What health IT pros can learn from the CrowdStrike outage
Following the CrowdStrike outage, experts recommended that health IT security practitioners focus on building resilience and tackling third-party risk.
In the aftermath of the CrowdStrike outage, companies worldwide have been working to regain business continuity and improve resilience for future incidents. Hospitals, airlines and a variety of other businesses saw the blue screen of death on Friday, July 19, 2024, when a faulty content update resulted in crashes for approximately 8.5 million Windows devices.
Less than 1% of all Windows machines were affected by the outage, but it resulted in notable delays and appointment cancellations at hospitals. For example, Mass General Brigham hospitals and clinics canceled all nonurgent visits the day the outage began. Healthcare organizations, such as Memorial Sloan Kettering Cancer Center, Cleveland Clinic and Mount Sinai, also experienced disruptions.
The outage was not the result of a malicious cyberattack. Rather, the incident resulted from a defective content configuration update to CrowdStrike's Falcon threat detection platform, the company stated in its preliminary post-incident review. A bug in the content validator allowed the faulty update to pass validation despite the errors.
"What we're hearing is that the recovery is well underway. Most healthcare organizations I've been talking to are back up and running," David Finn, executive vice president of governance, risk and compliance at First Health Advisory, said in an interview with TechTarget Editorial.
"The scope was much smaller than some of the other issues we've seen in the recent past in healthcare, but the response was healthy. Still, I think there are a lot of lessons learned."
Health IT security practitioners can use this incident to inform future response and recovery efforts, experts suggested.
Bad things will always happen
"The bad thing is always going to happen," Finn said, speaking from 40 years of experience in the health IT security and privacy space. "The trick is to plan for it and be prepared and be able to recover and be resilient."
Whether it is a massive cyberattack like the one that occurred in February 2024 at Change Healthcare or a global IT outage without malicious origins, healthcare organizations of all sizes must be prepared to respond to a variety of cyberincidents that could affect critical systems.
Finn stressed the importance of upfront due diligence and careful incident response planning to account for single points of failure. Taking time upfront to address and plan for potential operational challenges that could result from a cybersecurity event or IT system failure will pay off when that event actually occurs.
"We have to change the way we think about deploying this stuff," Finn added. "Software, fortunately or not, is written by human beings, and human beings will always make mistakes, and it's our job to protect against those kinds of mistakes."
Resilience is key
Cyber-resilience is essential to enabling organizations to quickly recover and restore operations. Organizations operating with the knowledge that incidents like this outage are bound to occur can then focus on resilience in the face of those incidents.
Finn stressed the importance of resiliency and redundancy in the face of incidents like the CrowdStrike outage.
"I still trust CrowdStrike, but that trust does not mean that they are going to be perfect every time out of the box," Finn noted.
Healthcare organizations were quick to respond to the incident amid appointment cancellations and delays. For example, in a public statement, Mass General Brigham said that it activated its incident command to manage its response to the incident.
"The hard work since the very early hours by our response teams and staff allowed our clinics and emergency departments to remain open today for those with urgent health concerns, in addition to the many patients currently admitted in our hospitals," Mass General Brigham said on July 19.
By Monday, July 22, Mass General Brigham hospitals and clinics resumed scheduled appointments and procedures.
To Erik Weinick, co-head of the privacy and cybersecurity practice at New York-based law firm Otterbourg, the CrowdStrike incident further demonstrated the need for organizations of all sizes to reevaluate their legal and technical risk protocols.
"Although initial reports indicate that the incident was an accident, not an attack, on the technical front, organizations should use this incident as motivation to conduct information audits and penetration testing, update system mapping/organization and software -- including most importantly security patches -- and issue reminders to users about best security practices, like multifactor authentication and frequent changing of difficult-to-guess passwords," Weinick said.
Essentially, organizations can learn from incidents such as the CrowdStrike outage to bolster their risk management efforts and improve cyber-resilience.
Third-party risk management remains a challenge
Even with internal systems under strict security controls, organizations are exposed to additional risks related to third-party vendors. As the interconnectedness of healthcare increases, that risk area also expands.
The global IT outage once again highlighted the importance of third-party risk management and the challenges that come with it. In 2023 and 2022, some of the largest healthcare data breaches (by records affected) stemmed from third-party vendors.
"People probably did a lot of risk analysis and stuff around CrowdStrike, but I'll bet no one ever asked what tools they use to produce their software," Finn posited.
"Until we get standards in place for software development and certifications for software that gets sold to critical infrastructure sectors, we are going to have to dig a little deeper."
In response to the incident, CrowdStrike said it would improve its software resiliency and testing by adding additional validation checks to its Content Validator for Rapid Response Content, which would prevent faulty content from being deployed.
The company also said it would conduct multiple independent third-party security code reviews to prevent an incident like this from occurring again.
"On the legal front, organizations should check their vendor agreements, to remind themselves of, among other things, their own obligations to others when it comes to privacy and data security, who their partners are doing business with and what obligations do and do not flow through those relationships, and what limitations there are on liability for incidents such as CrowdStrike," Weinick advised.
"It is also a good time to check on business disruption insurance coverage. Finally, organizations should consider tabletop exercises so they can rehearse business continuity and recovery procedures in the event of a systems outage, no matter the cause."
Overall, the global IT outage reinforced essential IT and security considerations for organizations worldwide, especially in the areas of resilience, third-party risk and incident response and recovery.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.