Health care organization resiliency in the face of CrowdStrike downtime

Lessons learned and ways to address operational disruption

September 23, 2024

For continuing updates and action items, visit our CrowdStrike incident response page.

Key takeaways

The CrowdStrike incident caused far-reaching disruption for many health care organizations.

Organizations should review and reinforce their resilience capabilities.

Contingency planning and third-party risk management are key to addressing operational disruptions.


CrowdStrike, a U.S.-based cybersecurity vendor whose Falcon platform provides endpoint detection and response (EDR), pushed a defective content update to its Falcon sensor for Windows during the early hours of July 19, 2024. Windows hosts running the sensor crashed on loading the update and in many cases entered a boot loop, causing widespread downtime on those systems; Mac and Linux hosts were not affected.

The outage affected organizations around the globe, from hospitals to commercial airlines and even emergency call centers. The ripple effect was particularly damaging in the health care industry, where electronic medical record (EMR) systems were partially or completely unavailable.

Impact of CrowdStrike disruption

The impact was far-reaching, and for some organizations lingered for weeks, for any health care entity running the CrowdStrike Falcon sensor on Microsoft Windows. Many critical services at health care organizations were reduced dramatically or came to an abrupt halt, affecting both providers and patients. For example:

  • Hospitals and their providers had to quickly transition to downtime procedures, such as paper charts to document patient visit data and information.
  • Significant delays in patient care and widespread outpatient appointment cancellations occurred because hospitals and their providers could not electronically access patients’ medical records, resulting in some hospitals transitioning to emergency care only.
  • Patient access to prescription medications was restricted in some areas, as pharmacists could not access electronic patient records, process orders or produce accurate formularies for medications.

What should organizations do?

As health care organizations continue to recover from this incident, it is important to ask what can be done in the short term to manage and assess the damage, and how to better prepare your organization for future incidents.

Organizations should review and reinforce their resilience capabilities: Health care providers will eventually find a way to address their patients’ immediate needs. From an administrative standpoint, however, many health care organizations lack the resilience and contingency planning necessary to respond quickly to an incident, transition effectively to downtime procedures, maintain their essential business activities and recover to the point of daily operations. The following are two vital components of health care resilience that are often overlooked. Proactive planning in both areas can substantially improve response, continuity and recovery outcomes and address the risks associated with these highly consequential technology disruptions.

Continuity of operations planning (COOP)/contingency planning: Continuity planning involves, in part, developing and documenting manual workarounds (i.e., operational activities) that facilitate the continuation of essential services following a disaster event affecting essential resources (e.g., information technology system or application, vendors, staff members, equipment). COOP plans include manual workarounds to maintain essential services, the minimum number of staff to execute the workarounds, the supplies and equipment supporting the staff and the services, the vendors and alternate vendors, and the intra- and inter-dependencies of each essential service.

Following the CrowdStrike outage, hospitals should have activated their continuity plans for critical downtime activities, such as paper charting, patient prioritization models, manual scheduling practices, manual dosing, and care team decision-making protocols.

Critical to the success of any plan is exercise and training. Resilience plans must be exercised to validate team roles and responsibilities, confirm downtime procedures, review staffing models for maintaining essential services, and practice the recovery procedures that return the hospital to daily operations. Training personnel, including just-in-time training at the moment a plan is activated, is as important as exercises. All medical and nonmedical staff must understand their roles in continuity activities to mitigate the impact on patient care.

Third-party risk management: Robust vendor risk management is another proactive measure that can help mitigate the damage of a major business disruption. 

Foundational to this component is to inventory all third-party providers and to document the services each provides, the business processes the vendor supports, and the type of data the vendor stores, processes or transmits on your behalf, and from that to determine the vendor's inherent risk. You should then evaluate the criticality of the services the vendor provides and your reliance on those providers to support critical business activities such as patient care, pharmacy services and billing.

Analysis should be completed on the vendor inventory to ensure business continuity plans are in place for any processes being supported by a third party. You may also want to consider diversifying your providers to minimize the downstream impact that could be caused by loss of services from a sole-sourced provider.

You should also consider your extended vendor ecosystem as part of your vendor inventory, which includes fourth parties: the vendors and service providers that your third parties rely on. The CrowdStrike outage is a case in point, since a hosted application can go down because the hosting vendor's own Windows systems run the affected sensor, even when the hospital has no direct relationship with CrowdStrike. Fourth-party management is on the horizon for many industries and compliance frameworks, so it is important to understand your full vendor landscape, to ensure proper controls protect the flow of information between these third and fourth parties, and to prevent downstream impacts from business disruptions.
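As an added illustration of the inventory analysis described above (this is not part of the original article and is not RSM's tooling), the Python script below takes a constructed inventory of essential services, the third parties each requires, the fourth parties those vendors in turn depend on, and the third parties for which a contracted alternate exists. It then computes each provider's blast radius (the essential services that stop if that provider fails), surfaces fourth parties that never appear in the direct vendor list, and flags sole-sourced concentration points. All service, vendor and provider names are hypothetical.

```python
"""Vendor-dependency concentration analysis.

Added example; not the article's or RSM's own code. The inventory data below
is constructed for illustration and every service, vendor and fourth-party
name is hypothetical.
"""
from collections import defaultdict

# Constructed inventory: essential service -> third parties it requires (all of them).
SERVICE_VENDORS = {
    "emr_charting":    ["EMRVendor"],
    "pharmacy_orders": ["PharmacySys", "EMRVendor"],
    "billing":         ["ClearingHouse"],
    "lab_results":     ["LabInterface"],
    "scheduling":      ["EMRVendor"],
}

# Constructed: provider -> providers it depends on (fourth parties, and deeper).
# "EndpointAgent" stands in for a security agent that several vendors run on
# their own systems; the hospital never contracts with it directly.
PROVIDER_DEPENDENCIES = {
    "EMRVendor":     ["CloudHost", "EndpointAgent"],
    "PharmacySys":   ["EndpointAgent"],
    "ClearingHouse": ["CloudHost"],
}

# Constructed: third parties for which a contracted alternate exists.
ALTERNATES = {"ClearingHouse": ["BackupClearingHouse"]}


def transitive_providers(provider, deps, seen=None):
    """Return the provider itself plus every provider reachable beneath it.
    The visited set also guards against cycles in a real inventory."""
    if seen is None:
        seen = set()
    if provider not in seen:
        seen.add(provider)
        for sub in deps.get(provider, []):
            transitive_providers(sub, deps, seen)
    return seen


def blast_radius(service_vendors, deps):
    """Map every provider (third or fourth party) to the sorted list of
    essential services that stop if that provider fails."""
    impact = defaultdict(set)
    for service, vendors in service_vendors.items():
        for vendor in vendors:
            for provider in transitive_providers(vendor, deps):
                impact[provider].add(service)
    return {p: sorted(s) for p, s in impact.items()}


def fourth_parties(service_vendors, deps):
    """Providers reached only through another vendor: absent from a
    third-party-only inventory, yet able to take services down."""
    direct = {v for vendors in service_vendors.values() for v in vendors}
    return sorted(set(blast_radius(service_vendors, deps)) - direct)


def concentration_report(service_vendors, deps, alternates, threshold=0.5):
    """Rank providers by blast radius and flag those that underpin at least
    `threshold` of essential services with no contracted alternate."""
    total = len(service_vendors)
    hidden = set(fourth_parties(service_vendors, deps))
    rows = []
    for provider, services in blast_radius(service_vendors, deps).items():
        share = len(services) / total
        has_alt = bool(alternates.get(provider))
        rows.append({
            "provider": provider,
            "services": services,
            "fourth_party": provider in hidden,
            "has_alternate": has_alt,
            "flagged": share >= threshold and not has_alt,
        })
    # Largest blast radius first; ties broken by name for stable output.
    rows.sort(key=lambda r: (-len(r["services"]), r["provider"]))
    return rows


if __name__ == "__main__":
    for row in concentration_report(SERVICE_VENDORS, PROVIDER_DEPENDENCIES, ALTERNATES):
        tag = "FLAG" if row["flagged"] else "    "
        kind = "4th" if row["fourth_party"] else "3rd"
        print(f"{tag} {kind} {row['provider']:<14} "
              f"{len(row['services'])} service(s): {', '.join(row['services'])}")
```

In this constructed inventory the two providers with the largest blast radius, CloudHost and EndpointAgent, are fourth parties that a list of directly contracted vendors would never show, which is the gap the paragraph above describes. The threshold and the all-required semantics of `SERVICE_VENDORS` are modelling choices; an inventory that records genuine alternates for a service would need a richer structure than this example uses.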

Health care organizations traditionally focus their risk management efforts on the third parties with whom a business associate agreement (BAA) is required. But even in the health care space, critical vendors may fall outside the BAA scope, and these entities should not be overlooked.

Due diligence should also be conducted not merely as a point-in-time assessment when the vendor is onboarded, but regularly throughout the vendor relationship, to confirm that vulnerabilities are remediated in a timely fashion and proper controls remain in place. This can be accomplished through periodic security questionnaires, risk assessments, audits and contract reviews. You may also explore real-time monitoring tools that feed the organization information on the factors affecting the financial, operational, cyber and reputational risk of these vendors. Together these help you understand the risk a vendor brings to your organization and how that risk may change over time.

RSM contributors

  • Amy Feldman
    Director, Risk Consulting
  • Alyssa Connick
    Manager
