FDA alerts medical device makers to cybersecurity risk in popular Apache Log4j software tool

A hacking risk discovered last month within the widely used Apache Log4j logging tool has been labeled “the single biggest, most critical vulnerability of the last decade” by the CEO of cybersecurity firm Tenable—and medtech developers aren’t immune.

Log4j is an open-source, Java-based framework used by services, websites and apps—including those linked to medical devices and software—to log information about their security and performance. The vulnerability, dubbed “Log4Shell,” makes it unnervingly easy for hackers to take control of cloud-based servers, allowing them to find and leak sensitive user information, remotely control connected devices, mine for cryptocurrency and more.

According to estimates from Wiz and Ernst & Young, more than 90% of all enterprise cloud environments are vulnerable to the Log4Shell flaw. It was given the highest rating of 10 on the standard cybersecurity risk scale by its developer, the Apache Software Foundation.

In a Dec. 17 safety notice, the FDA warned, “These vulnerabilities may introduce risks for certain medical devices where the device could be made unavailable, or an unauthorized user could remotely impact the safety and effectiveness of device functionality.”

To date, no adverse events have been reported to the FDA regarding the cybersecurity issue’s impact on medical devices. In the meantime, the agency suggested that medical manufacturers “assess whether they are affected by the vulnerability, evaluate the risk and develop remediation actions.”

In addition to securing their own software, the FDA said devicemakers should also evaluate any third-party systems connected to their own platforms, since they could be vulnerable to attacks, too.

Remediation currently means upgrading Log4j to one of two patched versions already released by Apache. The new versions restrict the servers and protocols that can be used for lookups, the pathway through which attackers were able to exploit Log4Shell.

Users unable to install either of the two recommended updates can instead manually disable lookups, following Apache’s published mitigation guidance.
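The FDA’s first ask is that manufacturers assess whether they are affected, including any third-party systems bundled with their platforms. The following inventory script is an added example, not code from the article, the FDA or Apache: it walks a directory tree, opens every jar/war/ear (including archives shaded inside other archives) and reports those still shipping the JNDI lookup class that Apache’s mitigation guidance tells users to remove. It assumes that class sits at the path in `JNDI_LOOKUP_ENTRY`, and builds its own constructed sample archives so it runs offline.

```python
import io
import os
import tempfile
import zipfile

# Path of the JNDI lookup class inside log4j-core jars (the entry Apache's
# "disable lookups" mitigation removes); assumed here, not taken from the article.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def archive_contains_lookup(data: bytes, name: str) -> list[str]:
    """Return one string per place JndiLookup.class was found inside `data`.
    Nested archives (e.g. a log4j jar inside WEB-INF/lib of a .war) are opened
    from memory, so a finding reads 'app.war -> WEB-INF/lib/log4j-core.jar'."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for entry in zf.namelist():
                if entry == JNDI_LOOKUP_ENTRY:
                    hits.append(name)
                elif entry.lower().endswith(ARCHIVE_SUFFIXES):
                    for inner in archive_contains_lookup(zf.read(entry), entry):
                        hits.append(f"{name} -> {inner}")
    except zipfile.BadZipFile:
        pass  # not a real archive; skip it rather than abort the inventory
    return hits

def scan_tree(root: str) -> list[str]:
    """Walk a directory and report every archive still carrying JndiLookup."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(archive_contains_lookup(fh.read(), path))
    return sorted(findings)

def build_sample_tree() -> str:
    """Constructed sample: one mitigated jar plus an unmitigated jar nested in a war."""
    root = tempfile.mkdtemp()
    def make(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for e, payload in entries.items():
                zf.writestr(e, payload)
        return buf.getvalue()
    fixed = make({"org/apache/logging/log4j/core/Logger.class": b""})
    unmitigated = make({JNDI_LOOKUP_ENTRY: b"", "META-INF/MANIFEST.MF": b""})
    with open(os.path.join(root, "log4j-core-fixed.jar"), "wb") as fh:
        fh.write(fixed)
    with open(os.path.join(root, "device-portal.war"), "wb") as fh:
        fh.write(make({"WEB-INF/lib/log4j-core.jar": unmitigated}))
    return root

if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print("JndiLookup present:", finding)
```

Presence of the class is a coarse signal for triage only: a patched build that still ships the class is not necessarily exploitable, while a missing class confirms the lookup mitigation was applied.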

The vulnerability went undetected for the better part of a decade, until it was spotted by the Alibaba Cloud Security Team in late November and immediately flagged for Apache. The issue was publicly disclosed Dec. 9, after Apache had developed and released the updated Log4j software.

Though the patch was available by the time Apache made Log4j users aware of the issue, as of 10 days after the disclosure, Wiz and EY found that only about 45% of vulnerable resources had been secured—leaving the door wide open for hackers.

Millions of attacks are believed to have already been launched via Log4j, including some that forced Microsoft to issue an emergency update to the Java edition of its Minecraft video game and Belgium’s defense ministry to completely shut down some parts of its computer network.