A number of health systems delayed appointments and surgeries due to the problems related to CrowdStrike’s software update.
Hospitals scrambled to restore systems disrupted by a worldwide IT outage late last week and most say they’ve made progress, but some issues are lingering.
The problems centered around a faulty software update deployed by CrowdStrike, a cybersecurity company. The update affected Microsoft Windows systems that are used widely around the globe, and the problems affected banks, delayed thousands of flights and caused problems for health systems.
As a result, several hospital systems said Friday that they had to postpone non-urgent surgeries and other appointments due to the IT problems, and some weren’t able to access their electronic health records. Still, some systems are working to reschedule appointments that had to be delayed due to the IT issues.
Providence, the nonprofit system operating 51 hospitals and more than 1,000 clinics in seven states, said it was affected by the disruptions and had to postpone some appointments. On Monday, a Providence spokesman said the system was making progress, although some disruptions continue in California and Texas.
“Continuity of patient care continues to be a top priority and clinical teams are working to ensure any cancellations are rescheduled as soon as possible,” the Providence spokesman said.
Providence has been warning patients to be wary of phishing attempts from bad actors claiming they are from CrowdStrike and Microsoft and offering to help.
‘Unprecedented challenge’
Mass General Brigham canceled its non-urgent visits at all its hospitals and clinics Friday, but patients were able to maintain appointments Monday.
“Mass General Brigham is fully operational and open to patients. We will be resuming normal clinical volume throughout our system on Monday morning and all scheduled appointments and procedures will proceed as planned,” the system said.
The system said staff worked non-stop to restore services disrupted by the CrowdStrike issue.
“We are grateful for the trust and understanding of our patients and extend our deepest gratitude to all our staff who have come together and have worked so hard to ensure the health and safety of our patients during this unprecedented challenge,” Mass General said.
Memorial Sloan Kettering canceled non-urgent visits at all its hospitals and clinics Friday, but said Monday that all systems and applications have been reinstated.
“All sites remain fully operational, and we continue to provide safe, high-quality care to our patients,” the system said Monday.
The Hospital for Special Surgery said the worldwide outage disabled some of its computers and systems. The system said Friday that it was proceeding with patient care but warned patients that delays should be expected. As of Monday, HSS said patient-facing computers and systems have been fully restored.
A Cleveland Clinic spokesperson said some applications were affected by the outage but they have been restored, although some issues remain at individual workstations. Patient care hasn’t been impacted through the outage, the spokesperson said.
The Harris Health System in Texas also had to delay some elective procedures and appointments Friday, but the system said Monday it is working to reschedule those appointments.
Being prepared
The scope of the disruptions varied, with some hospitals seeing no issues and others seeing more serious problems, John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA), said Friday. Some disruptions involved “medical technology, communications and third-party service providers,” Riggi said in an AHA statement.
The hospital association said there were clinical procedure delays, diversions or cancellations. Some hospitals also experienced problems because local emergency call centers went down, Riggi said.
George Kurtz, the CEO of CrowdStrike, said Friday in a post on X that the software problem wasn’t related to a hacking incident. “This is not a security incident or cyberattack,” Kurtz wrote. CrowdStrike deployed a fix to resolve the issues, he said.
Steve Cagle, CEO of Clearwater, a cybersecurity firm, tells Chief Healthcare Executive® that hospitals need to be aware of disruptions beyond ransomware attacks.
“When you're talking about risk analysis, and risk management, we're not only talking about cybersecurity incidents,” Cagle says. “We're looking at other sources of interruption, anything that can affect confidentiality, integrity, or availability of electronic protected health information for the systems that are critical to the mission. There are numerous types of risks that can impact those organizations.”
Hospitals are also vulnerable to breaches or software issues involving their vendors, so it’s critical to reach out to third parties to see what they are doing to reduce risks, Cagle says.
The disruptions tied to the CrowdStrike outage also underscore the need for hospitals to have good response plans in case key systems are down, he adds.
“We need to be resilient … being able to withstand a disruption, being able to operate under duress, to recover quickly,” Cagle says.
Russell Teague, chief information security officer of Fortified Health Security, pointed to lessons the disruptions hold for organizations in a connected world.
“These situations remind all of us that we must not forget how to manually do the same functions and emphasize the importance of downtime processes and business continuity planning,” Teague said in a statement. “When technology fails, and it will at some point, we must have tech downtime procedures written, tested, and trained on regularly, so we can continue to deliver critical services to our patients even when tech suffers an outage.”