After a widespread technology outage beginning Friday that forced Mass General Brigham to cancel all “non-urgent” medical appointments, the hospital system is set to resume normal clinical volume on Monday morning.
The outage, which began Friday morning, forced the hospital system, which has 15 locations in New England, to cancel all of its “non-urgent” medical appointments that day. On Monday, all scheduled appointments and procedures will go ahead as planned, the hospital system said in a statement Sunday.
“Through extraordinary innovation, dedication and effort, we have maintained operations throughout our emergency departments and many of our clinics while ensuring the care of the many patients at our hospitals,” the statement reads. “We are grateful for the trust and understanding of our patients and extend our deepest gratitude to all our staff who have come together and have worked so hard to ensure the health and safety of our patients during this unprecedented challenge.”
Mass General Brigham operates 15 hospitals in New England: Mass Eye and Ear, Massachusetts General Hospital, Mass General for Children, Mass General Cancer Center, Brigham and Women’s Hospital, Spaulding Rehabilitation Hospital (Boston), Brigham and Women’s Faulkner Hospital, McLean Hospital, Newton-Wellesley Hospital, Salem Hospital, Spaulding Rehabilitation Hospital (Cape Cod), Wentworth-Douglass Hospital in New Hampshire, Martha’s Vineyard Hospital, Cooley Dickinson Hospital and Nantucket Cottage Hospital.
At the heart of the massive disruption is CrowdStrike, a cybersecurity firm that provides software to scores of companies worldwide. The company says the problem occurred when it deployed a faulty update to computers running Microsoft Windows, noting that the issue behind the outage was not a security incident or cyberattack.
Microsoft says 8.5 million devices running its Windows operating system were affected by the faulty update.
A Saturday blog post from Microsoft was the first estimate of the scope of the disruptions caused by cybersecurity firm CrowdStrike’s software update.
“We currently estimate that CrowdStrike’s update affected 8.5 million Windows devices, or less than one percent of all Windows machines,” said the blog post from Microsoft cybersecurity executive David Weston.
“While the percentage was small, the broad economic and societal impacts reflect the use of CrowdStrike by enterprises that run many critical services.”
Weston said such a significant disturbance is rare but “demonstrates the interconnected nature of our broad ecosystem.” Windows is the dominant operating system for personal computers around the world.
While not everyone is a client of CrowdStrike and its platform known as Falcon, it is one of the leading cybersecurity providers, particularly in transportation, healthcare, banking and other sectors that have a lot at stake in keeping their computer systems working.
“They’re usually risk-averse organizations that don’t want something that’s crazy innovative, but that can work and also cover their butts when something goes wrong. That’s what CrowdStrike is,” Falco said. “And they’re looking around at their colleagues in other sectors and saying, ‘Oh, you know, this company also uses that, so I’m gonna need them, too.’”
Worrying about the fragility of a globally connected technology ecosystem is nothing new. It’s what drove fears in the 1990s of a technical glitch that could cause chaos at the turn of the millennium.
“This is basically what we were all worried about with Y2K, except it’s actually happened this time,” wrote Australian cybersecurity consultant Troy Hunt on the social platform X.
Across the world Friday, affected computers were showing the “blue screen of death” — a sign that something went wrong with Microsoft’s Windows operating system.
But what’s different now is “that these companies are even more entrenched,” Falco said. “We like to think that we have a lot of players available. But at the end of the day, the biggest companies use all the same stuff.”
Founded in 2011 and publicly traded since 2019, CrowdStrike describes itself in its annual report to financial regulators as having “reinvented cybersecurity for the cloud era and transformed the way cybersecurity is delivered and experienced by customers.” It emphasizes its use of artificial intelligence in helping to keep pace with adversaries. It reported having 29,000 subscribing customers at the start of the year.
The Austin, Texas-based firm is one of the more visible cybersecurity companies in the world and spends heavily on marketing, including Super Bowl ads. At cybersecurity conferences, it’s known for large booths displaying massive action-figure statues representing different state-sponsored hacking groups that CrowdStrike technology promises to defend against.
CrowdStrike CEO George Kurtz is among the most highly compensated in the world, recording more than $230 million in total compensation in the last three years. Kurtz is also a driver for a CrowdStrike-sponsored car racing team.
After his initial statement about the problem was criticized for lack of contrition, Kurtz apologized in a later social media post Friday and on NBC’s “Today Show.”
“We understand the gravity of the situation and are deeply sorry for the inconvenience and disruption,” he said on X.
Richard Stiennon, a cybersecurity industry analyst, said this was a historic mistake by CrowdStrike.
“This is easily the worst faux pas, technical faux pas or glitch of any security software provider ever,” said Stiennon, who has tracked the cybersecurity industry for 24 years.
