Urgent: Critical cyber vulnerability alert
The Department of Health and Social Care (DHSC) is issuing an urgent note setting out the current situation and advice on a critical cyber vulnerability, CVE-2021-44228, also known as Log4Shell or LogJam.

NHSX asks that all adult social care providers, and all those running or providing digital services in the sector, consider the information below and act accordingly.

What is happening?

A critical cyber vulnerability has been found within Apache Foundation Log4j2 (‘Log4j2’) that could enable attackers to access IT systems from where they could deploy cyber attacks such as ransomware. This is a global vulnerability which will be important for many organisations around the world to address.

The vulnerability is almost certain to be present in most, if not all, organisations in some way. Although NHSX are, as yet, unaware of any incidents in health or care, cyber criminals are scanning for this vulnerability. This means the cyber criminals are conducting reconnaissance: they are taking a look to see which organisations have the vulnerability and where those vulnerabilities are.

What is Log4j2 and how does the vulnerability work?

Log4j2 is used by software developers as they create applications. It processes logs of activity and is embedded into many systems, including those in use in adult social care. It is highly likely that most, if not all, IT and digital systems used by adult social care providers will be affected.

Why does it matter?

The ultimate concern is that attackers may seek to use the vulnerability in Log4j2 to encrypt or damage your digital systems, such as your digital care plans. Furthermore, after gaining access, confidential, sensitive or financial data can be stolen and potentially sold online. Cyber attackers could also hold you to ransom in what is known as a ‘ransomware attack’.

What should you do about it?

Notify your IT team or the person responsible for IT, and ensure actions are taken.

NHSX suggests the following:

  1. Check your digital suppliers’ website and follow their advice about mitigating cyber vulnerabilities. In this case, the most important action is to install the latest version as soon as practicable.
  2. If your software suppliers do not have guidance, you may wish to contact them and ensure they are acting accordingly, and scanning for Log4j2 vulnerabilities in particular.
  3. Your Local Support Organisation, through DSC’s Better Security, Better Care Programme, will be on-call to help or escalate issues you have. This may be especially helpful if you do not have IT support.
  4. For technical advice and further details, you may find the following updates and guidance useful: National Cyber Security Centre (NCSC), NHS Digital, Microsoft.
  5. If there are any indications of a compromise, please report this as soon as possible to the NCSC via https://report.ncsc.gov.uk/.
  6. Follow Digital Social Care on Twitter for sector-specific and relevant updates.
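Steps 1 and 2 above come down to knowing which copies of Log4j2 are on your systems and whether each one is at a patched version. The script below is an added illustration of that inventory check and is not DHSC, NHSX or Apache tooling. It walks a directory tree, finds `log4j-core` jars, reads the version from each jar's manifest (falling back to the filename), and also checks whether the `JndiLookup` class is still present, since removing that class was Apache's interim mitigation for older 2.x builds. The minimum acceptable version (`MIN_SAFE_VERSION`) is an assumption and should be set from your supplier's guidance; the sample jars the script builds for its demonstration are constructed and contain no real bytecode.

```python
"""Inventory log4j-core jars under a directory and flag those needing attention.

Added example for this advisory; not DHSC/NHSX tooling. Assumptions are marked.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: minimum acceptable log4j-core version. The advisory says only
# "install the latest version"; set this from your supplier's guidance.
MIN_SAFE_VERSION: Tuple[int, int, int] = (2, 17, 1)

# Class that provides the JNDI lookup path; Apache's interim mitigation for
# older 2.x releases was to delete it from the jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

FILENAME_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '2.14.1' into (2, 14, 1); None if not a dotted numeric version."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def jar_version(jar_path: str) -> Optional[Tuple[int, int, int]]:
    """Read Implementation-Version from the manifest, falling back to the filename."""
    with zipfile.ZipFile(jar_path) as jar:
        try:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            version = parse_version(value)
            if version:
                return version
    m = FILENAME_RE.match(os.path.basename(jar_path))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def has_jndi_lookup(jar_path: str) -> bool:
    """True if the jar still ships the JndiLookup class."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP_CLASS in jar.namelist()


def assess_jar(jar_path: str) -> Dict[str, object]:
    """Classify one jar as patched, mitigated, vulnerable or unknown-version."""
    version = jar_version(jar_path)
    jndi = has_jndi_lookup(jar_path)
    if version is None:
        status = "unknown-version"   # needs manual review
    elif version >= MIN_SAFE_VERSION:
        status = "patched"
    elif not jndi:
        status = "mitigated"         # old build, but JndiLookup removed
    else:
        status = "vulnerable"
    return {"path": jar_path, "version": version, "jndi_lookup": jndi, "status": status}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root and assess every file that looks like a log4j-core jar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("log4j-core") and name.endswith(".jar"):
                findings.append(assess_jar(os.path.join(dirpath, name)))
    return findings


def make_sample_jar(path: str, version: str, include_jndi: bool = True) -> None:
    """Write a constructed, minimal jar (manifest plus optional marker entry) for testing."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"")  # empty placeholder, not real bytecode


def demo(root: Optional[str] = None) -> Dict[str, str]:
    """Build three constructed sample jars and return {filename: status}."""
    root = root or tempfile.mkdtemp(prefix="log4j-inventory-")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1-stripped.jar"), "2.14.1",
                    include_jndi=False)
    make_sample_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1")
    return {os.path.basename(str(f["path"])): str(f["status"]) for f in scan_tree(root)}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:16} {name}")
```

To use it against a real host, call `scan_tree("/")` (or the application directory) rather than `demo()`, and treat every `unknown-version` result as something to confirm with the supplier; the script only inspects jar files on disk, so Log4j2 copies bundled inside other archives or shaded into application jars will need a supplier's own checker or a separate unpacking step.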

NHSX also strongly encourages you to use this alert to review your continuity plans, run a data back-up, and consider purchasing cyber insurance, if you have not done any of those recently.