What you need to know about Log4j vulnerabilities
Hospital and health system executives should evaluate the software they are using and monitor their networks, as businesses across the United States struggle to deal with the recently discovered cybersecurity vulnerabilities found in enterprise applications and cloud services, experts said.
John Riggi, senior consultant for cybersecurity and risk at the American Hospital Association, said of the Log4j vulnerability: “The reason why this vulnerability is so dangerous is that it is ubiquitous. It is a third-party software embedded in other devices or programs. Used in all fields, including healthcare.”
The vulnerability exists in the widely used open source software Log4j. Log4j is a logging framework used to record activities that occur in applications, usually for recording performance and security information. It is used in Java applications; Java is a popular programming language that underpins many software programs.
Hackers can use this vulnerability to remotely send commands to a system that uses the software and then take control of that system. From there, hackers may steal patient data or deploy ransomware.
Jen Easterly, director of the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said in a statement posted online this weekend that the vulnerability has been “widely exploited by more and more threat actors.” “It needs to be clear that this vulnerability brings serious risks,” she said.
CISA is working with public and private sector partners, including the FBI and the National Security Agency.
The Apache Software Foundation, the volunteer-run nonprofit organization that develops the software, has released an upgraded Log4j version that resolves the vulnerability, and in some cases organizations may be able to apply the update themselves.
But organizations that use vulnerable software will rely primarily on vendors to identify and patch their products, Easterly said. She said that organizations should identify all external-facing devices that have Log4j installed and ensure that their security teams update these devices when vendors provide fixes.
She urged suppliers to inform customers whether their products contain the Log4j vulnerability.
Bryan Orme, a principal at GuidePoint Security, a network security consulting firm, said that the Log4j logging framework has been in use for many years.
“Many modern application architectures are built on top of it,” Orme said.
The vulnerability has affected many cloud companies.
Amazon’s cloud arm released a list of services affected by the vulnerability and whether they have been updated. IBM stated that it is “actively responding” to the vulnerability, investigating the products and services that may be exploited, and sharing a running list of products that it has determined are not affected by the vulnerability.
VMware has indicated that the vulnerability affects multiple products and that it is working on the patch.
Riggi said this situation is an example of why the AHA is urging the federal government to require medical device manufacturers to disclose a “software bill of materials” for their products.
In 2018, the Food and Drug Administration issued draft premarket guidance, open for comment, on managing the cybersecurity of medical devices. It includes a requirement that developers of networked medical devices provide customers with a bill of materials, or an outline of the commercial and off-the-shelf technology in the device. This can help customers assess whether a product is affected by a vulnerability.
The FDA has not yet issued final guidance.
“One of the biggest challenges we face is trying to understand which devices and which technologies incorporate the software,” Riggi said. “Hospitals and health systems are now scrambling to determine how they might be exposed to this loophole, and are making great efforts to fix it.”
He added: “Of course, this may now distract our hospitals and health systems, especially when they are facing a surge in COVID-19 and flu patients.”
Mac McMillan, CEO of cybersecurity consulting firm CynergisTek, said that even after patching and updating applications, it is important to monitor for unexpected activity on the network in case the organization’s environment has been compromised. He said that the Log4j vulnerability was disclosed late last week, but according to reports, hackers have been trying to exploit it since early December.
“For a while, someone could exploit this loophole… and infiltrate [an organization’s] system without their knowledge,” McMillan said.