The exterior of the U.S. Department of Health and Human Services is seen Aug. 15, 2006, in Washington. (Photo by Alex Wong/Getty Images)

The public health and healthcare sectors are being urged to prioritize remediation of critical Apache Log4j vulnerabilities, an add-in in nearly all Java applications, according to an alert posted on the new Department of Health and Human Services 405(d) threat mitigation resource.

And yet, security experts note that the legacy systems, which most health organizations rely on for patient care, may remain vulnerable.

Log4j is an open-source tool widely used in developer, IT, and vendor solutions to enable application logging features. But the open-source nature is both easily accessible and free to use; downloaded by various organizations to support error logging.

Two “potentially catastrophic vulnerabilities” are found in a wide range of products based on Java software, inclusive of Linux and Windows operating systems, which are susceptible to hackers.

A successful exploit would enable any code to be executed, leading to complete server compromise, while enabling the download of malicious binaries or the propagation of additional cyberattacks like malware, ransomware, and the download of additional attack tools. The flaw can also be used by an attacker as a foothold onto the broader network.

“The popularity and accessibility of the Log4j software makes it a potential risk to all healthcare organizations regardless of size,” according to the alert. “This vulnerability is becoming more widespread every day.”

The full impact on the sector has yet to be determined, as researchers are continuing to assess the various ways an attacker could exploit the vulnerability. At the moment, it’s been estimated the flaw could possibly impact hundreds of millions of devices, networks, and software programs.

For the healthcare sector, the flaw could have a devastating impact as organizations are wholly dependent on readily accessible devices and software, which are also supplied by vendors and thus, “connected to an external network to operate.” 

Reliance upon these complex and interconnected devices affect patient safety and privacy, as all vulnerabilities are potential attack targets. These flaws can be found in medical equipment, like patient monitors or infusion pumps.

“If an attacker gained access to the network through a vulnerability such as Log4j, they would be able to gain control of the software and could potentially disconnect devices from the network, therefore, causing a disruption to daily procedures and putting patient safety at risk,” according to the alert.

Even if the healthcare organization itself is not leveraging Log4j software, they’re connected to vendors using the technology. For HHS, the concern is that cloud services vendors rely on Log4j software, including cloud applications used by some provider organizations for their electronic health records or outsourced security services.

Healthcare organizations should take immediate action to secure these vulnerable platforms, by applying the patch where possible or segmenting the impacted platforms from the network in order to protect patient safety and secure the enterprise network.

Systems administrators should review the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s Log4j vulnerability guidance, as researchers are still evaluating the potential implications of the vulnerability. CISA also urged organizations to review the frequently updated list of vendors and products impacted by the vulnerabilities. Sister publication MSSP Alert also has a list of Log4j vulnerability scanners to help identify and address the vulnerability.

Although a patch was released, it may not secure the Log4j risk due to the heavy use of legacy platforms in the healthcare environment. As such, it’s imperative these organizations put preventative measures in place to ensure the vulnerable devices aren’t accessible to the internet or unwanted access.

All healthcare organizations should work with their third-party service provider, vendor, or outsource security services provider to determine their risk of exposure, in addition to reviewing CISA guidance to strengthen defenses.

CISA recommendations include blocking inbound traffic to vulnerable products until mitigation or patches can be applied to create a shield between trusted and untrusted network traffic, as well as conducting vulnerability scans and reviewing inventories. The HHS and CISA insights contain invaluable insights to support remediation, which should be a top security priority.