Feds Issue Warning on Cybersecurity Vulnerability
By Jonathan Springston, Editor, Relias Media
Experts within the Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) have brought attention to a vulnerability in software that is likely used widely across the healthcare industry. If not corrected, bad actors could leverage the flaw to initiate a cyberattack, steal data, and hold it for ransom.
The software, Log4j, is found in many common cloud applications and enterprise software. Analysts have identified a vulnerability in it that allows remote access, which means anyone with bad intentions could cause serious problems on affected systems.
“The exact extent to which Log4j is deployed throughout the health sector is unknown,” HC3 wrote in an alert. “It’s highly likely that the health sector is impacted by this vulnerability, and possibly to a large-scale extent. … HC3 recommends treating this vulnerability as a high priority.”
John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association, called this “one of the most serious cybersecurity vulnerabilities in years.”
“It impacts hundreds of millions of devices and is already being actively exploited by our cyber adversaries. Organizations should immediately upgrade to log4j 2.15.0, starting with internet-facing devices. This, however, will not remedy the threat from a cyber actor who may have previously exploited this vulnerability and is present inside your networks,” Riggi explained. “We are working closely with government to understand the impact of this threat to hospitals, health systems, and the many mission-critical third parties that service our field.”