Editor's note: This story has been updated with a responding comment from CrowdStrike.
Last year’s sweeping CrowdStrike outage interrupted at least 759 U.S. hospitals’ digital services to some extent, with more than a fifth of observed outages involving patient-facing services, according to a recent JAMA Network Open study.
The research outlines a method to quantify mass downtime events among healthcare delivery organizations by probing the open, public-facing network ports of their internet-connected systems and their Fast Healthcare Interoperability Resources (FHIR) endpoints at regular intervals.
Such approaches are common among other sectors and, when targeted toward hospital infrastructure, “show promise in monitoring and quantifying disruptions to critical digital healthcare technology,” the researchers wrote.
“To our knowledge, no federal, regional, state, commercial or trade association health care stakeholder or entity possesses the capability to assess in near–real time digital signals corresponding to the availability of national health care infrastructure technology,” they added.
In this case, the researchers conducted their scans on healthcare delivery organizations running Epic EHR systems with at least one publicly available FHIR internet endpoint. Among these, the researchers tallied when a hospital’s IP address or FHIR endpoint would not respond to outside communication on July 19, 2024—when cybersecurity vendor CrowdStrike pushed out a faulty software update triggering worldwide IT outages. Numerous health systems, at the time, confirmed IT system interruptions that in some cases took days to fully unwind.
Among 2,232 scanned hospitals, researchers were able to detect disruptions among 34%—460 via IP address space scans, 206 via FHIR endpoint scans and 93 through both approaches.
Among these were 1,098 individual digital services with measurable disruptions. Many services recovered within six hours, though 43 individual services had outages exceeding 48 hours.
There were 239 deemed to be patient-facing, 169 relevant to hospital operations and 58 relevant to research, with the remainder either unable to be classified or not relevant to the hospital’s ongoing services (e.g., preproduction environments or medical education websites).
The patient-facing services included imaging platforms, staff portals for viewing patient data and patient portals for scheduling appointments. Operational systems spanned email applications, staff scheduling, security cameras, remote access tools and cybersecurity controls—the loss of which “may indirectly affect patient care by exacerbating staffing shortages, degrading communication, preventing remote work, or increasing physical or cybersecurity vulnerabilities,” researchers noted.
The researchers noted their approach “does not represent the definitive approach” to measuring digital healthcare infrastructure downtime, as unresponsive addresses and endpoints may “strongly suggest” downtime but could also have other explanations. Additionally, cloud-hosted or firewalled digital services are more difficult to measure via the researchers’ approach, “therefore, [healthcare delivery organizations] with less technically sophisticated networks and technology stacks may be overrepresented in these data.”
Still, the approach is, to the researchers’ knowledge, the first measure of the CrowdStrike outage’s large-scale healthcare impact and lays methodological groundwork for proactive monitoring of system disruption events, which researchers said could potentially be improved with the use of large language models or other AI tools.
“Prospective internet availability scanning of critical digital health care may serve as an early warning signal for adverse events, such as ransomware attack, data center failure or faulty software, and could serve an important public health function as healthcare continues expanding its dependence on digital technology,” they concluded.
CrowdStrike, in a statement, described the analysis as "junk science," and said the researchers reached conclusions without verifying with the hospitals whether their systems were running Windows or had CrowdStrike installed, or whether the observed failed responses were truly the result of downtime.
"While we reject the methodology and conclusions of this report, we recognize the impact the incident had a year ago," the company said in its statement. "As we’ve said from the start, we sincerely apologize to our customers and those affected and continue to focus on strengthening the resilience of our platform and the industry."