Medical Device cyber security vulnerability: Apache-Log4j
On 22 December 2021, the Health Sciences Authority (HSA) of Singapore published a medical device advisory alerting all industry stakeholders about a recent suite of cybersecurity vulnerabilities known as the Apache Log4j Vulnerabilities, that could potentially affect medical devices utilizing the Apache Java Logging Library Log4j. These cybersecurity vulnerabilities allow remote code execution by attackers and may lead to a Denial of Service (DoS) attack.
Please refer to the Singapore Government Agency Website https://www.csa.gov.sg/en/singcert/Advisories/ad-2021-010 by SingCERT (Singapore Computer Emergency Response Team) for immediate actions to protect against exploitation of the Apache Java Logging Library Log4j Vulnerability. Full details of the Apache Log4j Security Vulnerabilities can be found at https://logging.apache.org/log4j/2.x/security.html
All industry stakeholders are expected to report to the HSA if their medical devices are affected and perform the necessary risk assessment and impact analysis concerning the medical device’s intended use. Risk mitigation plans are to be developed including workarounds until patches are ready and communication must be sent to health institutions and end-users stating action to be taken to reduce harm and risk to patients and users.
The HSA will continue to monitor and update on important safety information that might arise. For queries relating to these vulnerabilities, please write to HSA_MD_INFO@hsa.gov.sg
Please contact the Andaman Medical Regulatory Affairs Specialist dealing with your medical device to see if specific actions are to be undertaken.
Registering medical devices in Singapore:
To learn more about registering medical devices in Singapore click here.
To learn more about the medical device market in Singapore click here.
To register your medical device in Singapore, please click the button below.