(Image: stock photo)

An clinical application suite designed to help clinical teams manage patients ahead of surgical operations includes a hidden username and password, which could be used to access and modify patient records.

The hard-coded credentials in Medhost’s Perioperative Information Management System (PIMS) have not been publicly disclosed, but if known could allow an attacker to “backdoor” the app to read or change sensitive information on patients, who are about to or have just recently been in surgery.

The bug prompted the CERT security advisory team at Carnegie Mellon University, which tracks bugs and security issues, to issue an advisory, warning administrators to upgrade to a newer version of the software that removes the credentials.

Users of the app — typically clinical staff and physicians — are able to get wide-ranging data on patients. On its website, the company touts how the app enables anesthesiologists to “access to critical patient information in real-time and allows them to ensure patient condition and status are good,” as well as “detailed information on patient health medical history, physical exam, etc. and is readily available to all clinicians throughout the department.”

The advisory said that the attacker must have the ability to “communicate directly with the server.” However, PIMS can be remotely hosted and managed, the application’s documentation states.