A software vulnerability is threatening the internet. Experts explain why a fix for healthcare is not easy

The HHS Cybersecurity Program warned last week of a software vulnerability actively being attacked. Yet, while it takes a few minutes to exploit, correcting the problem could take weeks or longer, experts say.

The cyberattack, which relies on software Log4j, is an especially acute threat because of how widespread it is—affecting not only the healthcare sector but potentially the whole internet. “It’s the who’s who of everybody in technology,” Mac McMillan, CEO of CynergisTek, a cybersecurity firm, told Fierce Healthcare. 

That’s because Log4j, the library in question, is open source. Open source is something CynergisTek Chief Innovation Officer Ben Denkers terms “a blessing and a curse.” While open-source code or software can save developers time when building applications, it also means it is very commonly used and easily accessed, and therefore more widespread than proprietary software. Any organization with web-based applications is likely to encounter the Log4j vulnerability, McMillan said. An attacker can leverage Log4j in a given app to remotely write malicious code that can unlock access to underlying systems.

RELATED: Ransomware attacks impact patient care, including increased mortality rates, report finds

A big problem for healthcare organizations is that they don’t necessarily have visibility into what applications or systems use Log4j, which makes identifying where the vulnerabilities are in their environment a massive undertaking, Denkers explained. 

“Generally speaking, you’re not going to have a database of every time you installed this Log4j,” he said. 

Though developers or cloud software companies like Okta identified the vulnerability in their products that use Log4j and developed a patch—or an update—to fix it and also notified their customers, healthcare organizations may not know where to apply that update. They should also be wary of false negatives when using a vulnerability scanner, Denkers noted, and have a method in place for validating security another way.

These types of large-scale vulnerabilities happen every year or two, according to Denkers. As app development becomes more complex, it becomes harder to validate all the relevant security controls and spot mistakes. Going forward, he expects these threats to continue. 

RELATED: HHS warns of increasing zero-day attacks in healthcare

When buying an application, healthcare organizations should demand that the products be security tested, Denkers advised. Knowing what their threat landscape looks like and what apps are vulnerable are key to correcting these types of errors. In most cases, developers don’t provide clients with a list of every library used in a particular app, McMillan said, and an organization might have thousands or hundreds of thousands of apps. But all it takes is one vulnerability—like Log4j—to compromise them all.