Health Care Continues to Recover from CrowdStrike Outage
Following the July 19 CrowdStrike IT outage, Fortune 500 companies in the health care sector are expected to suffer the largest direct financial losses. Seventy-five percent of firms in health care and banking experienced direct financial impacts, according to an analysis by Parametrix Solutions, a cloud monitoring, modeling, and insurance service provider.
The outage was caused by CrowdStrike, a cybersecurity company, releasing a flawed software update that crashed Microsoft Windows operating systems globally. CrowdStrike issued a preliminary report on the outage, which it said occurred because its faulty code-testing procedures failed to prevent a bad software update from being distributed to customers’ Falcon endpoint detection and response agents.
CrowdStrike’s Outage Impacted Health Care
- Several health systems postponed surgeries and appointments and closed outpatient facilities amid the outage while keeping emergency services functional.
- The health systems hit hardest activated backup plans and adjusted workflows while IT systems were manually restored.
- Epic and Meditech EHRs (Electronic Health Records) experienced a disruption of around 15,000 of the health systems’ servers and 25% of their 140,000 computers.
Within a week of the outage, CrowdStrike CEO George Kurtz said that more than 97% of Windows sensors had been restored. Still, the extent of the outage’s repercussions on hospitals and health systems “may not be known for weeks,” according to John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. “We continue to work closely with Microsoft and CrowdStrike leadership to assist in focused efforts for restoration,” he said in a statement.
CrowdStrike’s Outage Highlights Vendor Risks
“Using third-party tools to enhance our security is vital to protecting the health care systems we are responsible for,” said PrivaPlan CIO Ron Bebus. “However, these occurrences where the very tools we employ to help with security end up being the cause of the event are very disconcerting. We must protect against the bad actors and keep a close eye on our good actor tools.”
CommonSpirit CIO Daniel Barchi told the Wall Street Journal, “In some cases, we benefit by having vendor partners who are proactive in updating and upgrading. Sometimes, in this case, it goes differently. And so the question is, what’s the trade-off?”
Lessons from the CrowdStrike Outage
The outage highlighted the world’s dependence on technology and raised questions about protecting patient care. Other incidents, like the COVID-19 pandemic and the Change Healthcare attack, also showcased system fragility. The recent outage further underscores the critical need for health care organizations to prepare for vulnerabilities caused by heavy reliance on a few key technology vendors.
- IT and AI (Artificial Intelligence) systems enhance efficiency and accuracy but are vulnerable to outages.
- Rigorous testing, robust backup systems, and continuous monitoring are essential.
- Implementation of a robust and resilient infrastructure is vital to ensure the seamless functioning of essential services.
- Digital incident backup procedures should be updated to ensure patient care access during outages.
- Vendor risk management is crucial; for example, review your Business Associate Agreements (BAAs) to learn how third-party vendors are prepared to handle incidents that impact your data.
- Minimize dependence on a single vendor by engaging multiple providers for critical services.
- Technologies simulating unlikely scenarios can help prepare and build resilience.
“These scenarios should be added to tabletop disaster planning scenarios so we are prepared for these situations,” said Bebus. “They are real, and while they should be a low-likelihood event, they can be very serious when they occur.”
Minimize Impact of Future Disruptions
Prioritize disaster and recovery planning to improve your capacity to endure and bounce back from unexpected IT challenges.