In mid-July 2024, a significant software update issue from CrowdStrike led to widespread disruptions, notably impacting healthcare systems. The incident underscores, yet again, the critical need for robust Governance, Risk, and Compliance (GRC) strategies that anticipate and mitigate risks associated with third-party software. Here's a look at what happened during this incident and how GRC professionals, particularly in the healthcare sector, can fortify their operational resilience with strategic risk management practices to help prevent similar disruptions in the future.
Understanding the CrowdStrike Incident
On July 19, 2024, CrowdStrike released what they thought was a routine software update, but a “defect found in a Falcon content update for Windows hosts” caused widespread system crashes. The error ended up affecting organizations globally, including healthcare providers, emergency services, airlines, and financial institutions. The defective update was quickly rolled back, but the damage had been done, leading to significant operational and financial impacts — “airlines reported losses amounting to $860 million, while the banking and healthcare sectors together lost over three billion dollars” according to Spiceworks’ research. These figures underscore the severity of the disruption and the critical importance of managing third-party software risks effectively.
Implications for GRC Programs
IT and third-party software risks are not new — in fact they fall neatly into the transformative novel risk definition that we discussed in the 2024 State of Risk Report. However, the CrowdStrike incident illustrates how seemingly routine software updates can pose significant risks. Beyond the immediate technical issues, such incidents can lead to extensive operational downtime, financial losses, and damage to an organization’s reputation. Businesses across all sectors must recognize the potential for third-party software issues to disrupt their operations and understand that robust operational resilience and risk management strategies are essential to mitigate these risks. Ensuring that software vendors follow stringent quality assurance processes and maintaining comprehensive incident response plans are critical steps for all organizations.
Implications for Healthcare Risk Programs
Healthcare organizations are particularly vulnerable to IT disruptions due to the critical nature of their services. The CrowdStrike incident highlighted several key risk areas:
- Operational Disruptions: System crashes can halt patient care processes, leading to delays in treatment and potential harm to patients.
- Financial Impact: The costs associated with system downtime, data recovery, and potential legal liabilities can be substantial.
- Reputational Damage: Trust in healthcare providers can be severely damaged if IT failures lead to compromised patient care.
Evaluating and Mitigating Third-Party Software Risks
To protect against similar incidents, risk professionals need to collaborate with their IT counterparts to adopt comprehensive and proactive strategies focused on third-party software. These include:
Thorough Vendor Assessment
- Due Diligence: Prior to partnering with a new vendor, perform detailed due diligence that includes questions to uncover software development and update processes — ensure they adhere to high standards of quality and security.
- Track Record Analysis: Evaluate the vendor's history of software reliability and incident response. Vendors with a history of frequent issues should be scrutinized more closely.
Contractual Safeguards
- Service Level Agreements (SLAs): Include stringent SLAs that specify uptime guarantees, incident response times, and penalties for non-compliance.
- Liability Clauses: Ensure contracts have clear liability clauses for software failures, including coverage for operational, financial, and reputational damages.
Risk-Based Software Management
- Prioritize Critical Systems: Identify and prioritize the most critical systems that require the highest level of protection and oversight.
- Regular Audits: Conduct regular audits of third-party software to ensure compliance with security and operational standards.
Proactively Strengthening Operational Resilience
In addition to mitigating third-party risks, internal strategies, teams, and plans should be prepared to help limit the impact of disruptions on operations.
Disaster Recovery Planning
- Comprehensive Plans: Develop and maintain comprehensive disaster recovery and business continuity plans. These plans should include steps for rapidly identifying and addressing failures to minimize operational disruption.
Crucially, these plans should draw insights from any noteworthy incidents — regardless of industry. For instance, the Change Healthcare cyber attack earlier this year offered a valuable lesson about an industry’s reliance on a single solution. By analyzing a broader perspective, organizations can uncover more potential risks and proactively develop mitigation strategies by asking: “Could this happen to us?” and “How can we prevent or prepare for similar scenarios?”
- Testing and Drills: Regularly test disaster recovery plans through simulations and drills to ensure preparedness for real-world incidents.
Enhanced Monitoring and Response
- Real-Time Monitoring: Implement real-time monitoring tools and alerts to detect and respond to issues promptly.
- Incident Response Teams: Establish dedicated incident response teams and communication plans to handle disruptions efficiently.
The CrowdStrike incident serves as a stark reminder of the vulnerabilities that organizations face with third-party software. By implementing rigorous risk management practices, these risks can be better measured and evaluated, strengthening operational resilience and the continuity and reliability of critical services.
Origami Risk is committed to being a stable and secure software partner. Contact us to learn more about how our GRC and Healthcare risk management solutions can help you better manage your organization's approach to managing business continuity and third-party risk.