Daily Briefing

How Friday's CrowdStrike outage impacted healthcare providers


CrowdStrike, a cybersecurity firm, triggered a massive outage on Friday that disrupted a number of businesses, including hospitals and health systems. Here's how they were impacted.

How providers were affected by the outage

The outage occurred after CrowdStrike attempted to update its Falcon Sensor product, which protects encrypted data on the cloud from cyberattacks. However, during deployment, there was a bug, and some Microsoft users experienced a "blue screen" error that blocked their attempts to reboot their computers.

According to the company's website, CrowdStrike is used on more than 1 million individual devices in healthcare organizations throughout the United States.

The outage affected many hospitals and health systems. According to the American Hospital Association, the effects of the outage varied, and the health systems hit hardest activated backup plans and adjusted workflows while IT systems were manually restored.

Epic, the electronic health records company, said the outage idled some laptop and desktop workstations that were used to access Epic systems, and problems with data center software kept some facilities from using multiple systems, including Epic.

According to Rian Kabir, a psychiatry resident at the University of Louisville, "every single computer was down" at the school's outpatient mental health clinic. He said he couldn't review electronic patient records, access his drug monitoring program, or submit prescriptions to pharmacies electronically. He and his staff reverted to handwriting everything on paper.

Mass General Brigham said the outage "affected many of our systems" and led the health system to cancel all previously scheduled nonurgent surgeries, procedures, and medical visits. However, Mass General remained open to provide patient care.

Cone Health in North Carolina also canceled many treatments, procedures, and surgeries.

Tufts Medical Center remained open and on Friday was "operating under an emergency management structure as we await resolution of this disruption," according to a spokesperson.

RWJBarnabas said some clinical and patient computer systems at its hospitals were not working correctly. And according to Robert Cavanaugh, a spokesperson for RWJBarnabas, the outage also disrupted the telephone system at Robert Wood Johnson University Hospital.

Meanwhile, St. Joseph's Health said its computer systems were affected by the outage, but that "patient care has not been impacted and our hospitals, physician practices, and outpatient facilities remain open," according to a spokesperson.

UVA Health, a health system associated with the University of Virginia, was also impacted by the outage and closed its ambulatory clinics except for its Cancer Center, as well as outpatient radiology and imaging.

Martha's Vineyard Hospital canceled nonurgent surgeries, procedures, and medical appointments on Friday. Harris Health System in Texas also canceled elective procedures but said that some services would remain open.

Most of the computer systems at MultiCare Health System were also hit by the outage, according to a hospital statement, but the hospital's ED and its Indigo urgent care centers remained open on Friday.

B.J. Moore, CIO and EVP at Providence, which was affected by the outage, said the scope of the event made it more difficult than some cybersecurity attacks.

"If there's a cyberattack underway, you've got alerts that are going off," he said. "You can begin turning off networks, you can turn on firewalls or things that kind of contain it. Whereas this, we didn't know it was deployed by CrowdStrike. So, none of our warning systems would catch it and by the time we knew it happened, all of our computers are down."

The outage initially took 15,000 of Providence's application servers offline. However, Moore said all services were functioning by Sunday and procedures were taking place as planned. Moore added it will take Providence up to four weeks to finish bringing around 20,000 of its computers back online.

Even labs such as Labcorp said the outage impacted their ability to deliver lab results to physicians and patients, which could potentially delay hospital discharges or admissions, as well as treatment.

Reaction

According to Neil MacDonald, VP and distinguished analyst at Gartner, the CrowdStrike outage was the largest in a decade, and despite assurances from CrowdStrike, MacDonald said he doesn't believe the recovery process will be smooth.

"I've seen some CrowdStrike comments [that] it's fairly straightforward to fix, but it's not in the sense that you have to get Windows into safe mode, which bypasses the CrowdStrike driver, then remove the offending file and then do a reboot," he said. "In many cases, it's going to require the end user to do that — maybe an IT person. Yes, it's simple, but it doesn't lend itself well to automation. … It will take time."

Sam Levine, an SVP at CAC Specialty, said the outage is an example of the interconnectivity of technological systems around the world.

"Maybe your business isn't affected, but the ones you depend on to do your business are," he said. "It just shows the interconnectivity and dependency of our overall technology world."

Levine added he believes "the world is too far down the interconnectivity train to completely pull it back, but I think more organizations might give consideration to handling and managing certain aspects in house."

The outage is "going to continue to raise issues for systems or businesses wholly dependent on Microsoft — this issue of concentration risk," said Michael Daniel, former White House cybersecurity coordinator and current head of the Cyber Threat Alliance. "How do you balance the benefits of having everybody on the same operating system with the concentration risk that poses?" (Toole/Rex, CBS News, 7/19; Fallon, NorthJersey.com, 7/19; Goldman, Axios, 7/22; Kekatos et al., ABC News, 7/19; Vogel, HealthcareDive, 7/19; Morris, Fast Company, 7/19; Takahama, Seattle Times, 7/19; Turner et al., Modern Healthcare, 7/22; Mathews, Fortune, 7/19)


Toolkit: Third-Party Risk Management

Third-party risk management is not a one-time process; rather it is a cycle of conversations, risk assessments, adjustments, and internal discussions. Explore our resources to kick-start your program or assess your current approach to third-party risk management.

