Widely-used patient care app found to include hidden 'backdoor' access

Anyone with the hard-coded credentials can obtain and modify sensitive data on patients, many of whom are about to be in, or have recently been in, surgery.
Written by Zack Whittaker, Contributor


An application suite designed to help clinical teams manage patients ahead of surgical operations includes a hidden username and password, which could be used to access and modify patient records.

The hard-coded credentials in Medhost's Perioperative Information Management System (PIMS) have not been publicly disclosed, but if known, they could allow an attacker to "backdoor" the app to read or change sensitive information on patients who are about to be in, or have just recently been in, surgery.

The bug prompted the CERT security advisory team at Carnegie Mellon University, which tracks bugs and security issues, to issue an advisory, warning administrators to upgrade to a newer version of the software that removes the credentials.

Users of the app -- typically clinical staff and physicians -- are able to get wide-ranging data on patients. On its website, the company touts how the app enables anesthesiologists "access to critical patient information in real-time and allows them to ensure patient condition and status are good," as well as "detailed information on patient health medical history, physical exam, etc. and is readily available to all clinicians throughout the department."

The advisory said that the attacker must have the ability to "communicate directly with the server." However, PIMS can be remotely hosted and managed, the application's documentation states.

According to Medhost's website, its PIMS application delivers "real-time access to patient data and clinical systems," from "initial consult, complete anesthesia and nurse charting through decision support and post-surgery discharge."

It's not known how many installations or how many users and patients are affected. The company is said to serve around 1,000 healthcare facilities.

A Medhost spokesperson declined to comment further when contacted late Thursday.

Daniel Dunstedter, who was credited with finding and privately disclosing the flaw, could not be reached for comment.
