CrowdStrike, a growing cybersecurity firm, unwittingly triggered a massive IT outage on Friday, disrupting businesses, including healthcare, after issuing what was supposed to be a routine software update.
The firm attempted to update its Falcon Sensor product, which protects data encrypted on the cloud from cyberattacks. However, there was a bug during deployment, with some Microsoft Windows users experiencing a critical “blue screen” error, or what is known as the “blue screen of death,” blocking attempts to reboot.
CrowdStrike CEO George Kurtz took to X early Friday morning in an attempt to ease clients’ concerns, stating the problem had been identified, isolated and a fix was in the works.
“Mac and Linux hosts are not impacted. This is not a security incident or cyberattack,” Kurtz stressed. “Our team is fully mobilized to ensure the security and stability of CrowdStrike customers.”
But havoc had already ensued. The company serves over half of the Fortune 500 companies, 8 in 10 top financial services firms and tech firms, and 6 in 10 of the top healthcare providers, according to its website. Clients ranging from airlines to hospitals have reported disruptions.
As of press time, at least 11 health systems contacted by Healthcare Dive were experiencing problems related to the outage.
West Orange, New Jersey-based RWJBarnabas Health, Atlanta-based Emory Healthcare, Boston-based Mass General Brigham and Louisville, Kentucky-based Norton Healthcare are among the health systems delaying some procedures until the outage is resolved. A spokesperson for RWJ called the decision a move made out of “an abundance of caution.”
Other facilities, including Buffalo, New York-based Kaleida Health and Burlington, Massachusetts-based Tufts Medicine, are open. However, they’re operating under emergency management downtime procedures.
The American Hospital Association is aware of the outage and in touch with health systems as well as the federal government about the situation, John Riggi, the AHA’s national advisor for cybersecurity and risk, told Healthcare Dive via email.
Most systems are reporting disruptions related to communication systems, such as scheduling and check-in procedures. Billing procedures may also be impacted.
Patient care could be affected as well, said Dan Denno, senior architect in West Monroe’s technology and experience practice.
“I wouldn’t see somebody handling patients without being able to boot up their Windows system,” he said. “[...] If your healthcare company did not have the IT staff to figure this out and handle it for you, I could see a lot of companies impacted by this, and patient care.”
The outage is the largest in a decade, according to Neil MacDonald, vice president and distinguished analyst at Gartner. And despite Kurtz’s assurances on social media that a fix is in the works, MacDonald isn’t optimistic the recovery process will be smooth.
“I’ve seen some CrowdStrike comments [that] it’s fairly straightforward to fix, but it’s not in the sense that you have to get Windows into safe mode, which bypasses the CrowdStrike driver, then remove the offending file and then do a reboot,” Kurtz said. “In many cases, it’s going to require the end user to do that — maybe an IT person. Yes, it’s simple, but it doesn’t lend itself well to automation. … It will take time.”
The manual nature of the recovery process will likely make it even harder for smaller, rural health systems that lack a formal IT department to get back online.
Kurtz said getting systems up and running will require familiarity with maneuvering systems in and out of safe mode — a process most users don’t know how to do.
“You can talk them through it, but it’s not something people do on an everyday basis. It is a somewhat laborious [task],” he said. “IT people know how to do this, but not the typical end user.”
Meanwhile, bad actors could attempt to take advantage of health systems’ desperation to get systems back online, warns Steve Cagle, CEO of cybersecurity firm Clearwater.
“We [are] aware that malicious actors are taking advantage of the CrowdStrike situation and are posing as CrowdStrike support reaching out and offering assistance in restoring systems,” Cagle told Healthcare Dive over email.
He said nefarious actors might pose as call center agents and told impacted systems to be wary of inbound calls related to the outage, especially if agents attempt to direct callers to visit websites, which could deliver malware.
As the healthcare industry grapples with the full scope of the outage, Kurtz said the deployment should never have occurred.
“It comes down to the development and testing and QA and release process. And this should not have been released,” he said.
Emily Olsen contributed to this report.