A very good read from a respected source!

FOR EDUCATIONAL AND KNOWLEDGE SHARING PURPOSES ONLY. NOT-FOR-PROFIT. SEE COPYRIGHT DISCLAIMER.

STAT. Microsoft global outage forces health systems to cancel appointments, delay procedures

By Katie Palmer, Brittany Trang, and Casey Ross

July 19, 2024

On Thursday, a widespread outage to Microsoft systems took down computers in health systems around the globe, leading many to cancel non-urgent medical appointments and surgeries as they encouraged patients to make plans for disrupted travel and delays in care.

“A major worldwide software outage has affected many of our systems at Mass General Brigham,” the hospital system shared in a statement on Friday. “Due to the severity of this issue, all previously scheduled non-urgent surgeries, procedures, and medical visits are canceled today.” Dana-Farber Cancer Institute instructed all patients with scheduled appointments to stay home, and at Memorial Sloan Kettering Cancer Center, procedures requiring anesthesia were suspended.

An email notification to staff at Duke University Health System said the outage has impacted “computers and clinical systems” throughout the health system. The issue appears to have stemmed from a software update from the cybersecurity firm CrowdStrike, which disabled computers running Microsoft Windows.

“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts,” the company said in a statement, saying the issue did not stem from a cyberattack. A Microsoft spokesperson said the company was “supporting customers to assist in their recovery.”

The security meltdown is particularly ill-timed — and stunning — because it comes just weeks after the Biden administration struck an agreement with Microsoft to help safeguard health systems against cybersecurity incidents. That agreement is aimed at helping rural hospitals avert ransomware attacks. Although Friday’s incident was caused by a glitch, and not a ransomware attack, it nonetheless points to Microsoft’s own entrenched security vulnerabilities.

Several health systems reported that the outage affected their electronic health record systems. The National Health Service reported issues with its patient record system EMIS, while U.S. hospitals said similar software systems from both Epic and Cerner experienced issues. Other impacted health systems include Mount Sinai Health System, University of Vermont Health, RWJBarnabas Health, and Virginia Commonwealth University Health.

CrowdStrike is a cybersecurity software vendor that scans devices on a network to make sure they’re updated and compliant. Ironically, that means that health systems that invested in cybersecurity measures were more likely to get hit by the CrowdStrike outage, said experts. Despite the fact that this outage was not caused by a hack, it’s still a cyber issue, said Joshua Glandorf, chief information officer at UC San Diego Health, which was not affected by the outage.

“This issue is essentially created by our need for these cybersecurity tools,” said Glandorf. “We need tools like CrowdStrike and endpoint detection to prevent cybersecurity attacks. But we’ve now created other vulnerabilities because of that.”

Similar to the Change Healthcare cyberattack from February that disrupted many healthcare operations when it went offline, the magnitude of the CrowdStrike outage stems from the fact that it’s the most prominent provider of these cybersecurity services, experts told STAT.

“CrowdStrike is just one of 100 companies that manage these tiny little components that are everywhere. And if any of the other 99 go down, we’re going to have the same effect…This is just a sign that we can’t wait anymore. We need to stop the bleeding,” said Kevin Fu, a professor of electrical engineering and computer science at Northeastern University. “The White House needs to appoint a blue ribbon commission to look at what were the contributing factors, and how can we make sure we’ll be resilient in the future so it doesn’t happen again.”

Most health systems have plans for such outages, which can result from planned software updates, unanticipated bugs, and a growing number of cybersecurity attacks. Penn Medicine, where some outpatient appointments and procedures were subject to cancellations today, said the health system was implementing these kinds of “downtime” procedures.

However, some of those plans revolve around downtime computers, which may also be affected if they are Windows machines. An internal email from Duke encouraged clinicians to bring their personal computers if they could access clinical systems. Offices can revert to using paper records and phone calls for some functions.

Since there are already fixes for the bug available, experts anticipated that the issue would largely be resolved in a matter of days as IT teams reboot computers manually, though there could still be issues that prevent some organizations from implementing the fix in a timely manner.

Studies show that patient outcomes during cyberattacks are worse, and though the current outage is not a hack, it still cripples many of the same systems. Hospitals near those impacted by a cyberattack see increased emergency department volume (by 15%), increased ambulance arrivals (by 35%), increased wait time (from 21 to 31 minutes) and a 128% increase in patients leaving the emergency department without being seen. Patients who have heart attacks and are treated at nearby, non-attacked hospitals are less likely to survive, perhaps because of increased ambulance times due to diversions, or because of increased patient loads.

The widespread nature of this outage — stemming not from health system-specific software, but underlying infrastructure for a wide range of Windows machines — meant the impacts extended beyond continuity of care for patients. Walter Reed National Military Medical Center warned patients of the outage in a tweet, asking them to prepare for travel disruptions and allow for extra time to get to their appointments.

In the U.S., many health systems continued with their regular appointment schedules on Friday while asking patients to expect delays, including Cincinnati Children’s and the Hospital of Special Surgery in New York. Others, including Cleveland Clinic, shared that while some of the technology they use was impacted by the outage, patient care was not impacted.

Duke’s chief health information officer Eric Poon told STAT in an email that things are almost back to normal, except for the need to use different rooms and computers. “It was still pretty impactful and we had to stand up our health system command center to handle the various outages, but thankfully we’ve been able to ‘stay open’ for surgical procedures, imaging, ED admissions and previously schedule[d] outpatient appointments,” he said.

Despite the extensive use of Microsoft machines and software in health care, not every health system has been impacted: Systems including Northwestern Medicine and Johns Hopkins Medicine said their systems were not affected by the outage.

Learn more:

  • Medical Appointments, Surgeries Axed At U.S. Hospitals Amid CrowdStrike Outage – HuffPo
    • Health care workers have been unable to access medical records, prescriptions, scheduling, and other electronic tools and documents due to the outage.
    • Nonemergency surgeries, procedures and medical visits were canceled or suspended at multiple hospitals across the country Friday amid a global software outage that has kept health care workers from accessing medical records, prescriptions, scheduling, and other electronic tools and documents.
    • Massachusetts General Hospital in Boston, the state’s largest, said it has canceled “all previously scheduled non-urgent surgeries, procedures, and medical visits” due to the outage linked to the cybersecurity firm CrowdStrike.
  • Doctors revert to pen and paper after CrowdStrike’s outage hits hospitals: ‘Every single computer was down’ – Fortune
    • The tech outage, which is due to an apparent faulty software update from cybersecurity provider CrowdStrike, has sowed chaos across the nation’s healthcare system. The damage shows how intertwined technology has become with 21st century medical care, and how one glitch can send the healthcare industry into a tailspin. Many hospitals and labs across the U.S. and globally have had their systems shut down, leading some hospitals to cancel or delay procedures and surgeries. Medical staff at many facilities have had to revert to documenting everything via pen and paper and calling in prescriptions.
  • At least 12 major hospitals, health systems affected by global IT outage – ABC News
    • The Department of Health and Human Services issued an urgent alert to hospitals and law enforcement reporting that “multiple government agencies” were impacted.
