to always elicit a reaction. People seem genuinely surprised that pagers’ messages are so easily hacked. Perhaps, they think, patient information should be held to a higher level of security.

An artist’s message of privacy

Perhaps as surprising as the ease with which the pages are hacked is the source of the messages. Almost all of the messages are sent between doctors and hospital staff. According to Brannon, messages almost all contain:

• Patient’s first name
• Patient’s last name
• Patient’s date of birth
• Patient diagnosis

I’m sure visitors to the exhibit expressed thoughts such as ‘Isn’t that sort of information supposed to be protected’? Shouldn’t there be some form of encryption on that information?

Yes, pieces of information like name and diagnosis are clearly PHI. Exchanging the information in a manner which is so easily hacked is a clear HIPAA violation. Doctors are violating HIPAA norms when they exchange this information over pagers rather than using HIPAA compliant messaging.

According to HIPAA Standard 164.306 “doctors must ensure the confidentiality of all electronic PHI they transmit and protect against any reasonably anticipated threats or hazards to the security or integrity of such information”.  As the Holypager exhibit demonstrates the standard of confidentiality is far from maintained.

According to Brannon,

Given the severity of the HIPPA Privacy Act, one would assume that appropriate measures would be taken to prevent this information from being publicly accessible to the general public.

The seemingly obvious answer to Brannon’s assumption is that appropriate measures are not being taken. Brannon hopes to show his results to the hospitals whose pages he has intercepted and let them know they need to embrace more secure messaging methods.

Conclusion

The artist believes that his project is meant to serve as a reminder that as the complexity of digital systems increases, humans don’t always develop a corresponding level of literacy about the systems.

Maybe.

But what I think is easy to get across here is that pagers are a technology whose ship has long ago sailed. Perhaps we’d all be much better off if we recognized the need for our physicians to use and maintain HIPAA compliant communications.