More than a week after a global IT outage caused by a faulty update from cybersecurity company CrowdStrike, hospitals and health systems have largely returned to business as usual. So CIOs are focused on what comes next.
After CrowdStrike sent the bad update July 18 into July 19, many health systems' computers with Microsoft Windows started up that morning with a blank screen. But after the company delivered a fix Friday, July 19, most health systems got things back to normal over that weekend, with largely only a day of patient care interruptions at most.
Health system IT leaders told Becker's they're working on preventing a similar outage in the future by guarding against incidents caused by outside technology partners and boosting their backup capabilities.
"The CrowdStrike failure guides us to ensure we do not have too much reliance upon one technology platform or vendor partner," said Michael Restuccia, CIO of Philadelphia-based Penn Medicine. "With a growing global shortage of talented, service-oriented personnel, these types of events seem to be occurring in a more frequent manner across all industries. Introducing diversity in our platforms and additional layers of redundancy is a continued focus to ensure our technologies continue to enable our end-users to provide world-class patient care."
Jeffrey Ferranti, MD, chief digital officer of Durham, N.C.-based Duke University Health System, wondered in a July 24 Becker's story why CrowdStrike didn't release the update in stages to make sure it was working properly. "The question every CIO in the country has is, 'Why was this pushed out so broadly?'" Dr. Ferranti said. "Why wasn't it pushed out to a smaller group to make sure everything's OK and do a rolling update?"
In a July 24 update, CrowdStrike said it plans to implement a "staggered deployment strategy" for its updates and collect feedback during the process to "guide a phased rollout."
"Those are the kinds of things that are going to have to be commonplace in the industry," Dr. Ferranti said. "The stakes are just too high to be pushing things out at that scale."
Health systems affected by the outage told Becker's that most of their workstations with the bad update were repaired over the initial weekend, but a small percentage remain unfixed (say, individuals who were on vacation).
However, the extent of the outage's repercussions on hospitals and health systems "may not be known for weeks," according to John Riggi, national advisor for cybersecurity and risk at the American Hospital Association. "We continue to work closely with Microsoft and CrowdStrike leadership to assist in focused efforts for restoration," he said in a statement. "We also acknowledge and appreciate CrowdStrike's prioritization to assist hospitals for recovery, in the interest of public health and safety."
CIOs mostly emphasized how the event continues to show that health systems must better protect themselves against IT outages caused by third-party vendors. Typically, those happen via cyberattacks, like the February hack of UnitedHealth Group subsidiary Change Healthcare that disrupted claims and payment processing across the industry.
"We have to reduce our reliance on a single vendor by incorporating multiple providers for critical services," said Zafar Chaudry, MD, chief digital and information officer of Seattle Children's. "We have to evaluate the security practices of third-party vendors and implement measures to manage supply chain risks and prioritize the protection of patient data through robust encryption and access controls."