Healthcare Takes a Breath After Crowdstrike Scare

Friday’s global software outage caused some headaches for hospitals and health systems across the world, a grim reminder that technical mishaps aren’t always the result of bad actors.

As of Monday morning, most of the affected systems are back up and running, and hospitals across the country are getting back to business as usual, with a few hiccups along the way. Experts say the global effect of the outage, which was still being felt in other industries, especially the airlines, could top $1 billion.

“All too often these days, a single glitch results in a system-wide outage,” Lina Khan, chair of the Federal Trade Commission, said in a tweet on Friday. “The incidents reveal how concentration can create fragile systems.”

The outage originated with the cybersecurity firm CrowdStrike, which reported problems tied to a routine software update to its Falcon Sensor product, which is designed to protect cloud-based data during cyberattacks. The outrage reportedly impacted about 8.5 million Microsoft devices, according to a company blog posted Saturday, more than a million of which are used in healthcare.

“We are working closely with impacted customers and partners to ensure that all systems are restored, so you can deliver the services your customers rely on,” CrowdStrike founder and CEO George Kurtz said in a company blog on Friday, adding that the incident was not a cyberattack but a “defect found in a single content update.”

But he also warned that bad actors could take advantage of the disruption.

“We know that adversaries and bad actors will try to exploit events like this,” Kurtz said. “I encourage everyone to remain vigilant and ensure that you’re engaging with official CrowdStrike representatives. Our blog and technical support will continue to be the official channels for the latest updates.”

David Chou, a healthcare security analyst and chief digital officer for Legacy Community Health, said the incident should give CIOs and CTOs cause to review their cybersecurity setup.

“CIOs typically only auto-update some technology packages but trust CrowdStrike,” he wrote in a Forbes opinion piece posted Sunday. “This scenario is alarming because CrowdStrike’s last update involved a kernel-level change. The concern is that CrowdStrike and its agents have kernel access to nearly every major system and endpoint running Windows worldwide, particularly in healthcare, government, financial institutions, and critical infrastructure.”

The outage affected health systems and hospitals using Microsoft products, as well as airlines, transportation services, banks, schools, and other businesses. A few states also reported that their 911 call centers had been affected.

Several health systems, including Mass General Brigham, Emory Healthcare, Norton Healthcare, RWJBarnabas Health, Penn Medicine, Memorial Sloan Kettering Cancer Center, Baptist Health, CommonSpirit Health, Cleveland Clinic, and Providence, to name a few, postponed some services on Friday.

“Impacted hospitals are working hard to implement manual restoration of systems and the CrowdStrike patch,” he added.  “Affected hospitals have also implemented downtime procedures to ensure that disruptions to patient care are minimized or avoided to the extent possible.”

By Monday, not much remained of the uproar within the healthcare sector. Massachusetts General Hospital, which was among the first to postpone some services on Friday, posted a notice on social media on Saturday that “all scheduled appointments and procedures will happen as planned on Monday.”

“Our response teams are continuing to work diligently throughout the weekend to address the many additional downstream impacts across our system from the CrowdStrike failure,” the notice continued. “We are grateful for the patience and understanding of our patients and we extend our heartfelt gratitude to all our staff who have worked tirelessly to respond to this extremely challenging incident.”

By contrast, more than 700 U.S. flights were still being cancelled on Monday, many of them run by Delta Airlines, as the industry struggled to bounce back.

The outage affected healthcare organizations across the country in different ways. Some postponed all or most procedures, while others reported minor disruptions. There were news reports of clinicians going back to pan and paper because they couldn’t gain access to the EHRs.

Epic reportedly issued a statement saying the outage did not directly affect its software or services, but some services tied to its Nebula platform, which uses Microsoft Azure, were impacted. It also said the outage did cause some healthcare organizations to lose access to their Epic platforms.

In the UK, where the healthcare industry was still trying to bounce back on Monday, one Shropshire doctor called on the public to be “kind” to beleaguered doctors and nurses.

“This is beyond all of our control,” Jess Harvey, who runs the Much Wenlock & Cressage Medical Practice, told the BBC. “Everyone is doing their best to try and make everything work the best they can.”

“We’re working really hard as a team to try and get through it,” she added, saying she and her staff were “getting to grips with our handwriting.”