AHCJ – Association of Health Care Journalists

07/26/2024 | News release | Distributed by Public on 07/26/2024 09:26

Tips for covering the aftermath of the CrowdStrike outage

On July 19, a software patch released by CrowdStrike contained an undetected error that severely disrupted operations for major companies and health care institutions using Microsoft Windows devices.

In what is believed to be the largest information technology outage in history, over 36,000 flights worldwide were canceled. Courthouses nationwide closed or delayed trial proceedings. As hospitals and health systems continue to recover, there are still numerous ideas for journalists to pursue. This tip sheet provides an update on what happened, and some ideas for second-day stories.

What is CrowdStrike?

CrowdStrike produces software designed to detect and prevent cyberattacks. Its platform Falcon was developed to monitor a company's machines for hacking attempts, viruses and other threats, the Wall Street Journal reported. The product is used by multiple large companies including airlines, banks, hospitals and health systems.

On July 19, an update issued by the company caused machines running Microsoft Windows operating systems to crash due to a compatibility fault, resulting in the "blue screen of death" - a term used to describe an error screen that appears on PCs when they overheat or encounter a critical issue.

What happened on July 19?

A faulty content update released for customers who have Windows operating systems prompted system outages. Microsoft estimated that 8.5 million Windows devices were impacted, Becker's Health IT reported.

CrowdStrike CEO George Kurtz posted on X (formerly Twitter) that the outages were not caused by a security or cyber incident, and that they were "deeply sorry for the inconvenience and disruption" and had deployed a fix.

Microsoft said it deployed hundreds of engineers and experts to restore services and has kept its customers informed on the incident through an online dashboard, Healthcare IT News reported. The situation "is a reminder of how important it is for all of us across the tech ecosystem to prioritize operating with safe deployment and disaster recovery using the mechanisms that exist," Microsoft said in a blog post.

How were health care operations impacted?

Hospitals and other health care providers impacted by the outage canceled surgeries and other procedures and switched to downtime operations when possible, working on paper. Kaiser Permanente activated its national command center in response to the "unprecedented" disruption, the New York Times reported.

Banner Health in Phoenix closed clinics, urgent care centers and other outpatient facilities. Mass General Brigham in Boston canceled all non-urgent procedures, surgeries and visits. Upstate University Hospital in Syracuse, N.Y., delayed some outpatient services and procedures, including lab appointments.

Other major institutions impacted include Duke Health, Memorial Sloan Kettering Cancer Center and Seattle Children's Hospital. CommonSpirit Health in Chicago canceled some appointments but restored operations to enough devices to stay open, according to the Wall Street Journal.

Additionally, many 911 and nonemergency call centers were disrupted. Services at community pharmacies, including accessing prescriptions and getting medication deliveries, were also disrupted. Labcorp said the outage impacted its ability to deliver lab results.

"This is worse than a cyberattack," B.J. Moore, chief information officer of Providence Health system in Renton, Wash., told the Times. The disruption affected the health system's IT network and the computers of its partners. The health system operates 52 hospitals in seven states and 1,000 clinics.

Some features of Epic's electronic health records, like its telehealth visit platform, weren't available during the outage. Hospital systems such as Mass General Brigham; RWJBarnabas Health in West Orange, N.J.; University of Vermont Health Network; and Harris Health System in Bellaire, Texas, said they had restored operations by July 22, Becker's Health IT reported. But full restoration could take weeks for others.

Follow-up story angles to pursue

  • Republican leaders of the U.S. House Homeland Security Committee called on Kurtz to testify on Capitol Hill to explain how the outages occurred and what "mitigation steps" the company is taking to prevent future episodes, the Washington Post reported. Journalists could cover that testimony, if and when it happens, and interview other IT experts about what Kurtz says and recommends.
  • CrowdStrike warned that hackers are sending out a malicious, fake fix file called crowdstrike-hotfix.zip, and advised customers to work directly with company representatives. The file includes malware that allows hackers to monitor victims' devices remotely. Spanish filenames and instructions hint that the hackers are targeting Latin America-based customers, the company said. Journalists could interview businesses impacted by the outage to see if they received this file and what they did with it. Or they could talk to IT experts about how to spot fake files like this.
  • Lawsuits are sometimes filed months after an incident. This month, for example, at least two complaints seeking class-action status were filed against Lurie Children's Hospital in Chicago, saying the medical center failed to keep its patients safe after a cyberattack shut down its systems for months, ABC7 Chicago reported. If any lawsuits result from this incident, that could be a story.
  • Talk to hospital IT personnel about what downtime procedures they used during the outage, how long it took to restore services, and what lessons the incident can teach hospitals. Zafar Chaudry, M.D., chief digital and information officer for Seattle Children's Hospital, told Becker's Health IT that the incident underscored the reliance on third-party vendors for critical infrastructure. Future interruptions could be prevented, he said, by reducing reliance on a single vendor for software platforms, better evaluating these companies' security practices, regularly testing emergency response plans, and implementing data backups.
  • Talk to CrowdStrike (or other vendors) to ask how they test software patches and updates before sending them to customers. Jeffrey Ferranti, M.D., chief digital officer of Duke University Health System, in an interview with Becker's Health IT, questioned why the update wasn't tested first in a small group to work out kinks before deploying it everywhere.
  • Talk to patients who had procedures or other tests canceled to see how the outage impacted them.

Helpful links