CERT warns of hardcoded creds in medical app
Darren Pauli reports:
The US computer emergency response team has issued a warning after admin credentials were found in a popular medical application used for acquiring patient data.
The MEDHOST application is designed for handling the perioperative three stages of surgery including patient tracking, and patient conditions. It can be hosted and managed remotely.
About 1,000 healthcare facilities use the company’s various technology products.
The flaw meant attackers could key in the details and access patient data on servers that did not restrict logins from unknown locations.
Daniel Dunstedter reported the hardcoded credential flaw (CVE-2016-4328) in MEDHOST Perioperative Information Management System in versions older than 2015R1.
Read more on The Register.
If this sounds vaguely familiar, it may be because it’s precisely the same issue another security researcher had reported to CERT about Henry Schein Dental’s Dentrix software. And it’s the same issue he reported to CERT in February about Patterson Dental’s Eaglesoft software. The biggest difference I can see so far is that MEDHOST responded and pushed out a fix within one month, whereas Henry Schein did not effectively fix the problem in Dentrix for years and Patterson Dental hasn’t even responded to CERT’s notification.
This vulnerability is well-known and puts consumers and patients at risk of substantial injury. Maybe it’s time for FTC and HHS to issue some press release or warning or guidance? Entities that expose patients to risk of data theft or compromise of their records due to this vulnerability should be held accountable.