Re: McKesson Horizon Clinical Infrastructure (HCI) version 7.6/7.8/10.0/10.1 hardcoded passwords

[Shawn Merdinger <shawnmer () gmail com>]

Hi Michael,

On Wed, Oct 21, 2009 at 9:36 AM, Michael Krymson <krymson () gmail com> wrote:
> Oh shit, accounting () mckesson com bounced, too! That must mean they don't
> even have any accounting!

Hehe...who knows?  Maybe you needed to do @internal.mckesson.com ;-P

Bringing this back to the issue at hand, a security POC at any vendor
is, I suggest, a good thing (tm).

As an fyi, and specifically pertaining to medical device security,
some efforts are underway; and I humbly suggest that this community
could make further recommendations.

Please see the following:

"Manufacturer Disclosure Statement for Medical Device Security" by the
Healthcare Information and Management Systems Society (HIMSS)

Healthcare Information and Management Systems Society (HIMSS) --
http://www.himss.org

HIMSS Manufacturer Disclosure Statement for Medical Device Security --
http://www.himss.org/ASP/topics_FocusDynamic.asp?faid=99

"In light of increased focus on medical device security, the HIMSS
Medical Device Security Work Group created the Manufacturer Disclosure
Statement for Medical Device Security (MDS2)." --
http://www.nema.org/stds/hn1.cfm

Direct PDF download of HIMSS/NEMA HN 1-2008 guidelines:
http://www.jira-net.or.jp/commission/system/04_information/files/HN1_MDS2_final.pdf

MDS2 Excel worksheet:
http://www.nema.org/stds/complimentary-docs/upload/MDS2%20Worksheet.xls

Cheers,
--scm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/