FDA Warns of Apache Log4j Cybersecurity Vulnerabilities in Medical Devices
The FDA encourages manufacturers to communicate with healthcare customers and follow recommendations provided by CISA.
The U.S. Food and Drug Administration (FDA) warned Friday that widespread cybersecurity vulnerabilities in commonly used software could affect medical devices by allowing unauthorized users to take control.
On Dec. 9, it was publicly disclosed that Log4j, Apache’s Java-based open source logging library, had a severe remote code execution (RCE) vulnerability (CVE-2021-44228) affecting versions 2.0-beta9 through 2.14.1. The library is used in a wide range of consumer and enterprise services, websites and applications, where it logs security and performance information, and it has been estimated to be present on nearly three billion devices. The following day, Apache released Log4j 2.15.0, which requires Java 8 or later, to address the vulnerability, according to the Cybersecurity and Infrastructure Security Agency (CISA).
Although the FDA is not aware of any confirmed adverse events affecting medical devices related to these vulnerabilities, the agency is encouraging medical device manufacturers to communicate with their customers and follow the recommendations provided on CISA’s website for addressing the vulnerability.
“As Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may use the affected software,” the FDA wrote in a notice. “Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions. As this is an ongoing and still evolving issue, we also recommend continued vigilance and response to ensure medical devices are appropriately secured.”
The announcement comes a week after the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) advised healthcare and public health organizations to survey their infrastructure to ensure they are not running the vulnerable versions, according to Gov Info Security. On Dec. 14, HHS’ Office for Civil Rights, which enforces HIPAA, also issued an advisory.
Erik Decker, co-chair of an HHS cybersecurity advisory task force, said it “cannot be downplayed how quickly organizations need to respond.”
“It allows for a bad actor to execute remote code against servers, or downstream servers, that are vulnerable over the internet. Bad actors use vulnerabilities like these as their first step in large-scale compromises,” he continued, adding that the intention could be data theft, ransomware, or intellectual property theft.
Hospitals and device manufacturers are now working to assess the impact of the vulnerability on their inventory of devices, reports Healthcare Dive. Nick Yuran, CEO of medical security company Harbor Labs, said although the vulnerability has been a “source of great stress” for its clients, none of the devices his firm has inspected so far have been affected.
“Hospital IT staffs are performing security scans with a variety of commercial tools indicating that their devices are vulnerable to Log4j, then anxiously seeking guidance from the medical device OEMs on how to mitigate the risk,” he wrote in an email. “In some cases, these scanning tools are reporting false positives due to a variety of factors, including custom server responses and misidentified versions of Log4j. And in those cases where the device is affected, it is easily patched and there are ample defenses in place to prevent an exploit.”
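One way to cut through the false positives described above is to stop trusting network banners and instead open the Java archives on the device and read what is actually inside them. The script below is an added example written for this article, not code from the FDA, CISA or Harbor Labs. It reads the Maven `pom.properties` that Log4j's own build embeds in `log4j-core` jars to get the exact version, checks whether the `JndiLookup` class (the component the Dec. 9 RCE abuses) is still present, and walks one level into nested jars inside WAR/EAR files, where log4j-core is usually bundled. Sample jars are constructed in memory for the demonstration; they contain no real bytecode.

```python
"""Assess Java archives for the Log4j 2 RCE (CVE-2021-44228) by inspecting contents.

Added example, not part of the original article. Assumptions: log4j-core jars built
with Maven carry META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties,
and the JNDI lookup lives at org/apache/logging/log4j/core/lookup/JndiLookup.class.
"""
import io
import os
import re
import sys
import tempfile
import zipfile

POM_PROPS_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
_STAGE = {"alpha": 0, "beta": 1, "rc": 2}  # pre-release tags sort below a final release


def parse_version(text):
    """Turn '2.0-beta9' / '2.14.1' / '2.15.0' into a sortable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch or 0), _STAGE.get(stage, 3), int(stage_num or 0))


# Affected range quoted in the article: 2.0-beta9 through 2.14.1; 2.15.0 is the first fix.
AFFECTED_MIN = parse_version("2.0-beta9")
AFFECTED_MAX = parse_version("2.14.1")


def _verdict(label, version, has_jndi):
    """Combine embedded version and class presence into a status; None if not log4j-core."""
    if version is None and not has_jndi:
        return None
    if version is None:
        status = "unknown_version"  # JndiLookup present but no pom.properties: verify by hand
    else:
        try:
            in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
        except ValueError:
            in_range = None
        if in_range is None:
            status = "unparsable_version"
        elif in_range:
            # Removing JndiLookup.class from the jar was a documented interim mitigation.
            status = "vulnerable" if has_jndi else "class_removed"
        else:
            status = "not_in_affected_range"
    return {"archive": label, "version": version, "has_jndi_lookup": has_jndi, "status": status}


def _assess_zip(zf, label):
    names = set(zf.namelist())
    version = None
    if POM_PROPS_PATH in names:
        for line in zf.read(POM_PROPS_PATH).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    results = []
    verdict = _verdict(label, version, JNDI_LOOKUP_CLASS in names)
    if verdict:
        results.append(verdict)
    for name in sorted(names):  # recurse into bundled jars (e.g. WEB-INF/lib/*.jar)
        if name.lower().endswith((".jar", ".war", ".ear")):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as nested:
                    results.extend(_assess_zip(nested, f"{label}!{name}"))
            except zipfile.BadZipFile:
                continue
    return results


def assess_archive(path):
    """Return one result dict per log4j-core found in the archive (and nested archives)."""
    with zipfile.ZipFile(path) as zf:
        return _assess_zip(zf, path)


def make_sample_jar(version, with_jndi=True, wrap_in_war=False):
    """Build a constructed look-alike of log4j-core for demonstration; no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPS_PATH, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class-file magic
    data, suffix = buf.getvalue(), ".jar"
    if wrap_in_war:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as war:
            war.writestr("WEB-INF/lib/log4j-core.jar", data)
        data, suffix = outer.getvalue(), ".war"
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    targets = sys.argv[1:] or [make_sample_jar("2.14.1"), make_sample_jar("2.13.3", wrap_in_war=True)]
    for target in targets:
        for r in assess_archive(target):
            print(f"{r['status']:<22} version={r['version']} jndi={r['has_jndi_lookup']} {r['archive']}")
```

Run it against a device's deployment directory (`python3 log4j_check.py /opt/app/lib/*.jar /opt/app/*.war`) and treat only `vulnerable` as confirmed; `unknown_version` means the scanner saw the lookup class but could not prove a version, which is exactly the situation where a banner-based tool tends to misreport and a manual check of the vendor's SBOM is warranted.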
David Leichner, CMO of cybersecurity firm Cybellum, told Healthcare Dive the vulnerability demonstrates the importance of software supply chain security and the potentially devastating effects insecure open-source code could have on medical devices.