HHS 405(d) Urges Healthcare Sector to Prioritize Log4j Vulnerability

December 22, 2021 - The HHS 405(d) Task Group issued a brief outlining the risks associated with the recently discovered Apache Log4j vulnerability that could have catastrophic security implications for healthcare and other sectors.

Apache Log4j is an extremely common Java framework used in a variety of applications, including Linux and Windows operating systems. Log4j is an open-source tool and is universally used by developers and vendors to enable logging features.

According to a previous brief from the Health Sector Cybersecurity Coordination Center (HC3), researchers first discovered the remote code execution (RCE) vulnerability in November.

However, proof-of-concept exploit code has been circulating on social media recently, making the vulnerability more widely known to threat actors.

“The exploitation allows the execution of any code which could result in compromise of the server, download of malicious binaries, or propagation of further attacks such as ransomware or a zero-day attack,” the 405(d) brief explained.

“Healthcare and Public Health (HPH) organizations are being urged to review the recently released Apache security patch with their security team and take immediate action to secure their organization and protect their patients.”

Although the Cybersecurity & Infrastructure Security Agency (CISA) already released a patch, there are still many unknown implications of this vulnerability, the brief warned. In addition, the patch may not be a cure-all, especially for organizations with legacy systems.

“The popularity and accessibility of the Log4j software makes it a potential risk to all healthcare organizations regardless of size. This vulnerability is becoming more widespread every day,” the brief emphasized.

“At this time, the true impact of this vulnerability is unknown because the various ways of exploitation are still being identified. It is estimated that this vulnerability could potentially affect hundreds of millions of devices, networks, and/or software platforms.”

Many cloud applications that healthcare organizations use for EHR services and other outsourced security services use the Log4j software and may be vulnerable. CISA will continue to maintain a list of vendors and products that are affected by the vulnerability via GitHub.  

The 405(d) Task Force recommended that healthcare organizations work closely with third-party service providers, vendors, and outsourced security services to contain the vulnerability.

In addition, organizations should block inbound internet-based access to vulnerable products until patching is possible. Securing all network entry points and enforcing network traffic restrictions are crucial steps to cybersecurity as vendors rush to patch systems.

Organizations should also update firewall security rules and conduct vulnerability scans against the environment to discover vulnerable assets.

Most importantly, organizations must apply the Apache patch if possible. The brief reminded organizations to test any patches in a test environment before applying them to the production network. If organizations find that they cannot apply the patch on certain legacy systems, they should decommission the solutions or research other tools that provide the same log feature.

Healthcare organizations should also prioritize ramping up incident response functions and reviewing the organization’s software inventory to determine asset vulnerabilities.

“Healthcare organizations are dependent on readily available devices and software that are vendor supplied and connected to an external network to operate. These complex and interconnected devices affect patient safety and privacy,” the brief reiterated.

“They represent potential attack vectors across an organization like medical equipment such as bedside monitors that monitor vital signs during an inpatient stay. Or, they may be more complicated, like infusion pumps that deliver specialized therapies and require continual drug library updates. If an attacker gained access to the network through a vulnerability such as Log4j, they would be able to gain control of the software and could potentially disconnect devices from the network, therefore, causing a disruption to daily procedures and putting patient safety at risk.”