When, one year ago today, a buggy update to software sold by the cybersecurity firm CrowdStrike took down millions of computers around the world and sent them into a death spiral of repeated reboots, the global cost of all those crashed machines was equivalent to one of the worst cyberattacks in history. Some of the various estimates of the total damage worldwide have stretched well into the billions of dollars.
Now a new study by a team of medical cybersecurity researchers has taken the first steps toward quantifying the cost of CrowdStrike’s disaster not in dollars, but in potential harm to hospitals and their patients across the US. It reveals evidence that hundreds of those hospitals’ services were disrupted during the outage, and raises concerns about potentially grave effects to patients’ health and well-being.
Researchers from the University of California San Diego today marked the one-year anniversary of CrowdStrike’s catastrophe by releasing a paper in JAMA Network Open, a publication of the Journal of the American Medical Association Network, that attempts for the first time to create a rough estimate of the number of hospitals whose networks were affected by that IT meltdown on July 19, 2024, as well as which services on those networks appeared to have been disrupted.
By scanning internet-exposed parts of hospital networks before, during, and after the crisis, they detected that at minimum 759 hospitals in the US appear to have experienced network disruption of some kind on that day. They found that more than 200 of those hospitals seemed to have been hit specifically with outages that directly affected patients, from inaccessible health records and test scans to fetal monitoring systems that went offline. Of the 2,232 hospital networks they were able to scan, the researchers detected that fully 34 percent of them appear to have suffered from some type of disruption.
All of that indicates the CrowdStrike outage could have been a “significant public health issue,” argues Christian Dameff, a UCSD emergency medicine doctor and cybersecurity researcher, and one of the paper’s authors. “If we had had this paper’s data a year ago when this happened,” he adds, “I think we would have been much more concerned about how much impact it really had on US health care.”
CrowdStrike, in a statement to WIRED, strongly criticized the UCSD study and JAMA’s decision to publish it, calling the paper “junk science.” They note that the researchers didn’t verify that the disrupted networks ran Windows or CrowdStrike software, and point out that Microsoft’s cloud service Azure experienced a major outage on the same day, which may have been responsible for some of the hospital network disruptions. “Drawing conclusions about downtime and patient impact without verifying the findings with any of the hospitals mentioned is completely irresponsible and scientifically indefensible,” the statement reads.
“While we reject the methodology and conclusions of this report, we recognize the impact the incident had a year ago,” the statement adds. “As we’ve said from the start, we sincerely apologize to our customers and those affected and continue to focus on strengthening the resilience of our platform and the industry.”
