
What we’ve learned from the CrowdStrike global outage

by Kirsty Kirsty

Jamie Hibbard, Chief Technical Officer at Nourish 

The global IT outage that caused havoc on July 19th 2024, when a faulty content update to CrowdStrike's Falcon sensor crashed Windows machines into what people called 'the blue screen of death', emphasised the importance of ensuring that organisations have robust security, reliable backups and disaster plans in place. For some, it was a big wake-up call. 
 
While most of the world ground to a halt, Nourish was unaffected by the crisis. However, this is a scenario we’re always thinking about and planning for. Anyone in the care sector should be doing so too, but unfortunately, these are things often left at the bottom of the priorities list and as a result, people get caught out.
 
When we woke up to the news of a global outage, we were relieved to see that there were no alerts from our automated monitoring. The first thing I did was check our platforms manually to ensure that the recording of care was unaffected. It was. We're hosted on AWS and don't use the affected software directly.
 
I then checked on our partners, such as our 24/7 live chat system and key integration partners, ready to offer support, but fortunately they weren't affected either. After contacting our development and support team, I messaged our internal teams before telling customers that, while the world was in chaos, our systems were operating normally.
 
We make a point of ensuring that our software system is robust, investing time and money continuously. We have many failovers in place along with auto-scaling, which means we can scale to meet the demands of our customers automatically, without manual intervention. We also carry out a lot of proactive security monitoring, and we were one of the first digital care record companies to implement and achieve ISO 27001. The current version of the standard lists 93 controls, and certification means that our policies and procedures, and the way we handle data, have been independently audited against them.
 
At the beginning of the year, we worked closely with the NHS to meet the Digital Social Care Records (DSCR) standard. We welcome the standard and the move to improve digital provision in our sector.

Every year, we commission an independent penetration test: an outside firm tries to hack into our systems. This gives insights into the security of our platforms and reassurance that the development methods we have in place are keeping our software ahead of the threat. It's a stressful time for me as Nourish's Chief Technical Officer, but we're constantly developing ways to stay ahead of the risk in a changing world. 
 
And finally, we run an annual disaster recovery test that looks at what would happen if one of our environments went completely down. We move it to a different location and measure how long recovery takes (the recovery time) and how much data is lost (the recovery point). We also examine how we'd run our internal processes in such a situation. So, for example, say the London region went down in an attack and another region was still up: we could deploy to that region and be back up and running as soon as possible.
 
I will never say we're invulnerable, because no business is or ever can be, but we make sure we stay on top of our security, and for that reason we are trusted by, and partnered with, the largest social care providers in the UK. If we are ever affected, the processes and plans we have in place should enable us to focus on recovery and to communicate clearly with customers.
 
Everybody in the care sector needs to be protected. It's an industry where people must have access to accurate and timely records to ensure safety: for example, you need a record of people's allergies, any medications they're on, any wounds being treated, and so on, and you need to know what a person's treatment plan is. For this reason, the Nourish app is designed to work offline too. It downloads all the essential data that a care professional will need to continue to do their job safely (and can do so for up to two weeks). We always tell our customers to remain logged in, and once they are back online the system synchronises.
 
One of our service level agreements (SLAs) covers how quickly users can access their data, and we also provide customers with a template list of all the things that could go wrong.
 
One story I loved hearing was of a support worker who went to France. They logged in before leaving and recorded care, including photos, offline for a week. When they travelled back to the UK and reconnected to the system, their records synchronised automatically, leaving a complete care record.
 
The biggest security risk
 
At the beginning of the outage it was rumoured to be a cyber attack, and that's worth pausing on. Many people don't realise that the biggest security risk in most organisations is email. Unless a domain publishes and enforces email authentication records (SPF, DKIM and DMARC), it is easy to send an email that appears to come from somebody else, and even with those in place the display name can still be faked. That is a massive hole in security, and having a way to confirm who you are speaking to, other than the email itself, is vital.
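To make the spoofing point concrete, here is how a receiving mail server decides whether a message really came from the domain in its From: header. This is an added example, not Nourish's code and not from the original article; every domain, DMARC record and Authentication-Results header in it is constructed for the illustration, and the organisational-domain logic is deliberately simplified (real receivers use the Public Suffix List).

```python
"""Added example: how a receiving mail server decides whether a message really
came from the domain shown in its From: header, using SPF/DKIM results and the
sender domain's published DMARC policy. Illustrative code, not Nourish's; every
domain, record and header below is constructed for the example."""
import re


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels. Real receivers use
    the Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def parse_auth_results(header: str):
    """Extract the SPF and DKIM verdicts, and the domains they were checked
    against, from an Authentication-Results header (RFC 8601). The first
    clause is the receiver's own id and is skipped."""
    spf_result, spf_domain, dkim_result, dkim_domain = "none", "", "none", ""
    for clause in header.split(";")[1:]:
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        if method == "spf":
            spf_result = result
            d = re.search(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)", clause)
            spf_domain = d.group(1) if d else ""
        else:
            dkim_result = result
            d = re.search(r"header\.d=([\w.-]+)", clause)
            dkim_domain = d.group(1) if d else ""
    return spf_result, spf_domain, dkim_result, dkim_domain


def check_message(from_domain: str, dmarc_record: str, auth_results: str):
    """Return (dmarc_verdict, action) for a message whose visible From: domain
    is `from_domain`, given that domain's DMARC record and the receiver's
    Authentication-Results header."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        # Nothing published: the receiver has no instruction and will usually
        # deliver the spoof. This is the state many domains start in.
        return ("none", "no DMARC policy published")
    spf_result, spf_domain, dkim_result, dkim_domain = parse_auth_results(auth_results)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "accept")
    actions = {"reject": "reject", "quarantine": "quarantine", "none": "accept (monitor only)"}
    return ("fail", actions.get(tags.get("p", "none"), "accept (monitor only)"))


# Constructed inputs. The spoof: an attacker relays through their own mail server
# (so SPF passes for *their* domain) while writing nourish.example in From:.
SPOOF_HEADER = "mx.receiver.example; spf=pass smtp.mailfrom=attacker-mail.example; dkim=none"
# A genuine message, signed with the domain's own DKIM key.
LEGIT_HEADER = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@mail.nourish.example; "
                "dkim=pass header.d=nourish.example")
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@nourish.example"
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@nourish.example"

if __name__ == "__main__":
    print("spoof, p=reject  ->", check_message("nourish.example", ENFORCING, SPOOF_HEADER))
    print("spoof, p=none    ->", check_message("nourish.example", MONITOR_ONLY, SPOOF_HEADER))
    print("spoof, no record ->", check_message("nourish.example", "", SPOOF_HEADER))
    print("genuine          ->", check_message("nourish.example", ENFORCING, LEGIT_HEADER))
```

The point to notice is the second and third cases: with no DMARC record, or with `p=none`, the spoofed message is delivered even though the receiver can see it failed authentication. Only an enforcing policy (`p=quarantine` or `p=reject`) turns that failure into something the recipient never sees, and even then the attacker can still register a lookalike domain, which is why an out-of-band check of who you are talking to still matters.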
 
You should also train your teams to avoid clicking on links in emails, because this is how phishing happens and how attackers harvest passwords. We've noticed an increase in attempted phishing emails in the sector over the last six months, with AI making the messages harder and harder to tell from genuine ones. Many pretend to be from organisations like the NHS, HMRC and Microsoft, and most of them look terrifyingly genuine. 
 
A successful attack gives the attacker access to your account, from which they may install malware or ransomware, sabotage systems, or steal money or intellectual property. They can then use the account to impersonate you and move further into your organisation, before demanding money to restore access to your data or to stop them publishing what they have taken. There are many anti-phishing training platforms out there, and staff should be trained on how to identify and prevent an attack.
 
Nourish also recommends a different password for every platform, kept in a password manager where possible, together with multi-factor authentication on every account that supports it, so that somebody who does capture your password still cannot log in without the second factor (for example, a code from an authenticator app or a prompt on a device you have already registered).
 
Cyber Essentials certification or the NHS Data Security and Protection Toolkit (DSPT) are good starting points to help your organisation think about security and disaster scenarios. The DSPT is also a prerequisite for care providers using GP Connect, a feature we have on Nourish. However, care providers are not only in England and Wales, so local guidance should be sought.
 
Updating, releasing and testing
 
Nourish releases at least every two weeks, whether that's behind-the-scenes bug fixes or new functionality. We're constantly building our team to keep pace with the ever-growing demand on one of the leading providers of digital care technology. 
 
The CrowdStrike outage happened because a content update to the Falcon sensor (a configuration file the sensor reads, not new sensor code) contained bad data, passed CrowdStrike's automated validation check, and was then pushed to every Windows host at once rather than through the staged rollout that sensor releases go through. At Nourish we have a testing process that comprises isolated development environments, a staging environment and a beta site, which we deploy to for individual customers before we deploy to our wider production environments, so that a bad release is caught before it reaches everyone. It's a standard development process, but for some reason CrowdStrike cut corners, and I am sure we'll eventually find out why the process wasn't followed.
 
Conclusion
 
Generally, the larger the care provider, the greater the likelihood of having an IT team in place that knows and owns data security and processes. In many cases, however, it may be a part of the business that nobody thinks or talks about until something as simple as the internet going down causes a problem. Having a plan in place detailing how you will continue to access and record care in these scenarios is a vital first step. It's important to speak to your digital provider and have a system in place for the worst-case scenario. It might never happen, but if it does, you'll be glad you took action. 
