GCC Blog

FDA Warns of Apache Log4j Cybersecurity Vulnerabilities in Medical Devices

February 1st, 2022 by Guest Communications

Written by: Amy Rock, Senior Editor, Campus Safety

The U.S. Food and Drug Administration (FDA) warned Friday that widespread cybersecurity vulnerabilities in commonly used software could affect medical devices by allowing unauthorized users to take control.

On Dec. 9, it was publicly disclosed that Log4j, Apache’s Java-based open source logging library, had a severe remote code execution (RCE) vulnerability affecting versions 2.0-beta9 to 2.14.1. The software is used in a variety of consumer and enterprise services, websites and applications. It logs security and performance information and is used on nearly three billion devices. The following day, Apache released Log4j 2.15.0 for Java 8 users to address the vulnerability, according to the Cybersecurity and Infrastructure Security Agency (CISA).

Although the FDA is not aware of any confirmed adverse events affecting medical devices related to these vulnerabilities, the agency is encouraging medical device manufacturers to communicate with their customers and follow the recommendations provided on CISA’s website for addressing the vulnerability.

“As Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may use the affected software,” the FDA wrote in a notice. “Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions. As this is an ongoing and still evolving issue, we also recommend continued vigilance and response to ensure medical devices are appropriately secured.”

The announcement comes a week after the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) advised healthcare and public health organizations to survey their infrastructure to ensure they are not running the vulnerable versions, according to Gov Info Security. On Dec. 14, HHS’ Office for Civil Rights, which enforces HIPAA, also issued an advisory.

Erik Decker, co-chair of an HHS cybersecurity advisory task force, said it “cannot be downplayed how quickly organizations need to respond.”

“It allows for a bad actor to execute remote code against servers, or downstream servers, that are vulnerable over the internet. Bad actors use vulnerabilities like these as their first step in large-scale compromises,” he continued, adding that the intention could be data theft, ransomware, or intellectual property theft.

Hospitals and device manufacturers are now working to assess the impact of the vulnerability on their inventory of devices, reports Healthcare Dive. Nick Yuran, CEO of medical security company Harbor Labs, said although the vulnerability has been a “source of great stress” for its clients, none of the devices his firm has inspected so far have been affected.

“Hospital IT staffs are performing security scans with a variety of commercial tools indicating that their devices are vulnerable to Log4j, then anxiously seeking guidance from the medical device OEMs on how to mitigate the risk,” he wrote in an email. “In some cases, these scanning tools are reporting false positives due to a variety of factors, including custom server responses and misidentified versions of Log4j. And in those cases where the device is affected, it is easily patched and there are ample defenses in place to prevent an exploit.”

David Leichner, CMO of cybersecurity firm Cybellum, told Healthcare Dive the vulnerability demonstrates the importance of software supply chain security and the potentially devastating effects insecure open-source code could have on medical devices.

This article appeared on Campus Safety and is shared with consent: https://www.campussafetymagazine.com/hospital/fda-apache-log4j-cybersecurity-medical-devices/

 

