CDR DICOM Security Information

Background

Making the installation of CDR Dicom software faster and easier has always been important to us. For this reason CDR Dicom ships with default passwords so that customers can start working with the software quickly. In well-protected network environments, the use of default passwords poses limited risk to the patient data stored by CDR. However, improper internal access to this information remains possible, and a recent report by the CERT Vulnerability Analysis Team at Carnegie Mellon University has confirmed this as a potential issue.

Vulnerability

A potential risk exists where unauthorized individuals with knowledge of the default passwords, and internal access to CDR’s SQL database, could retrieve the patient information stored by CDR exams.

CDR uses the following default credentials:

  • sa - This is the system administrator account and is required when installing SQL Server. It has administrative rights to the entire SQL instance.
  • cdr - This is the user account created by CDR and is typically used by clients to connect to the server.

Mitigation

Customers can mitigate the risk caused by this issue in several ways. Any (or all) of these approaches would be appropriate:

  • Change the default passwords in CDR (see link below).
  • Ensure that the network storing patient information is secure and up-to-date with the latest security patches.
  • Ensure patient information is accessed only when necessary and only by those who have a valid reason for doing so.
  • Protect your passwords and keep them secured.
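As an added illustration of the first mitigation (this is example T-SQL, not a script from the CDR advisory or from the CDR product), the statements below review and then replace the passwords of the two SQL Server logins named above. They are run by a sysadmin against the CDR SQL Server instance; the new password values are placeholders to be replaced with long, unique passwords. Note the assumption that CDR client workstations store the `cdr` credential for their own connections, so after rotating it in SQL Server the clients must be updated following the "Changing Default Passwords" page linked below, or they will no longer be able to reach the server.

```sql
-- Added example, not part of the CDR advisory: rotate the default SQL
-- Server logins named in the advisory. Run as a sysadmin (for example in
-- sqlcmd or SQL Server Management Studio) against the CDR instance.
-- '<new-sa-password>' and '<new-cdr-password>' are placeholders.

-- 1. Review the current state of the two logins: whether they are enabled,
--    whether the Windows password policy applies to them, and when their
--    password or properties last changed.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked, modify_date
FROM sys.sql_logins
WHERE name IN (N'sa', N'cdr');

-- 2. Replace the default passwords. CHECK_POLICY = ON makes SQL Server
--    enforce the host's Windows password complexity policy for the login.
ALTER LOGIN [sa]  WITH PASSWORD = N'<new-sa-password>',  CHECK_POLICY = ON;
ALTER LOGIN [cdr] WITH PASSWORD = N'<new-cdr-password>', CHECK_POLICY = ON;

-- 3. Confirm the change took effect: modify_date should now be the current
--    time for both logins.
SELECT name, modify_date
FROM sys.sql_logins
WHERE name IN (N'sa', N'cdr');
```

The first query is also a useful periodic check on its own: a `modify_date` equal to the installation date for `sa` or `cdr` is a sign that the default password was never changed.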

Related Pages

The links below will direct you to other pages on our website for additional steps on how to protect the patient information stored by CDR.

Changing Default Passwords

Performing Custom Installation of SQL Server