In April, CISA advised organizations to continue identifying and remediating vulnerable Log4j instances within their environments and plan for long-term vulnerability management. In June, CISA released a joint advisory to warn network defenders that threat actors have continued to exploit Log4Shell in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds.
Cybercriminals continually seek new workarounds as patches are released, meaning the Log4j vulnerabilities are evolving, says Doug McKee, principal engineer and director of vulnerability research at Trellix. On the Common Vulnerability Scoring System (CVSS), it’s classified as a 10, the highest and most critically severe ranking.
“It’s typical for any vulnerability in an industry that is of high value. You are going to see it over and over again,” says McKee.
Healthcare organizations must take a proactive approach to addressing Log4j vulnerabilities to protect patient data and critical infrastructure.
The Risk of Log4j Vulnerabilities to Healthcare Organizations
Log4j vulnerabilities present a significant risk to the healthcare industry. In January 2022, the Office of Information Security at the Department of Health and Human Services released a threat brief about the Log4j vulnerabilities in the healthcare sector. It noted that while no healthcare company has yet reported a major compromise, the industry remains “highly vulnerable.”
One reason for the heightened risk is that healthcare institutions typically have a large variety of devices and back-end systems, some of which can be more than a decade old. This complexity and volume of endpoints can make it challenging to find and identify vulnerabilities, says McKee.
“It could be a pump, a patient monitor or a back-end system like Epic,” he explains. “The challenge is understanding where they are vulnerable, where they are using it and how it affects their network.”
As healthcare companies often rely on off-the-shelf software systems and devices, they aren’t always aware of what’s inside, nor do they have complete control over it, says Drex DeFord, executive healthcare strategist at CrowdStrike. Healthcare companies often buy medical equipment and Software as a Service (SaaS) solutions with little clarity on what’s inside, meaning “Log4j is unintentionally hidden in things they use every day,” he says.
Meanwhile, patching isn’t as easy as it may seem, DeFord says. Healthcare organizations typically need to take many steps to patch Log4j vulnerabilities. This often includes collaboration with dozens of vendors; in many situations, healthcare organizations cannot perform patches themselves because it can void manufacturers’ warranties.
“They are often caught between a rock and a hard place. Even if they know a vulnerability, they may not be allowed to patch it or force the manufacturer to do so because it is not written into a contract,” he says.
How Healthcare Organizations Can Act Against Log4j Vulnerabilities
While Log4j vulnerabilities are difficult to find and address, there are several steps healthcare organizations can take.
The first step is to consult with known SaaS providers to discover how a healthcare organization’s software uses Log4j to ensure patches are updated. Organizations can then put medical equipment devices on a virtual LAN and use firewalls to ensure they are “only talking to things they should be talking to,” says DeFord. They will then need to check for Log4j patches and updates when they acquire new products.
There’s also the option to disable Log4j libraries and disconnect them from other operations, assuming that doesn’t impact the software or device, says DeFord. However, the most viable means of protection may be to patch what can be patched, then rely on threat monitoring and updates. CrowdStrike offers a learning center for Log4j vulnerabilities and actively monitors for Log4j threats based on behavioral patterns. However, as with other cybersecurity threats, it’s ultimately about awareness, says DeFord.
“The last situation you want to be in as a healthcare organization is first hearing about it on the news,” he says. “You need to be plugged in to what’s happening.”