IT outage raises resilience, security concerns in healthcare


Health systems around the world are dealing with cancelled appointments and other disruptions to services in the wake of the global IT outage that hit on Friday, which is now thought to be the largest cyber event in history.

Microsoft has said it estimates that around 8.5 million computers around the world have been affected by a misconfigured software update from cybersecurity specialist CrowdStrike, causing machines using Windows software – many of which were supporting critical infrastructure – to experience the dreaded 'blue screen of death'.

In an update posted on Saturday, Microsoft said that, while less than 1% of Windows computers worldwide were affected, "the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services."

In healthcare, that resulted in primary care doctors struggling to access patients' electronic health records, pharmacies unable to process prescriptions, and hospitals having to defer treatments, including elective surgeries and radiotherapy. Some biopharma companies have also reported limited exposure to the problem.

The outage – which has been felt across the US, Europe, and other parts of the globe – has left healthcare services resorting to manual record-keeping to guide and provide care while IT teams work around the clock to get systems back online.

In the UK, for example, the problem is focused mainly on GP surgeries and pharmacies, with only a limited impact on hospitals, while in the US, electronic health records (EHRs) were offline at hospitals including Mass General Brigham and Dana Farber, forcing non-emergency procedures to be postponed.

"The NHS has long-standing measures in place to manage the disruption, including using paper patient records and handwritten prescriptions, and the usual phone systems to contact your GP," said an NHS spokesperson. "Patients should attend appointments unless told otherwise."

With the situation easing and systems starting to come back online, the fear now is that cybercriminals will exploit the disruption by releasing code claimed to help systems recover, but which could open a back door to allow ransomware attacks or data theft.

Just a couple of weeks ago, a cyberattack disrupted hospitals and GP practices in London in what is now thought to be the work of a Russian criminal network, leading to the postponement of non-emergency patient care and the transfer of operations requiring blood transfusion to other unaffected hospitals.

Along with security concerns, discussions are also now focused on the widespread disruption caused by the software update, and questions are being raised about the fragility of the systems that healthcare and other critical infrastructures rely on every day.

"We have to realise this could have been a lot worse," said Adam Leon Smith, a cyber security expert and fellow of BCS, the Chartered Institute for IT in the UK. "Microsoft Windows isn't the main operating system used for mission-critical systems. It's Linux."

"We have to look at the complex supply chain infrastructure that's providing the systems, services, and products we rely on every day," added Smith. "Software should be a priority when we are planning from a national resilience point of view."

On the other hand, Professor Jon Crowcroft, Marconi professor of communications systems at the University of Cambridge, said: "While it is true that we have a lot of dependence on too small a number of software or service components and we need more diversity, it's worth noting that three sites I use that are Microsoft cloud-based are all completely ok, so CrowdStrike isn't as widely used/pervasive as some of the hyperbole suggests."

He added: "There are other possibly larger cloud/internet cybersecurity defences, e.g. Cloudflare; if this had happened with that it would likely have been a lot more serious."

Image by PantheraLeo1359531 via Wikimedia