CERT warns of hardcoded creds in medical app

The US computer emergency response team has issued a warning after admin credentials were found in a popular medical application used for acquiring patient data.

The MEDHOST application is designed for handling the perioperative three stages of surgery including patient tracking, and patient conditions. It can be hosted and managed remotely.

About 1,000 healthcare facilities use the company's various technology products.

The flaw meant attackers could key in the details and access patient data on servers that did not restrict logins from unknown locations.

Daniel Dunstedter reported the hardcoded credential flaw (CVE-2016-4328) in MEDHOST Perioperative Information Management System in versions older than 2015R1.

"An attacker with knowledge of the hardcoded credentials and the ability to communicate directly with the application database server may be able to obtain or modify patient information," US CERT vulnerability analyst Joel Land says.

"As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from using the hard-coded credentials from a blocked network location."

The vendor pushed out a fix about a month after the March disclosure. ®