With Open Source Comes Responsibility
WordPress is an open source project with contributors drawn from a large community of coders, designers, and organizational and institutional implementers. Because the source is open, anyone can examine the code before integrating it into an existing information system. Since no Non-Disclosure Agreement (NDA) is required to review the source, an organization or institution planning to deploy WordPress (core, themes and plugins alike) carries the responsibility of performing a line-by-line review of the code it intends to run, or of having a third-party service perform and certify that review, with particular attention to security.
Although the project is open source and many contributing developers have already read through the code base, that is not a justification for skipping the code review process, particularly for sensitive and privacy-related applications such as healthcare. In the event of a security breach, the use of open source components that were never reviewed or tested internally could be treated as an aggravating factor. Other security measures should also be instituted, such as penetration testing of the application itself in addition to testing the server infrastructure on which it runs.
OWASP WordPress Security Implementation Guideline
For implementers who are planning on integrating WordPress in their IT infrastructure, the Open Web Application Security Project (OWASP) guidelines for implementing WordPress can be a useful guide.