The CrowdStrike internet meltdown that wreaked havoc on some health systems’ procedures and billing on Friday could be a harbinger of future threats and disruptions to medical facilities, experts said.
Why it matters: The U.S. health system is still dealing with fallout from the massive Change Healthcare ransomware attack and other incidents that have underscored the sector’s reliance on a few key technology companies to meet their IT needs.
- In today’s interconnected world, one large-scale outage like Friday’s can cancel elective procedures, take down pharmacy orders, disrupt telehealth and 911 communications, and idle medical devices and electronic health records.
Driving the news: The immediate concern is that bad actors will exploit the chaos. The federal Cybersecurity and Infrastructure Security Agency said it had already observed threat actors taking advantage of the situation for phishing and other malicious activity.
- The American Hospital Association said the effects of the outage varied widely, with the most-stricken health systems activating backup plans and adjusting workflows while IT systems were manually restored.
- Boston’s Mass General Brigham canceled all non-urgent visits and procedures. Memorial Sloan Kettering Cancer Center halted procedures requiring anesthesia. Other hospitals delayed some services or routed patients to other facilities.
- Electronic health records giant Epic told Becker’s that the outage idled some laptop and desktop workstations used to access Epic systems, and that problems with data center software kept some facilities from using multiple systems including Epic.
Looking ahead, some health systems may have to consider how vulnerable they are when relying on a single large vendor — and whether solutions can be found in-house.
- CrowdStrike is used on more than 1 million individual devices in health care organizations across the country to secure data and detect cybersecurity risks, per the company’s website.
What they’re saying: “Maybe your business isn’t affected, but the ones you depend on to do your business are. It just shows the interconnectivity and dependency of our overall technology world,” said Sam Levine, a senior vice president at risk solutions company CAC Specialty.
- “It’s going to continue to raise issues for systems or businesses wholly dependent on Microsoft — this issue of concentration risk,” former White House cybersecurity coordinator Michael Daniel, who’s the current head of the Cyber Threat Alliance, told AFP.
- “How do you balance the benefits of having everybody on the same operating system with the concentration risk that poses?”
Catch up quick: The outage resulted early Friday morning from a faulty software update pushed out by CrowdStrike.
- The issue, which CrowdStrike said was not a malicious cyberattack, affected devices using the Microsoft Windows operating system. Users saw the dreaded “blue screen of death” and were essentially locked out of their systems until they found another way in.
The big picture: Health care’s long quest to become more technologically forward and interoperable has created the potential for more crashes, because so many health care facilities rely on the same platforms.
- Even those hospitals that cover their bases by hiring two companies for the same service could be out of luck if the vendors use the same software and there’s a single point of failure, said Toby Gouker, an executive at First Health Advisory.
- “We just don’t understand our supply chains, really,” said Eric Noonan, CEO of cybersecurity company CyberSheath.
- The federal government has the ability and infrastructure to create resiliency, cybersecurity and data privacy standards that could minimize the impact of cyberattacks or outages, he said.
“I think the world is too far down the interconnectivity train to completely pull it back, but I think more organizations might give consideration to handling and managing certain aspects in house,” CAC Specialty’s Levine said.
What we’re watching: It remains to be seen whether regulators and policymakers respond to Friday’s crash with new guidance or standards.