The CrowdStrike incident which took place in mid-July 2024 took down some of the most recognizable businesses globally across all industries. It’s no secret that the healthcare industry lacks proper preparation and resiliency, but this incident can and should serve as (another) wake-up call as to why healthcare cannot continue to treat cybersecurity as a checkbox item. More band-aids will not sufficiently protect an industry reliant on the constant sharing of PII/PHI data.
What happened:
There are lots of summaries out there on what happened. This summary of events by Jonathan Rudy of TransUnion is super clean and straight to the point.
- CrowdStrike released an update for their [EDR] security software in February 2024.
- EDR = Endpoint Detection & Response = records and detects malicious behavior across system endpoints
- This update included 21 fields—but only 20 were filled in.
- The July 2024 update tried to read the missing 21st value and looked in the wrong place in the computer’s memory—causing a Windows crash.
- This impacted systems using CrowdStrike’s EDR solution across the globe, causing disruptions to critical infrastructure and stopping employees from working.
- In the chaos that ensued, real malicious actors took advantage of the timing to phish and stand up fake websites and service pages. Full breakdown here.
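The count mismatch in the summary above, as an added example in C that is not from the original post or from CrowdStrike: a template that declares 21 fields, a record that carries only 20 values, and a reader that checks the record against the template before indexing into it. The type names, field names and sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed illustration of the field-count mismatch; not CrowdStrike's
 * real file formats or code. */

typedef struct { size_t field_count; } template_t;  /* fields the template declares */
typedef struct {                                    /* values an update actually ships */
    size_t value_count;
    const uint32_t *values;
} record_t;

/* The failure mode: an interpreter that trusts field_count and indexes
 * values[i] directly would, for a 21-field template and a 20-value record,
 * read values[20], one element past the end of the array.  Checking the
 * record against the template first refuses the input instead. */
static bool record_matches_template(const template_t *t, const record_t *r) {
    return r->values != NULL && r->value_count == t->field_count;
}

/* Checked read: fails closed rather than reading outside the record. */
static bool read_field(const template_t *t, const record_t *r,
                       size_t i, uint32_t *out) {
    if (!record_matches_template(t, r) || i >= r->value_count)
        return false;
    *out = r->values[i];
    return true;
}

/* The mismatch from the post: template defines 21 fields, record has 20. */
static bool demo_mismatch_rejected(void) {
    static const uint32_t twenty[20] = {0};   /* constructed sample values */
    template_t t = { .field_count = 21 };
    record_t   r = { .value_count = 20, .values = twenty };
    uint32_t v;
    return !read_field(&t, &r, 20, &v);       /* 21st field (index 20) refused */
}

/* Control case: a record that matches its template reads normally. */
static bool demo_match_accepted(void) {
    static const uint32_t three[3] = { 7, 8, 9 };
    template_t t = { .field_count = 3 };
    record_t   r = { .value_count = 3, .values = three };
    uint32_t v = 0;
    return read_field(&t, &r, 2, &v) && v == 9;
}
```

The same check belongs at load time, so a record whose value count does not match its template is rejected before any field is ever read.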
Will this happen again?
The answer is a big “maybe.” The original CrowdStrike issue was not a malicious act but a (lack of) testing issue that didn’t account for the field addition.
While this specific issue likely won’t happen again for CrowdStrike (as there is likely now a hardcoded test case to make sure lightning doesn’t [Crowd]Strike the same place twice), similar issues are always possible with software updates.
But, will malicious actors take advantage of scenarios like this? They will always try.
How can healthcare organizations be better defended?
EDR is still a valuable tool – this type of security is an important part of organizations’ cyber strategy. However, segmentation is a critical complement. If systems are impacted, segmentation can prevent lateral movement and the spread of attacks.
A patch management and versioning strategy can also mitigate issues caused by problematic updates. Donna G. outlines here why a phased rollout approach to updates could also mitigate similar issues.
Organizational resiliency is a combination of hardware, software, and people. While the CrowdStrike incident caused real disruptions, a patch was rolled out. During the swirl, however, many organizations were likely victimized by phishing attacks preying on desperation. Systems can’t fix everything – something may get overlooked in a patch, or someone may click on something they shouldn’t, or team members may get “social-engineered” to share more than they should.
Healthcare needs improved disaster recovery, cybersecurity training, and segmentation in addition to EDR implementations. A holistic multi-layer security approach, including enabled teams, is no longer an option: it’s an imperative.