The FDA is raising awareness of a cybersecurity vulnerability in Apache’s Log4j software library, versions 2.0-beta9 to 2.14.1.
Log4j is broadly used in a variety of consumer and enterprise services, websites, and applications—as well as medical devices and supporting systems—to log security and performance information. There is active, widespread exploitation of the vulnerability across various industries. These vulnerabilities may introduce risks for certain medical devices where the device could be made unavailable, or an unauthorized user could remotely impact the safety and effectiveness of device functionality. At this time, the FDA is not aware of any confirmed adverse events affecting medical devices related to these vulnerabilities.
The Cybersecurity and Infrastructure Security Agency (CISA) has established a website with additional information. The FDA encourages medical device manufacturers to review it and follow the identified recommendations to address the vulnerability.
Manufacturers should assess whether they are affected by the vulnerability, evaluate the risk, and develop remediation actions. As Apache Log4j is broadly used across software, applications, and services, medical device manufacturers should also evaluate whether third-party software components or services used in or with their medical device may use the affected software and follow the above process to assess the device impact. Manufacturers who may be affected by this most recent issue should communicate with their customers and coordinate with CISA. As this is an ongoing and still evolving issue, we also recommend continued vigilance and response to ensure medical devices are appropriately secured.
Report any adverse events or suspected events through MedWatch, the FDA Safety Information and Adverse Event Reporting program. Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. For more information, please see the guidance for manufacturers on medical device reporting.
Source: https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity