Security Threats are an Ongoing Part of Business Life
Unfortunately, in the past few days the 'record of severity' has been broken when it comes to the level of threat to internet facing applications. A flaw in Log4j, a Java library for logging users and error messages in applications, is the most high-profile security vulnerability on the internet and has earned the severity score of 10 out of 10. The affected software is reported by Apache Software Foundation as running across a variety of platforms including Windows, Linux, and even Apple macOS; powering everything from web cams, navigation systems to medical devices. The top U.S. cybersecurity defense official, Jen Easterly, deemed the flaw “one of the most serious I’ve seen in my entire career..” Vendors who use Log4j include Twitter, LinkedIn, Google, Apple, AWS, Minecraft (game), VMware, Tesla and many more. Bleeping Computer has compiled a useful list of the companies impacted and the recommended patch.
What does this mean for providers? More than likely, you cannot dodge this threat. It is time to get to know your endpoints and applications. If you have an IT person, reach out to them immediately about initiating necessary patches.
- Evaluate all applications and resources that use Log4j; not an easy task as it is often hidden under layers of other software
- Get the latest patch or fix. It is changing daily. See announcement as of December 20,2021, we are on the third version of a patch:
- The fix for the CVE-2021-44228 vulnerability was incomplete, and still allowed remote code execution and data exfiltration in certain non-default configurations. The new vulnerability is tracked as CVE-2021-45046 (CVSS 9.0) and was corrected in version 2.16.0. Since then, a high severity Denial of Service bug (CVE-2021-45105 – CVSS 7.5) has been identified, and a third version has been released to correct the flaw. The latest release is version 2.17.0
- Updating is not the only step. A thorough review of your systems (directory) is necessary because a cyber actor may have previously exploited this vulnerability and is present inside your networks.
If you do not have an IT professional on staff or under contract, we encourage you to reach out to an IT professional immediately that specializes in cybersecurity. In the meantime, do not ignore 'glitches' and suspicious behavior on your devices. As providers of health services, you are the custodian of the medical record and responsible for safeguarding Protected Health Information in all situations and environments.
This is one area in which KMC University cannot directly assist you, we can only alert you. Please take this seriously.