Many affected providers are reporting that they are back up and running after a global IT outage that caused access to EHRs and other systems to be lost, surgeries and treatments to be canceled, and ambulance diversions on Friday. Getting computers past the blue screen of death required troubleshooting machine by machine in many cases and was also accomplished through large-scale deployments coordinated by Crowdstrike, Microsoft, and others.
In addition to the liabilities resulting from delays in care, the event raises questions about the technological gaps that underpin interoperable system design and the vendor’s operational preparedness during outages.
Risks to patient care
Over the weekend, Mass General Brigham patient portal users were pleased to see that “Mass General Brigham hospitals are open and accepting patients. All scheduled appointments and procedures will take place as scheduled on Monday, July 22.”
Messages about a critical incident at the Royal Surrey NHS Foundation Trust in England disappeared on Saturday morning as the critical incident was resolved.
While Massachusetts General Hospital remained open throughout the worldwide IT outage to care for patients with urgent health issues in the hospital’s clinics and emergency department, all previously scheduled non-urgent surgeries, procedures and visits were canceled on Friday.
Hopefully the reopening will bring some relief to patients like Doreen Richards, who told ABC Boston Channel 5 that she traveled to the city but had her pre-surgery appointment canceled due to the power outage, while others who had life-saving surgeries and treatments scheduled were delayed in the hospital or at home.
Unlike in banking, unexpected power outages pose risks to consumer safety.
“This was a technology issue, not a cyberattack, so there is no risk to the safety of your funds. Even the issues accessing funds are temporary until a fix is deployed,” Greg McBride, financial analyst at Bankrate.com, told AARP.
Service Credits and Potential Lawsuits
It appears that compensation from CrowdStrike will likely be in the form of back payments for services, according to by Business Insider Review the third-party vendor’s contract terms.
Consumers who are not treated fairly when it comes to refunding payments due to lost service are advised to contact the companies directly, for example when a cancelled flight cannot be rebooked for a later date and the airline will only issue a credit.
While no major patient lawsuits were filed quickly after Friday’s outage—and it could take time, like the lawsuit filed last week over the Jan. 31 cyberattack on Lurie Children’s Hospital—patients have sued over other types of outages.
To speed up the process of getting back online, Microsoft has worked with CrowdStrike and others to address approximately 8.5 million affected devices.
“Since this event began, we have maintained ongoing communication with customers, CrowdStrike, and external developers to gather information and expedite solutions,” the company said in an online statement Saturday.
“We recognize the disruption this issue is causing to businesses and the daily routines of many individuals. Our focus is on providing customers with guidance and technical support to safely bring disrupted systems back online.”
Microsoft said it has taken the following steps:
- Partner with CrowdStrike to automate solution development.
- Deploy hundreds of Microsoft engineers and experts to work directly with customers to restore service.
- Collaborate with cloud providers and other stakeholders, including Google Cloud Platform and Amazon Web Services, to share awareness of the impacts we are seeing across the industry and inform ongoing conversations with CrowdStrike and customers.
- Post documentation and manual remediation script.
- Keep customers updated on the latest status of incidents via the Azure Status Dashboard.
Microsoft said CrowdStrike helped it develop a scalable patch that expedited “the fix for CrowdStrike’s flawed update” to customer cloud assets, which was critical to restoring services at healthcare and other organizations on Azure.
Too big to fail?
The CrowdStrike outage could be the worst IT disaster in history, although major cloud providers have had outages in the past. In 2017, the Amazon S3 cloud went down, affecting the functionality of websites and applications in the healthcare sector.
“This incident demonstrates the interconnected nature of our vast ecosystem — global cloud providers, software platforms, security vendors and other software providers, as well as customers,” Microsoft acknowledged in its statement on Saturday,
“This is also a reminder of how important it is for all of us in the technology ecosystem to prioritize operations with secure deployment and disaster recovery using existing mechanisms.”
This event, which did not affect systems that did not use CrowdStrike like most systems in China, is not unthinkable.
Modern social systems “were designed to optimize hyperconnectivity, not decentralized resilience,” and this event should be seen as a warning, according to Atlantic.
For the healthcare industry, with its dominance of third-party providers, this is another opportunity to test contingency plans to minimize disruption to patients’ lives.
Andrea Fox is senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS Media.
