Dive Brief:
- FDA on Friday warned that widespread cybersecurity vulnerabilities in Apache's Java-based open source logging library could potentially allow unauthorized users to remotely impact the safety and effectiveness of medical device functionality.
- While FDA said it is not aware of any confirmed adverse events affecting medical devices related to these vulnerabilities, the agency encouraged medtech companies to review and follow the recommendations provided on the Cybersecurity and Infrastructure Security Agency's website. "As Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may use the affected software," the FDA said in the notice.
- Log4j, which is used to log security and performance information, impacts upwards of 3 billion devices that use Java across a variety of consumer and enterprise services, websites and applications, as well as medical devices and supporting systems. FDA said manufacturers who may be affected by the vulnerabilities should communicate with their customers and coordinate with CISA.
Dive Insight:
The cybersecurity world has been on edge since the Apache Log4j vulnerability was first publicly disclosed on Dec. 9. It is one of the most serious cyber risks since the 2017 WannaCry global ransomware attack, with the potential to impact everything from applications and embedded systems to enterprise applications and their subcomponents.
FDA warned there is "active, widespread exploitation" of the Log4j vulnerability across several industries but said it is not aware of any confirmed adverse events affecting medical devices.
"Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions," FDA said. "As this is an ongoing and still evolving issue, we also recommend continued vigilance and response to ensure medical devices are appropriately secured."
The challenge now falls to hospitals and device manufacturers, which are scrambling to assess the impact of the Log4j vulnerability on their respective inventories of devices.
Nick Yuran, CEO of security consultancy Harbor Labs, said that while the vulnerability has been a "source of great stress" for its medical device clients, none of the devices his firm has inspected are affected so far.
"Hospital IT staffs are performing security scans with a variety of commercial tools indicating that their devices are vulnerable to Log4j, then anxiously seeking guidance from the medical device OEMs on how to mitigate the risk," Yuran said in an emailed statement. "In some cases, these scanning tools are reporting false positives due to a variety of factors, including custom server responses and misidentified versions of Log4j. And in those cases where the device is affected, it is easily patched and there are ample defenses in place to prevent an exploit."
David Leichner, CMO of cybersecurity firm Cybellum, said he couldn't disclose whether his company's customers have been affected by the vulnerability, though Leichner called the potential concerns for medical devices real. What makes Log4j so dangerous is the popularity of the Java-based open-source logging library and the ease of exploitation, according to Leichner.
"Java is very common in the context of devices because of its cross platform nature and device abstraction capabilities," Leichner said in an emailed statement. "Even inexperienced hackers can successfully launch an attack using this vulnerability and after that they can upload their own code into the application (due to the message lookup substitution function)."
The Log4j vulnerability again demonstrates the importance of software supply chain security and the potentially devastating effects insecure open-source code could have on medical devices, according to Leichner.
Leichner said this latest cybersecurity vulnerability is a "great case" for the widespread adoption of a Software Bill of Materials that identifies third-party components in a device so that end users can better manage the cyber risks.
An SBOM will make it much easier to identify vulnerabilities "at the design and production phase as well as when a new vulnerability is discovered in post-production," Leichner said.
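To show concretely what Leichner means by using an SBOM to identify a vulnerable third-party component post-production, here is an added example (not from the article, FDA, CISA or any vendor quoted) that walks a CycloneDX-style SBOM, including nested components, and matches each entry against an advisory's affected-version range. The SBOM document, its version numbers and the affected range are constructed placeholders for illustration; a real assessment substitutes the authoritative range from the advisory. Matching on the declared coordinates in a manufacturer-supplied SBOM also sidesteps the misidentified-version false positives Yuran describes from network scanners, which have to guess at a version from server responses.

```python
"""Match a CycloneDX-style SBOM against a vulnerable-version range.

Added example; not code from the article or any vendor. The SBOM fragment and
the affected range below are CONSTRUCTED placeholders, not real advisory data.
"""
import json
import re

# Constructed SBOM fragment (CycloneDX-like JSON). All versions are made up.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.13.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.13.0"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.99.0"},
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"},
        # A bundled agent that transitively carries its own copy of the logger.
        {"type": "library", "group": "com.example", "name": "telemetry-agent",
         "version": "4.1.2",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9"},
         ]},
    ],
})

# PLACEHOLDER advisory: (group, artifact) -> inclusive (min, max) affected ranges.
# These bounds are assumed for the example; take real bounds from the advisory.
AFFECTED = {
    ("org.apache.logging.log4j", "log4j-core"): [("2.0-alpha1", "2.50.0")],
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?$")


def version_key(v):
    """Sort key for versions like '2.13.0' or '2.0-beta9'.

    Numeric parts compare as integers (so 2.9 < 2.13); a pre-release suffix
    sorts before the corresponding release (2.0-beta9 < 2.0.0).
    """
    m = _VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad so '2.0' == '2.0.0'
    if m.group(2):
        pre = (0, m.group(2).lower(), int(m.group(3) or 0))
    else:
        pre = (1, "", 0)  # release sorts after any pre-release
    return nums, pre


def in_range(version, lo, hi):
    """True when lo <= version <= hi under version_key ordering."""
    return version_key(lo) <= version_key(version) <= version_key(hi)


def _walk(components, path=()):
    """Yield (component, path) for every component, descending into nested ones."""
    for c in components:
        here = path + (f"{c.get('group', '')}:{c['name']}@{c['version']}",)
        yield c, here
        yield from _walk(c.get("components", []), here)


def find_affected(sbom_json, affected=AFFECTED):
    """Return a list of findings for SBOM components inside an affected range."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp, path in _walk(sbom.get("components", [])):
        ranges = affected.get((comp.get("group"), comp["name"]))
        if not ranges:
            continue  # coordinates not named in the advisory (e.g. log4j-api here)
        if any(in_range(comp["version"], lo, hi) for lo, hi in ranges):
            findings.append({
                "component": f"{comp.get('group', '')}:{comp['name']}",
                "version": comp["version"],
                "path": " > ".join(path),  # shows where a nested copy was inherited from
            })
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON):
        print(f"AFFECTED {f['component']} {f['version']}  via {f['path']}")
```

The walk over nested `components` matters for devices: the vulnerable copy is often bundled inside a vendor agent or runtime rather than declared at the top level, so a flat name lookup would miss it. The same matching loop runs unchanged when a new advisory arrives later, which is the post-production case Leichner describes.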
President Joe Biden's cyber executive order earlier this year called for SBOMs, while FDA wants to require premarket submissions to have an inventory of third-party device components.