December 15, 2021 04:42 PM

What you need to know about the Log4j vulnerability

Jessica Kim Cohen
    MH Illustration / Getty Images

    Hospital and health system executives should assess the software they're using and monitor their networks as businesses across the U.S. grapple with a recently discovered cybersecurity vulnerability found in enterprise applications and cloud services, experts say.

    "What makes this vulnerability so dangerous is the fact that it is ubiquitous," said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, of the Log4j vulnerability. "It's third-party software that's embedded in other devices or programs, which has widespread use across all sectors—including healthcare."

    The flaw is found in a widely used open-source piece of software known as Log4j, a logging framework that records activities that take place in an application, often to log performance and security information. It's used in Java, a popular programming language that underpins many software programs.

    Hackers could exploit the vulnerability to remotely send a command to a system running the software and subsequently take control of that system. From there, a hacker could potentially exfiltrate patient data or deploy ransomware.

    The vulnerability is already being "widely exploited by a growing set of threat actors," said Jen Easterly, director of the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, in a statement posted online this weekend. "To be clear, this vulnerability poses a severe risk."

    CISA is working with public- and private-sector partners, including the Federal Bureau of Investigation and the National Security Agency.

    The volunteer not-for-profit group that develops the software, the Apache Software Foundation, has released upgraded Log4j versions that address the vulnerability, which organizations may in some cases be able to apply on their own.

    But organizations using software with the vulnerability will mainly rely on vendors to identify and patch their products, Easterly said. She said organizations should identify all external-facing devices that have Log4j installed and ensure their security team is updating those devices as vendors make fixes available.

    She urged vendors to inform customers about whether products contain the Log4j vulnerability.
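    As an added example (not code from the article, Apache, the AHA, CISA or any vendor), a small Python inventory script that implements the "identify where Log4j is installed" step on a single host: it finds log4j-core copies on disk, including JARs nested inside WAR/EAR archives, reads each copy's version from its Maven metadata, and compares that against the fixed version taken from the vendor's advisory, which is an assumed input because the article names none. The sample archives it builds are constructed test data.

```python
# Added example for this article, not code from Apache, a vendor or the AHA.
import io
import os
import re
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Maven metadata inside log4j-core JARs; a renamed file name cannot hide it.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def _scan_archive(zf, label, found):
    """Record this archive's log4j-core version, then recurse into nested archives."""
    if POM_PROPS in zf.namelist():
        m = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        if m:
            found.append((label, m.group(1).strip()))
    for name in zf.namelist():
        if name.lower().endswith(ARCHIVE_EXTS):
            data = io.BytesIO(zf.read(name))
            if zipfile.is_zipfile(data):  # skip entries merely named like archives
                _scan_archive(zipfile.ZipFile(data), f"{label}!{name}", found)

def find_log4j(root):
    """Walk root; return [(archive_path, version), ...] for every log4j-core found."""
    found = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(ARCHIVE_EXTS) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    _scan_archive(zf, path, found)
    return found

def needs_update(version, fixed):
    """True when version predates fixed (the version the vendor's advisory names)."""
    def key(v):  # '2.17.1-rc1' -> (2, 17, 1); qualifiers are ignored
        return tuple(int(m.group()) for m in (re.match(r"\d+", p) for p in v.split(".")) if m)
    return key(version) < key(fixed)

def build_sample_tree(root):
    """Constructed sample data: a plain JAR plus a WAR carrying a nested JAR."""
    os.makedirs(root, exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\n")
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.13.0\n")
    with zipfile.ZipFile(os.path.join(root, "site.war"), "w") as war:
        war.writestr("WEB-INF/lib/nested.jar", nested.getvalue())
    return root
```

    Run `find_log4j("/")` (or the application root) on each external-facing host and feed every hit through `needs_update` with the version named in that vendor's advisory; a copy buried inside a WAR is reported with the `outer.war!inner.jar` label so it can be traced back to the product that bundles it.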

    The Log4j logging framework has been used for years, said Bryan Orme, a principal at cybersecurity consulting firm GuidePoint Security.

    "A lot of modern application architectures have been built on top of it," Orme said.

    The vulnerability has affected many cloud companies.

    Amazon's cloud arm released a list of services affected by the vulnerability and whether they've been updated. IBM said it's "actively responding" to the vulnerability, investigating products and services that could be exploited and sharing a running list of products it determines aren't affected by the bug.

    VMware has said the vulnerability affects multiple products for which it's working on patches.

    This scenario is an example of why the AHA has pressed the federal government to require medical devicemakers to disclose a "software bill of materials" for their products, Riggi said.

    The Food and Drug Administration in 2018 released a draft of pre-market guidance for managing cybersecurity in medical devices, which included asking developers of internet-connected medical devices to provide customers with a bill of materials, or rundown of commercial and off-the-shelf technologies in the device. That could help customers assess whether a product is susceptible to vulnerabilities.

    The FDA hasn't released final guidance.

    "One of the biggest challenges we have is just trying to understand what devices and what technologies incorporate this software," Riggi said. "Hospitals and health systems right now are scrambling to identify how they might be exposed to this vulnerability and are making tremendous efforts to patch."

    "Of course, that can be quite the distraction for our hospitals and health systems right now, especially as they're facing a surge of COVID-19 and flu patients," he added.

    Even after applications are patched and updated, it's important to monitor the network for unexpected activity, in case the organization's environment has already been compromised, said Mac McMillan, CEO of cybersecurity consulting firm CynergisTek. The Log4j vulnerability was disclosed late last week, but hackers had reportedly been trying to exploit it since earlier in December, he said.

    "There's a period of time there where somebody could have taken advantage of this vulnerability … and infiltrated [an organization's] system without them knowing it," McMillan said.

    Digital Health Business & Technology
    Copyright © 1996-2022. Crain Communications, Inc. All Rights Reserved.