ohA widespread outage on Microsoft systems on Thursday took down computers in health systems around the world, causing many healthcare providers to cancel non-urgent medical appointments and surgeries and urging patients to plan for interrupted travel and delays in care.
“A major global software outage is affecting many systems at Massachusetts General Brigham Hospital,” the hospital said in a statement on Friday. “Due to the severity of this issue, all non-urgent surgeries, procedures and appointments scheduled for today have been canceled.” Dana-Farber Cancer Institute has asked all patients with appointments to stay home, and procedures requiring anesthesia have been canceled at Memorial Sloan Kettering Cancer Center.
According to an email notification sent to Duke University Health System employees, the outage affected “computer and clinical systems” across the health system, and the problem was apparently caused by a software update from cybersecurity firm CrowdStrike that disabled computers running Microsoft Windows.
““CrowdStrike is actively working with customers affected by the flaw found in a single content update for Windows hosts,” the company said. Said Microsoft said in a statement that the issue was not the result of a cyberattack. Microsoft did not respond to a request for comment by press time.
This security collapse is especially badly timed and shocking because it comes just weeks after the Biden administration reached an agreement with Microsoft to protect the health system from cybersecurity incidents. The agreement is intended to help rural hospitals avoid ransomware attacks. Friday’s incident was caused by a glitch, not a ransomware attack, but it still highlights Microsoft’s own deep-rooted security vulnerabilities.
Several health systems reported the outage affected their electronic medical record systems. The National Health Service reported issues with its patient record system, EMIS, and U.S. hospitals reported issues with similar software systems from both Epic and Cerner. Other affected health systems include Mount Sinai Health System, University of Vermont Health System, RWJBarnabas Health System, and Virginia Commonwealth University Health System.
CrowdStrike is a cybersecurity software vendor that scans devices on a network to make sure they’re up to date and compliant. Ironically, health systems that have invested in cybersecurity measures were more likely to be affected by the CrowdStrike outage, experts said. Although the outage wasn’t the result of a hack, it’s still a cyber issue, said Joshua Glandorf, chief information officer at UC San Diego Health, which was not affected by the outage.
“The problem fundamentally stems from the need for cybersecurity tools,” Glandorf said. “You need tools like CrowdStrike and endpoint detection to prevent cybersecurity attacks, but that also creates other vulnerabilities.”
Similarly Changing cyber attacks in healthcare Like the CrowdStrike outage that crippled many medical operations when it came online in February, the scale of this outage stems from the fact that the company is the most prominent provider of such cybersecurity services, experts told STAT.
“CrowdStrike is just one of 100 companies that control tiny parts that are everywhere. If one of the other 99 goes down, it will have the same impact. This is a sign that we can’t wait any longer. We need to stop the bleeding,” said Kevin Hu, a professor of electrical engineering and computer science at Northeastern University. “The White House should appoint a blue ribbon committee to investigate what caused this and how we can be resilient so that it doesn’t happen again in the future.”
Most health systems have plans for such outages, which can occur due to planned software updates, unexpected bugs, increased cybersecurity attacks, etc. At the University of Pennsylvania School of Medicine, where some outpatient appointments and procedures were canceled today, the health system said it has such “outage” procedures in place.
But some of these plans concern computers during downtime, which could be affected if they are Windows machines. An internal email from Duke University encourages clinicians to bring in personal computers if they have access to clinical systems. For some functions, offices can revert to using paper records and telephones.
A fix for the bug is already available, and experts expect the issue to be largely resolved within a few days once IT teams manually reboot computers, but some organizations may still have trouble implementing the fix in a timely manner.
Studies show that patients who have suffered cyberattacks have worse outcomes, and while the current outages are not the result of hacks, many of the same systems are still failing. Hospitals near hospitals affected by cyberattacks have increased emergency department visits (15%), ambulance arrivals (35%), and wait times (21 to 31 minutes), and a 128% increase in patients leaving the emergency department without being seen. Patients who suffer heart attacks and are treated at nearby hospitals that were not attacked are less likely to survive, possibly due to increased ambulance arrival times due to diversions, or increased patient volume.
Because the outage was widespread and stemmed from the underlying infrastructure of a wide variety of Windows machines, rather than software specific to the health system, the impact extended beyond patient continuity of care. Walter Reed National Military Medical Center warned patients about the outage in a tweet, urging them to arrive on time for appointments and allow extra time for travel disruptions.
In the US, many medical facilities, including Cincinnati Children’s Hospital and the Hospital for Special Surgery in New York, continued their normal appointment schedules on Friday but told patients to expect delays. Others, such as the Cleveland Clinic, said some of the technology they use was affected by the outage but that patient care was not affected.
Eric Poon, Duke University’s chief medical information officer, told STAT in an email that other than having to use separate rooms and computers, things are largely back to normal. “It still had a significant impact and we had to activate our health system command center to deal with various outages, but fortunately we were able to ‘stay open’ for surgeries, imaging, emergency department admissions, and previously scheduled hospitalizations,” he said.[d] “Make an appointment for outpatient care,” he said.
Microsoft machines and software are widely used in healthcare, but not all health systems were affected. Systems at Northwestern Medicine and Johns Hopkins Medicine, among others, said they were not affected by the outage.
