A global cyber outage that disrupted industries including healthcare, aviation and the media July 19 shows how interconnected IT systems are and the reliance on third-party vendors, health system leaders say.
The interruptions originated from a flawed software update from cybersecurity company CrowdStrike that hit computers running on Microsoft Windows. Health systems such as Somerville, Mass.-based Mass General Brigham and Phoenix-based Banner Health and Seattle Children's had to delay nonemergency procedures and appointments. Numerous hospitals around the country were affected to varying degrees.
"If you are not impacted by the global IT outage you are STILL impacted by the global IT outage," Will Weider, CIO of Wausau, Wis.-based Aspirus Health wrote July 19 on LinkedIn. "We are all dependent on 3rd party services. Stand up incident command and start assessing the impacted trading partners and how that impacts your organization. Communicate proactively."
The incident comes five months after a cyberattack claims processing vendor Change Healthcare left many hospitals and health systems unable to get paid for weeks to months.
The CrowdStrike update caused affected hospital workstations to not start up properly so each one has to have the faulty software removed and be rebooted, which takes around 10 minutes or less depending on the complexity of the digital solutions involved, according to Jack Kufahl, chief information security officer of Ann Arbor-based Michigan Medicine. CrowdStrike provided instructions for users.
During the recovery process, hospitals and health system employees should keep a running list of questions and concerns for the post-incident review, Mr. Kufahl told Becker's.
"The most important processes to continually improve are communication-related, so that IT, third-party vendors, affiliates, hospital operations, and care providers can act with coordination and reduce miscommunication wherever possible," he said. "Things move fast in events like this so there is a constant revision and tracing of new information, impacts, and outcomes."
A CIO at a large health system told Becker's he was too busy responding to the incident to comment.
"Everything from the EHRs to scheduling and coordination software, to even safety and quality reporting platforms are fully technology-dependent," said Mitesh Rao, the former chief patient safety officer of Palo Alto, Calif.-based Stanford Health Care and the founder and CEO of data company OMNY Health, in an emailed statement. "Most desktops across U.S. health systems run on Microsoft; this disruption will unfortunately affect every aspect of patient care."