On Thursday, a widespread outage to Microsoft systems took down computers in health systems around the globe, leading many to cancel non-urgent medical appointments and surgeries as they encouraged patients to make plans for disrupted travel and delays in care.
“A major worldwide software outage has affected many of our systems at Mass General Brigham,” the hospital system shared in a statement on Friday. “Due to the severity of this issue, all previously scheduled non-urgent surgeries, procedures, and medical visits are canceled today.” Dana-Farber Cancer Institute instructed all patients with scheduled appointments to stay home, and at Memorial Sloan Kettering Cancer Center, procedures requiring anesthesia were suspended.
An email notification to staff at Duke University Health System said the outage has impacted “computers and clinical systems” throughout the health system. The issue appears to have stemmed from a software update from the cybersecurity firm CrowdStrike, which disabled computers running Microsoft Windows.
“CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts,” the company said in a statement for customers, saying the issue did not stem from a cyberattack. Microsoft did not respond to a request for comment in time for publication.
The security meltdown is particularly ill-timed — and stunning — because it comes just weeks after Biden administration struck an agreement with Microsoft to help safeguard health systems against cyber security incidents. That agreement is aimed at helping rural hospitals avert ransomware attacks. Although Friday’s incident was caused by a glitch, and not a ransomware attack, it nonetheless points to Microsoft’s own entrenched security vulnerabilities.
Several health systems reported that the outage affected their electronic health record systems. The National Health Service reported issues with its patient record system EMIS, while U.S. hospitals said similar software systems from both Epic and Cerner experienced issues. It is unclear how long it will take for impacted health systems to recover from the outage. Other impacted health health systems include Mount Sinai Health System, University of Vermont Health, RWJBarnabas Health, and Virginia Commonwealth University Health.
Health systems have plans for outages in their computer systems, which can result from planned software updates, unanticipated bugs, and a growing number of cybersecurity attacks. At Penn Medicine, where some outpatient appointments and procedures were subject to cancellations today, the system was implementing these kinds of “downtime” procedures.
However, some of those plans revolve around downtime computers, which may also be affected if they are Windows machines. An internal email from Duke encouraged clinicians to bring their personal computers if they could access clinical systems. Offices can revert to using paper records and phone calls for some functions.
Studies show that patient outcomes during cyberattacks are worse, and though the current outage is not a hack, it still cripples many of the same systems. Hospitals with IT systems that are down during a cyberattack see increased emergency department volume (by 15%), increased ambulance arrivals (by 35%), increased wait time (from 21 to 31 minutes) and a 128% increase in patients leaving the emergency department without being seen. Patients who have heart attacks and are treated at nearby, non-attacked hospitals are less likely to survive, perhaps because of increased ambulance times due to diversions, or because of increased patient load at nearby non-attacked hospitals.
The widespread nature of this outage — stemming not from health system-specific software, but underlying infrastructure for a wide range of Windows machines — meant the impacts extended beyond continuity of care for patients. Walter Reed National Military Medical Center warned patients of the outage in a tweet, asking them to prepare for travel disruptions and allow for extra time to get to their appointments.
In the U.S., many health systems continued with their regular appointment schedules on Friday while asking patients to expect delays, including Cincinnati Children’s and the Hospital of Special Surgery in New York. Others, including Cleveland Clinic, shared that while some of the technology they use was impacted by the outage, patient care was not impacted.
Despite the extensive use of Microsoft machines and software in health care, not every health system has been impacted: Systems including Northwestern Medicine and Johns Hopkins Medicine said their systems were not affected by the outage.
This story will be updated.