Backdoor Security Issues

Vendor Risk from Backdoors

This month Carnegie Mellon University’s CERT Division issued an advisory regarding a flaw in Medhost’s Perioperative Information Management System (PIMS). PIMS is a widely used suite of applications for surgery departments to manage surgical cases from initial consult through post-surgery discharge. The flaw, for which Medhost has issued a patch, was the inclusion of a hardcoded “backdoor” that allows anyone who knows a hardcoded administrative UserID and password to access the system. Vendor risk is an important consideration for organizations subject to HIPAA.

An attacker would need the ability to communicate directly with the server: some organizations deploy the software on internal servers, while others use remotely hosted systems that are accessible via the internet.

No specific information from Medhost is available about the reason for this security flaw. Hardcoded access credentials are sometimes included by developers for testing the application and, through oversight, are not removed before the software is released. Alternatively, the software author may have intentionally included the backdoor in order to provide ongoing technical support. Regardless of the reason, anyone with access to the server and knowledge of the credential could gain full access to any PIMS system.

There are several takeaways from this situation:

  1. Pay attention to security patches from your vendor and promptly install important updates.
  2. It is important to recognize that vendors and their software offerings are imperfect. Any vendor selling software to the healthcare industry will include in their marketing information that the system includes strong security features. This doesn’t mean that all vendors follow established best practices. Your risk analysis should identify vendor flaws as a risk, especially for applications that are accessible via the internet.
  3. A risk management best practice is an effective vendor risk management program. There are multiple approaches to vendor risk management, including vendor surveys, services that quantify vendor security profiles and risks, penetration testing, and other methods. When implementing a vendor risk management program in healthcare, any application that processes ePHI should be evaluated; however, flaws in other vendors’ systems, such as payroll or supply chain management, can also compromise a network and ultimately the ePHI.