Massive CrowdStrike crash poses big issues for hospital and clinic operations

A global technology crash July 19 had a substantial impact on some hospitals, among other industries worldwide.

The crash happened after the CrowdStrike cybersecurity company implemented a flawed update that took down Microsoft Windows operating systems starting early Friday morning.

Whereas the Change Healthcare cyberattack earlier this year was the product of a malicious actor, the latest disruption showed that a basic technical glitch likewise can cause havoc in the digital era. That’s especially the case when an issue affects Windows, which is widely deployed in healthcare and other sectors.

John Riggi, national advisor for cybersecurity and risk with the American Hospital Association, said the impact of the incident appeared to vary widely across the industry.

“Some have experienced little to no impact while others are dealing directly with some disruptions to medical technology, communications and third-party service providers,” Riggi said in a statement. “These disruptions are resulting in some clinical procedure delays, diversions or cancellations.”

Hospitals in a bind

Perhaps most alarmingly for patient care, some 911 call centers nationwide reported being down for a period of time after the outage, especially in the predawn hours Friday. The call centers implemented downtime procedures or shifted personnel to nearby locations.

Many U.S. hospitals reported having to cancel nonemergency services such as elective surgeries and outpatient care for part or all of the day, and possibly beyond. One such organization was Mass General Brigham in Boston, where urgent and emergency services remained available as staff scrambled to implement manual workarounds.  

“Due to the severity of this issue, all previously scheduled nonurgent surgeries, procedures and medical visits are canceled today,” the organization posted on Facebook.

Banner Health in Phoenix had to close all nonhospital locations, reported The Arizona Republic. Other hospitals in the region likewise were facing issues.

In New Jersey, hospitals in the RWJBarnabas Health organization were dealing with issues affecting electronic health records (EHRs) and the phone system, according to a report. However, other facilities in the state had seen little impact, if any.

University of Miami Health System said it was “operating in downtime protocol, using paper orders to disseminate information.” All facilities were open, but patients were told to anticipate delays. Penn Medicine in Philadelphia stated that some clinic appointments scheduled for Friday possibly would need to be canceled. A status update from UVA Health indicated outpatient operations and other nonurgent services were affected.

In the Detroit region, Henry Ford Health System and Michigan Medicine dealt with issues stemming from the outage. An HFHS spokesperson said patient care was proceeding, according to a report. In Atlanta, Emory Healthcare delayed nonurgent procedures at hospitals and ambulatory surgery centers, per a report.

Assessing the damage

“Impacted hospitals are working hard to implement manual restoration of systems and the CrowdStrike patch,” Riggi said. “Affected hospitals have also implemented downtime procedures to ensure that disruptions to patient care are minimized or avoided to the extent possible.”

Epic Systems said its EHR services were not directly affected but that some hospitals were struggling to engage with core services because of the outage. For example, if a health system’s data-center software was out of order, the facility would have no way to access the EHR.

Staff were working with customer IT teams to help facilities regain EHR access, an Epic spokesperson told CNBC.

Even at hospitals that do not have CrowdStrike on their premises, IT teams were assessing whether the hospital’s business partners may have been affected. As seen after the Change Healthcare attack, issues affecting vendors and third parties can have a profound ripple effect.

The CrowdStrike incident was not expected to have anywhere near as prolonged an impact as the Change Healthcare situation, however.

“While fairly widespread across multiple industries, resultant delays are not likely to last for any significant period of time with U.S. NFP [not-for-profit] hospital providers able to resume normal operations relatively quickly,” Kevin Holloran, senior director with Fitch Ratings, said in a written statement (Holloran is on HFMA’s Board of Directors).

Still, as indicated by descriptions on the incident pages for CrowdStrike and Microsoft, implementing fixes could be an arduous process for IT teams at impacted organizations. Required steps potentially included rebooting Windows in safe mode and locating and removing the bad file. It didn’t seem like a systemic fix was available, meaning devices would need to be attended to individually.

Other points of concern

Customers of CrowdStrike and Microsoft were urged to be cautious in the aftermath of the incident. The outage quickly spawned phishing schemes in which cybercriminals posed as representatives of those companies to lure organizations into providing confidential information such as admin passwords, according to various reports.

As part of the federal government’s response, CMS provided an extension of one business day for activity in the No Surprises Act’s independent dispute resolution (IDR) portal that had a due date of July 19. Examples of such processes include IDR dispute initiation or resubmission, certified IDR entity selection and fee payments.