December 15, 2021 03:42 PM

What you need to know about the Log4j vulnerability

Jessica Kim Cohen

    Hospital and health system executives should assess the software they're using and monitor their networks as businesses across the U.S. grapple with a recently discovered cybersecurity vulnerability found in enterprise applications and cloud services, experts say.

    "What makes this vulnerability so dangerous is the fact that it is ubiquitous," said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, of the Log4j vulnerability. "It's third-party software that's embedded in other devices or programs, which has widespread use across all sectors—including healthcare."

    The flaw is found in a widely used open-source piece of software known as Log4j, a logging framework that records activities that take place in an application, often to log performance and security information. It's used in Java, a popular programming language that underpins many software programs.

    Hackers could exploit the vulnerability to remotely send a command to a system using the software and subsequently take control of the system. From there, a hacker could potentially exfiltrate patient data or deploy ransomware.

    The vulnerability is already being "widely exploited by a growing set of threat actors," said Jen Easterly, director of the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, in a statement posted online this weekend. "To be clear, this vulnerability poses a severe risk."

    CISA is working with public- and private-sector partners, including the Federal Bureau of Investigation and the National Security Agency.

    The volunteer not-for-profit group that develops the software, the Apache Software Foundation, has released upgraded Log4j versions that address the vulnerability; in some cases, organizations may be able to apply the update on their own.

    But organizations using software with the vulnerability mainly will be reliant on vendors to identify and patch their products, Easterly said. She said organizations should identify all external-facing devices that have Log4j installed and ensure their security team is updating those devices as vendors make fixes available.

    She urged vendors to inform customers about whether products contain the Log4j vulnerability.

    The Log4j logging framework has been used for years, said Bryan Orme, a principal at cybersecurity consulting firm GuidePoint Security.

    "A lot of modern application architectures have been built on top of it," Orme said.

    The vulnerability has affected many cloud companies.

    Amazon's cloud arm released a list of services affected by the vulnerability and whether they've been updated. IBM said it's "actively responding" to the vulnerability, investigating products and services that could be exploited and sharing a running list of products it determines aren't affected by the bug.

    VMware has said the vulnerability affects multiple products for which it's working on patches.

    This scenario is an example of why the AHA has pressed the federal government to require medical devicemakers to disclose a "software bill of materials" for their products, Riggi said.

    The Food and Drug Administration in 2018 released a draft of pre-market guidance for managing cybersecurity in medical devices, which included asking developers of internet-connected medical devices to provide customers with a bill of materials, or rundown of commercial and off-the-shelf technologies in the device. That could help customers assess whether a product is susceptible to vulnerabilities.

    The FDA hasn't released final guidance.

    "One of the biggest challenges we have is just trying to understand what devices and what technologies incorporate this software," Riggi said. "Hospitals and health systems right now are scrambling to identify how they might be exposed to this vulnerability and are making tremendous efforts to patch."

    "Of course, that can be quite the distraction for our hospitals and health systems right now, especially as they're facing a surge of COVID-19 and flu patients," he added.

    Even after applications are patched and updated, it's important to monitor the network for unexpected activity, in case the organization's environment has already been compromised, said Mac McMillan, CEO of cybersecurity consulting firm CynergisTek. The Log4j vulnerability was disclosed late last week, but hackers had reportedly been trying to exploit it since earlier in December, he said.

    "There's a period of time there where somebody could have taken advantage of this vulnerability … and infiltrated [an organization's] system without them knowing it," McMillan said.
