Jul 01 2022

Finding a Path Forward from Log4j in Healthcare

Make sure you stay ahead of the game with cyber vulnerabilities instead of playing catch up.

As 2021 came to an end, breaking news rocketed through the cybersecurity community: Researchers had discovered a serious security vulnerability in the widely used Apache Log4j utility that posed a significant risk to enterprise security.

Activity over the next couple of weeks followed what has become a familiar script for security professionals. Teams rushed to identify places where their organizations were using Log4j and attempted to patch those deployments before attackers had the opportunity to strike. Experienced security professionals who had lived through the 2014 Heartbleed vulnerability experienced déjà vu as organizations struggled to figure out where they were using this popular open-source component.

With that initial flurry of activity in the rearview mirror, healthcare organizations should now use this opportunity to examine their cybersecurity programs to ensure they’ve not only remediated this serious issue but also prepared themselves to respond more efficiently and effectively to the next major vulnerability announcement.

Click the banner below for more HealthTech content on security and zero trust.

What are Log4j and Log4Shell?

Log4j is a piece of software that most computer users will never interact with, but it is present on a tremendous number of systems. It is a Java library that handles logging and reporting of application events, and it’s embedded in many Java applications because developers find it extremely useful to meet security and compliance requirements that they log application activity. The software is maintained by the Apache Software Foundation and has been around for over two decades. It’s hard to imagine a modern organization that isn’t running software that relies on this library somewhere in their technology environment.

Log4j reliably performed its job in relative obscurity until Dec. 9, 2021, when Apache announced the presence of the Log4Shell vulnerability, which posed a critical risk to the security of internet-connected systems that use Log4j. The vulnerability allows an attacker to take complete control of unpatched systems, often by sending a simple HTTP request to a web application running on that server. 

Attackers were quick to exploit this vulnerability, building the exploit into widely used botnet code and compromising systems worldwide. The simplicity of the attack and its devastating consequences led to Log4Shell receiving a score of 10 under the Common Vulnerability Scoring System — the highest severity score possible under CVSS, warranting immediate attention from cybersecurity professionals.

WATCH THE VIDEO: Learn how to address Log4j vulnerabilities and protect your network.

Healthcare Organizations Should Patch Systems Now

Healthcare organizations that have not already done so should immediately scan their network for systems running vulnerable versions of Log4j and patch those systems as quickly as possible.  To assist with this task, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of potentially vulnerable applications that incorporate Log4j. And the CERT Coordination Center offers a Log4j scanning tool that can check the status of specific Java applications.

There’s an added twist for organizations that discover vulnerable deployments of Log4j today.  This vulnerability has been widely publicized and exploited for more than six months. That means that an organization discovering a vulnerable system that has applications exposed to the internet should assume that the system is compromised and immediately activate their incident response plans to perform a thorough investigation and response.

Technologists in healthcare organizations know that it isn’t always possible to update software used in a medical environment and, in fact, some embedded systems simply can’t be updated.  In those situations, vulnerable devices should be placed on an isolated network whenever possible. CISA also offers mitigation measures that may be used to reduce the vulnerability of systems running affected versions of Log4j.

RELATED: Find out how to address the Log4j security issue with DevOps.

Long-Term Strategies to Address Log4j in Healthcare

Healthcare organizations that have already addressed Log4j can use this opportunity to address some of the underlying issues that allowed Log4j to become so disruptive. 

There are four specific actions that organizations can take to have a dramatic impact on their ability to respond to similar incidents in the future:

  1. Develop an inventory of applications and components: When new vulnerabilities come out, one of the fundamental challenges that most organizations face is that they don’t know what software they run and what components that software relies upon. Organizations should develop an inventory of the software that they use and the components that software relies upon to allow them to quickly trace the use of vulnerable components. Software composition analysis tools can help with this work, peeling back layers of production applications to identify underlying components.
  2. Implement a strong patch management program: Most healthcare organizations today do a good job of keeping operating systems patched to current security standards. Application patching, however, often remains an elusive goal. Providers should ensure that their patch management programs cover all of the operating systems, applications and devices used in their environments, paying particular attention to those with public exposure.
  3. Actively manage security vulnerabilities: Cybersecurity teams at modern healthcare organizations almost always have a vulnerability scanning tool in their arsenal. However, that tool is only effective when a rigorous process ensures that those vulnerabilities are promptly resolved. Providers who have not already done so should consider integrating their vulnerability management tools with their IT service management tools to provide visibility into and tracking of remediation efforts.
  4. Obtain and monitor threat intelligence sources: A variety of open-source and commercial products provide insight into rapidly changing threat environments. Cybersecurity teams should actively monitor several diverse sources of threat intelligence to identify potential threats to their operations.

The cybersecurity community is on the tail end of the Log4j vulnerability. We’ve patched most of our systems and restored services that depended on vulnerable components.

Now is the time to get your house in order and ensure that you’re better prepared for the next vulnerability before it comes down the pipe.

UP NEXT: Discover why partnerships are important to healthcare security.

style-photography/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT