CrowdStrike update nightmare gives hospitals 'disaster prep' pop quiz

For benefits brokers and benefits managers, one revelation may be the lack of a system recovery tracker.


Most U.S. hospitals and other health care providers seem to have recovered from the CrowdStrike update failure within a few hours, but benefits brokers and managers who want to know how healthy is healthy may have a hard time tracking the recovery.

Tools like the Downdetector and Is The Service Down? websites can help benefits professionals see when health care providers are flat on their backs with cyber problems. Once the acute crisis has passed, the only small, blurry window available is knowing health care information technology professionals or trying to enter search terms like “hospital computer” into Google Trends.

CrowdStrike, a cybersecurity company, gave health care providers a surprise technology disaster preparedness test starting early Thursday morning by pushing out a content update for Microsoft Windows-based computers that crippled the ability of many of those computers to wake up.

Many experienced computer users could fix the glitch themselves. Information technology could fix most of the other computers. But live humans had to apply the fix computer by computer. CrowdStrike could not simply send out a fix and wake the sleeping computers up.

The impact

The CrowdStrike update glitch affected about 8.5 million Windows devices, or about 1% of all devices that run Windows, according to Microsoft.

Some of the major health care systems that posted notices about CrowdStrike-related disruption of operations Friday included Banner Health in Phoenix, Mass General Brigham in Boston, Penn Medicine in Philadelphia and RWJBarnabas in New Jersey.

Most of the hospital systems reported that operations were largely back to normal by Friday afternoon.

The glitch does not seem likely to cause the kind of widespread, long-lasting paralysis that the big February ransomware attack on UnitedHealth’s Change Healthcare systems caused. The impact of that attack was amplified by companies’ worries about ongoing security as much as by any technical problems with access to data.


But the CrowdStrike outage was like a mild dress rehearsal for the kind of cyberattack or powerful storm that professional groups, federal disaster preparation teams and state disaster prep teams seem to think of when developing their disaster response materials.

Most health care providers seemed to be able to keep essential operations going, but, in spite of all of the recent encounters with cyberattacks, at least one New York hospital suffered enough disruption that it put off performing any procedures that required anesthesia, according to press reports.

Cyber Glitch Prep

You may not be able to do much about the kind of cyber stability information available from hospitals and group health practices in your market.

One place to look for ideas about how to harden your own practice is the questionnaire the New York Department of Financial Services asks the top executives of the health care organizations it oversees to fill out every year.

Here are examples of some of the kinds of questions the department asks about firms’ business continuity plans:

Has your BCP (business continuity plan) been updated within the past year?

Does your BCP address all significant business activities, including:

  1. financial functions;
  2. underwriting/claim functions;
  3. telecommunication services;
  4. data process;
  5. network services; and
  6. security/remote access?

Does your BCP assign a restoration priority to all significant business activities?

Does your BCP set forth adequate manual processing procedures for use until the electronic data process functions can be restored?