Jul 27 2022

The Log4j Vulnerability: What Should Healthcare Organizations Do Next to Protect Patient Data?

With medical devices and data at a heightened risk of Log4j exploitation, here are steps you can take to secure your organization and your health IT environment.

As a prime target for cyberattacks and data breaches, healthcare companies must be constantly on guard against new threats. One of the latest and most dangerous vulnerabilities involves a commonly used application tool that resides on many medical devices and in healthcare software solutions.

Log4j is an open-source software that provides logging capabilities for Java applications and offers operational visibility into a range of computer systems, says Ryan Witt, industries solutions and strategy leader for Proofpoint.

“It’s a typical utility you would expect to see in a whole range of systems to track errors and activities,” he adds. “It’s used widely in healthcare and across many industries.”

In November 2021, developers discovered Log4Shell. This zero-day vulnerability had gone unnoticed since 2013 and enabled attackers to execute arbitrary Java code on another computer or server or to access sensitive information. A month later, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 22-02, which ordered federal government agencies to patch or remove all affected applications. While Apache began releasing patches, developers only discovered more vulnerabilities in the following months, including a series involving the Java Naming Directory Interface (JNDI).

Click the banner for access to exclusive HealthTech security content and a customized experience.

In April, CISA advised organizations to continue identifying and remediating vulnerable Log4j instances within their environments and plan for long-term vulnerability management. In June, CISA released a joint advisory to warn network defenders that threat actors have continued to exploit Log4Shell in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds. 

Cybercriminals continually seek new workarounds as patches are released, meaning the Log4j vulnerabilities are evolving, says Doug McKee, principal engineer and director of vulnerability research at Trellix. On the Common Vulnerability Scoring System (CVSS), it’s classified as a 10, the highest and most critically severe ranking.

“It’s typical for any vulnerability in an industry that is of high value. You are going to see it over and over again,” says McKee.

Healthcare organizations must take a proactive approach to addressing Log4j vulnerabilities to protect patient data and critical infrastructure.

The Risk of Log4j Vulnerabilities to Healthcare Organizations

Log4j vulnerabilities present a significant risk to the healthcare industry. In January 2022, the Office of Information Security at the Department of Health and Human Services released a threat brief about the Log4j vulnerabilities in the healthcare sector. It noted that while no healthcare company has yet reported a major compromise, the industry remains “highly vulnerable.”

One reason for the heightened risk is that healthcare institutions typically have a large variety of devices and back-end systems, some of which can be more than a decade old. This complexity and volume of endpoints can make it challenging to find and identify vulnerabilities, says McKee.

“It could be a pump, a patient monitor or a back-end system like Epic,” he explains. “The challenge is understanding where they are vulnerable, where they are using it and how it affects their network.”

READ MORE: Find a path forward from Log4j in healthcare.

As healthcare companies often rely on off-the-shelf software systems and devices, they aren’t always aware of what’s inside, nor do they have complete control over it, says Drex DeFord, executive healthcare strategist at CrowdStrike. Healthcare companies often buy medical equipment and Software as a Service (SaaS) solutions with little clarity on what’s inside, meaning “Log4j is unintentionally hidden in things they use every day,” he says.

Meanwhile, patching isn’t as easy as it may seem, DeFord says. Healthcare organizations typically need to take many steps to patch Log4j vulnerabilities. This often includes collaboration with dozens of vendors; in many situations, healthcare organizations cannot perform patches themselves because it can void manufacturers’ warranties.

“They are often caught between a rock and a hard place. Even if they know a vulnerability, they may not be allowed to patch it or force the manufacturer to do so because it is not written into a contract,” he says. 

How Healthcare Organizations Can Act Against Log4j Vulnerabilities

While Log4j vulnerabilities are difficult to find and address, there are several steps healthcare organizations can take.

The first step is to consult with known SaaS providers to discover how a healthcare organization’s software uses Log4j to ensure patches are updated. Organizations can then put medical equipment devices on a virtual LAN and use firewalls to ensure they are “only talking to things they should be talking to,” says DeFord. They will then need to check for Log4j patches and updates when they acquire new products.

There’s also the option to disable Log4j libraries and disconnect them from other operations, assuming that doesn’t impact the software or device, says DeFord. However, the most viable means of protection may be to patch what can be patched, then rely on threat monitoring and updates. CrowdStrike offers a learning center for Log4j vulnerabilities and actively monitors for Log4j threats based on behavioral patterns. However, as with other cybersecurity threats, it’s ultimately about awareness, says DeFord.

“The last situation you want to be in as a healthcare organization is first hearing about it on the news,” he says. “You need to be plugged in to what’s happening.”

UP NEXT: Learn how to protect your organization by addressing Log4j vulnerabilities.

style-photography/Getty Images

aaa 1

Register