Not all IT outages are caused by hackers—last week’s global outage was caused by a faulty software update on Microsoft Windows computers, and the incident is still unfolding six days later.

The software flaw originated at CrowdStrike, a cybersecurity company widely used by businesses and government agencies to protect against IT problems. CrowdStrike customers’ Microsoft computers crashed shortly after the software update was deployed on July 18.

In the aftermath, CrowdStrike explained that a defect in one of its updates for computers running the Windows operating system had caused the issue. From its blog;

“CrowdStrike released a sensor configuration update to Windows systems. Sensor configuration updates are an ongoing part of the protection mechanisms of the Falcon platform. This configuration update triggered a logic error resulting in a system crash and blue screen (BSOD) on impacted systems.”

Because so many businesses worldwide rely on Windows, the damage was massive. Multiple industries experienced outages, including transportation, healthcare, banking, retailers, FedEx, UPS, and government offices. Airlines delayed and canceled flights, and hospitals delayed treatment and were forced into downtime. Microsoft said that 8.5 million computers were affected. Mac and Linux users were not affected.

CrowdStrike isolated the problem and promptly issued a remediation measure, including a video to guide customers online. Unfortunately, the fix requires time, as manual coding is required to isolate and remove the flaw.

Large and small organizations have suffered. As of July 23, many are still working to repair the damage.

CrowdStrike Failure Hit Healthcare

As reported by HealthcareInfoSecurity, the healthcare disruptions include patient services, lab collections, secure file transfers, transcription services, shipments, manufacturing, phone systems, electronic medical records, pharmacy orders, Medicaid and insurance billing, 911 communications, and more.

Mass General Brigham Hospital in Boston canceled non-urgent visits. According to The New York Times, Kaiser Permanente, a 40-hospital system based in Oakland, CA, activated its national command center in response to the “unprecedented” disruption. 

Memorial Sloan Kettering Cancer Center, Cleveland Clinic, and Mount Sinai were also affected. Like Mass General, Harris Health System in Texas canceled outpatient clinic appointments and elective hospital procedures on July 19, with plans to reschedule once the system issues resolved.

Phoenix-based Banner Health closed clinics, urgent care centers, and outpatient facilities on July 19 with plans to reopen them as the system is restored.

Epic and Meditech, electronic health records (EHR) companies, were affected, causing various disruptions, from canceled telehealth visits to unusable laptop and desktop workstations. Some healthcare systems switched to paper records.

HIPAA Requires a Contingency Plan

The HIPAA Security Rule requires organizations to create a contingency plan to guide staff in managing an unexpected disruption, reducing data loss, and maintaining operations.

A plan should set out clear procedures for responding to an emergency or other occurrence (for example, a cyberattack, fire, system failure, or natural disaster) that damages systems containing electronic protected health information (EPHI). The plan should be tested and practiced to ensure staff can implement it when needed.

The Security Rule “standards” and “implementation specifications” are a blueprint for regulated entities to develop their contingency plans. Examples include data backup, disaster recovery, and emergency mode operations. Beyond that, the contingency plan needs procedures, like contact information and cross-training for staff who may need to fill different roles in an emergency.

There is no one-size-fits-all for contingency plans. The organization’s most recent Risk Analysis is the central guide in developing a plan.

The HIPAA E-Tool^® software contains everything needed to create a contingency plan. It includes all the Security Rule standards and specifications, all the policies, suggested procedures, and a template to guide the plan’s creation. Let us know if you need help writing or refreshing a contingency plan that complies with HIPAA.