Being prepared for cybersecurity events and outages is critical to maintaining business continuity, says Mike Mainiero, SVP and chief digital and information officer of Long Island-based Catholic Health. Mainiero has been in the digital health industry for 25 years. With Catholic Health, he heads up digital technology across six hospitals, hundreds of practice locations, and nursing homes. Healthcare Innovation recently spoke with Mainiero about how Catholic Health managed the global CrowdStrike Outage on July 19.
Mainiero received a call from the outage team in the early hours of July 19. The outage team had already been on a call since midnight. Communication with different presidents and facility owners of all the hospitals was immediately started.
“We realized early that it was not only affecting the workstations, that people needed to access the electronic health record system, but all the servers running on Microsoft,” Mainiero recalls. Systems powering blood banks, EKG readings, etc., were all affected by the outage. It was decided that the team needed to be split up to handle the different issues.
“We have a communication table, and we do this because we have an incident response plan for cyber security that has a procedure that you follow for cyber events,” Mainiero explains. With all the different systems, there’s always a change variable to deal with. They are prioritized from levels one to three. Mainiero gets involved in level two and one issues. A significant impact event is rated priority one, he says.
Mainiero notes that the outage's timing was advantageous because it occurred in the middle of the night. There is a low census, and usually, there are no elective surgeries. What is needed then, he explains, is a game plan for the early morning.
“As a CIO, one of the most important things you can do is ensure that you're partnering with the right technology vendors, that you understand their engineering culture, and that you have a great relationship with them,” Mainiero underscores. CrowdStrike, he adds, has an incredible team. “It was an unfortunate mistake.” CrowdStrike knew the fix; it wasn’t a cyberattack. However, the fix couldn’t be deployed en mass.
Mainiero explained how the team worked closely with hospital operations and leadership to strategize the deployment of the fix. After setting up a command center, an Excel formula was run to obtain a list of 3800 machines and areas to triage. The goal was to divide inpatient and outpatient facilities. “We wanted to look where the outpatient procedures were.” For example, a colonoscopy, we didn’t want those rescheduled, Mainiero says.
“The good news is that we did not cancel anything, and there were no real issues,” Mainiero says. By five pm that afternoon, all critical issues had been mitigated. Hundreds of third-party software vendors were being checked in with as well.
Mainiero attributes the success of addressing the issues that arose from the outage to the organization’s preparedness. “We do drills and tabletop exercises regularly.”
“We immediately had our retrospective because it was fresh in our minds,” Mainiero answers when asked about lessons learned. Mandating cell phone numbers and having boilerplate communications are essential, he highlights. “You need to be able to broadcast.” He mentions how nurses may not have constant access to email.
“I think the biggest lesson learned is acknowledging that the sophistication and reliance on technology are only getting exponentially greater,” Mainiero underscores. “This means that you have to match your peoples’ process and technology for resiliency.”
This wasn’t the worst outage Mainiero had experienced. However, Mainiero notes that its global impact woke the world up a bit. “You can’t exist in healthcare if you’re not equipped.” Mainiero also says it's important to look at your relationship with all your vendors. He mentions contract language as an example.
CrowdStrike, Mainiero says, has a quick response time. “Having that pipeline, that hotline is really important.”
