[Transcript] Episode 427: The CrowdStrike Drama and What We Can Learn from It

 

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and Electronic Health Record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Welcome to Episode 427, The CrowdStrike Drama and What We Can Learn From It.

 

Liath Dalton 

Yes, so unless you have been living under the proverbial rock, or perhaps just distancing yourself from news, given how intense the news has been on multiple fronts recently, you are probably aware of this major failure that has occurred as a result of the CrowdStrike drama. So, Evan, what kind of happened, what is CrowdStrike? And why did it bring so many sectors to their knees?

 

Evan Dumas 

Yeah. So, was this last Sunday that it happened? Yeah. No, not this last Sunday, the week before. So,

 

Liath Dalton 

Nope. It was Friday.

 

Evan Dumas 

It was Friday? Oh, my gosh, there’s been a long news week. So Friday morning.

 

Liath Dalton 

It just feels like weeks.

 

Evan Dumas 

Yeah, I know. It was Friday morning, London time, is when the update went out. So this wasn’t an attack. Most people think, oh, when there are big failures, there must be some threat actor or evil hacker. No, not at all.

 

Evan Dumas 

This was a company called CrowdStrike. And they have various software that they give to large organizations, small organizations all over the place that manages security and safety. And so they pushed out an update. And it caused devices to try to reboot and then fail to reboot. And so it was stuck in what’s known as the blue screen of death, because it has a little unhappy face and it says, “cannot boot, please try rebooting.” And it’s basically a bad sign that something really bad is broken. And it caused this to happen for, it’s under 1% of all Windows computers, but it was still 8.5 million computers, mostly used by large organizations like banks, hospitals, airports. A lot of things went down, a lot of non-emergency surgeries got canceled. A lot of people were upset with banks, a lot of travelers were not able to fly home. And it affected tons and tons and tons of people just because of a bad update that was pushed out by this company.

 

Liath Dalton 

Exactly. And so the fortunate thing is that because CrowdStrike is a piece of security software that requires kind of managed IT services to be administering it, the types of organizations and health care practices and providers that were impacted by this are not those folks who are our typical clients and listeners at PCT.

 

Liath Dalton 

However, it does just highlight some really important things that we should be aware of and planning around intentionally, so that we can be proactive rather than reactive and have operations, and the ability to communicate with clients or each other, be completely interrupted when there is some sort of technological failure or third party service outage that means that a core piece of either functionality or data, and typically client information, is inaccessible and impedes the ability to manage things effectively.

 

Liath Dalton 

So we thought it was a good time to talk through what some of those core preparedness pieces are, and how you should start thinking about them and kind of getting your ducks in a row with regards to that in your practice, if it’s not something that has been top of mind for a while, or even has not yet been top of mind in the lifecycle of your practice.

 

Liath Dalton 

So what is a number one takeaway from it, in terms of, you know, when things go awry, and a crucial piece of functionality for your practice becomes inaccessible?

 

Evan Dumas 

Yeah. So it is really knowing what information you need for critical operations. Critical operations are just what it says on the tin: things you need to have to do your work on a day to day basis, not like, oh, can I have access to those musty old files in case someone does an ROI from six years ago? No, that’s not critical.

 

Evan Dumas 

More like: do you know what clients you’re seeing today? Do you know how to reach them if your telehealth platform goes down? And I’m kind of telegraphing here what we’re going to recommend, but know your critical info. Know the things you absolutely need and how you would access them if the ways you normally access them break, don’t work, you can’t get access to them.

 

Liath Dalton 

Yes.

 

Liath Dalton 

And so where this has come up in reality, for a number of practices actually, has been when their EHR has gone offline.

 

Evan Dumas 

Yep.

 

Liath Dalton 

And so they can’t access, not just client records and the ability to write new progress notes for sessions, but like Evan said, client schedules and the contact information for clients, so you can communicate, hey, we’re, if there are other things paired with such an outage, like inclement weather or some other sort of disaster, that means that you couldn’t see them in person, and you’re switching to telehealth, if you want to communicate that, or sometimes you might be saying we are going to reschedule.

 

Liath Dalton 

But the main thing is, you want to be able to know what your schedule is and how to communicate with clients, so that you can make the appropriate communication and implement the contingency plan that is also appropriate given the specific circumstances. And if you can’t access that info, you’re really prevented from being able to do that in any reasonable way.

 

Liath Dalton 

So the easiest way to manage these critical data backups is to first and foremost identify if there is critical information for operational continuity that is above and beyond those two sets of info that Evan and I already identified, and then create a process. So this is something that you manage through policy and procedure, through behavioral measures, and relying also on the appropriate tools to facilitate it.

 

Liath Dalton 

So the example we’ll give is that for practices that are doing the critical data backup of client schedules and client contact info, the typical way for managing that critical data backup is to export that information from your EHR into your HIPAA secured Google Workspace environment. And then that’s something that is not just a HIPAA secure environment, but something that you can access as needed. It’s not dependent on the EHR being up and running in order to be able to access it. And another way that makes the calendar syncing, or keeping the appointment calendar up to date, easier is if you have an EHR that does the calendar sync with Google Calendar, to make sure that you are going through the steps to set up that calendar sync, specifically to the practice’s Google Workspace Google Calendars, not to a personal Google Calendar.

 

Evan Dumas 

Oh, no.

 

Liath Dalton 

But to the practice’s one, just want to emphasize that piece. And that should really be something that is in place for each clinician and team member as well. And then that kind of happens automatically and seamlessly and doesn’t have to be managed manually. But the exporting of client contact info is something that needs to be managed manually. And that can be done with a pretty simple export function, and then just upload that to a folder in your Google Drive.

 

Liath Dalton 

And now in terms of the configurations for that Google Drive folder that you’re putting the entire list of the practice’s client contact info in, that is something where access should be restricted to just the primary leadership team members. The security officer, deputy security officer, maybe practice owner as well, or your operations manager. It’s because we have to be keeping in mind that HIPAA’s minimum necessary standard always applies. And access should be granted as needed and as appropriate. As needed being what is the level of access that someone needs to perform their responsibilities and duties. And that’s something that certainly is present for those core leadership team members who are going to be responsible for implementing the operational continuity and contingency plans within the practice. But that is not information that every staff member or even every clinician should be having access to. Right?

 

Liath Dalton 

But that’s not an onerous thing to put in place, you can make it part of just your ongoing security maintenance tasks. Like, when you check your access and usage logs, when the security officer is needing to do that audit log review, or the technical term is information system activity review, when they’re performing that in the EHR, they can then also do that little contact info, demographic data export, plop that into the appropriate Google Drive folder that has been configured. And that is the best way to manage that piece.

 

Liath Dalton 

Now, again, our identification of those two pieces of data does not preclude there being other potential pieces of data that you would want for operational continuity. But the sort of process that we’ve outlined for how to manage having access to that info and keeping it within your HIPAA secure environment would be something that translates to other types of data as well. So that’s a really key piece.

 

Liath Dalton 

And then, Evan, you made a really great point when we were discussing this before we started recording.

 

Liath Dalton 

Which is that when it comes to contingency plans, it is not really enough or ideal to purely have them written on paper in your policies and procedures and filed away and not something that you have done dry runs on.

 

Evan Dumas 

Yeah.

 

Evan Dumas 

Yeah, exactly. Just like, you know, when you were a kid and they did fire drills at the school, you couldn’t just get a roomful of kids and say, “if there’s a fire, do this, just try to remember that when there’s an emergency.” People won’t remember that unless they’ve done something. So have a dry run for these. It could be everybody, could be just with leadership, but kind of know where your stuff is, know what to do, and try it. And if you find it doesn’t work, then, oh, you’ve done it wrong and you have to fix some things.

 

Liath Dalton 

Right.

 

Liath Dalton 

It’s a great example of where going through the actual dry run, for, again, when we are suggesting this, we’re not saying do a dry run for every possible, you know, disastrous event or calamitous thing that could occur and trigger your contingency plan needing to be utilized. But picking a couple that are the most likely things to occur, and, you know, over time incrementally doing a dry run for each of those circumstances, is going to help you identify if there are any holes. Like, first and foremost, does it actually work? And then are there things missing, or that could be bolstered and amended, that would make it easier to implement or create more failsafes that are going to make it more robust and less likely to fail?

 

Liath Dalton 

So that’s just kind of a good approach in general, when it comes to risk management and business continuity, to test things out, so that you aren’t just leaving these things to the “in theory, this will work and this will meet our needs.” And this doesn’t have to be a big endeavor that takes a whole bunch of time and resources to do a dry run. But if you’ve already got your contingency plans in place and are doing critical data backups, great, then take the next step of finding a time in the not too distant future to do a dry run of one scenario.

 

Liath Dalton 

And if you don’t yet have a specific contingency plan, and aren’t doing critical data backups, start there. The main thing is to be engaged with the process. And I think, increasingly, as we’re evaluating what the kind of current threat landscape is, and we’re seeing more and more instances, like what happened with the CrowdStrike issue, or even Change Healthcare, going back to the kind of prior debacle that impacted so many folks.

 

Liath Dalton 

These are more frequent occurrences. And so it makes sense to really be intentional and proactive around these things. And it doesn’t have to be something that’s all consuming, or becomes paralyzing thinking of all of the what ifs. It’s really, have I done what I can to manage for these potential issues? And then you get to move on to the other aspects of practice management and optimization. But you don’t want to leave out this crucial area.

 

Evan Dumas 

No, not at all.

 

Liath Dalton 

Any other parting pieces of wisdom you would share with folks, Evan, that you often bring in risk analyses, for example?

 

Evan Dumas 

Yeah, it’s that a lot of times, the things we need to adapt to, we didn’t cause them to fail, someone else did, but it’s still up to us to make sure we can still see our clients and take care of things. And so, you know, big systems, like a group practice, are usually reliant on a bunch of other systems. But knowing that, you know, you’re reliant on them day to day, but they may still go down, and what are you going to do about it in case they do? Because it becomes so easy to just think, oh, it’s always going to be very normal. Like, no, I mean, sure, we all pivoted when COVID happened, at least most of us, hopefully. And then just make sure you’re still able to pivot when other things break.

 

Liath Dalton 

Exactly. Well, we hope that this feels kind of empowering, or like it’s planting a good seed for how to navigate this sort of thing. And we’ll pick a more lighthearted topic for our next episode. But I always feel good when I’ve identified a risk and then managed to do something about it. And that just kind of dominoes, thinking of potential risks or things going awry, right?

 

Evan Dumas 

Yeah.

 

Liath Dalton 

All right, folks, thanks for joining us, and we’ll chat to you next time.

 

Evan Dumas 

Yeah, talk to you next time everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at PersonCenteredTech.com. For more podcast episodes you can go to personcenteredtech.com/podcast or click podcast on the menu bar.

Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we’re covering the recent CrowdStrike update that impacted over 8.5 million Windows computers and what group practice owners can learn from this experience.

We discuss what happened with CrowdStrike; being proactive instead of reactive in regard to technology failures; critical operations; managing critical data backups; creating contingency plans for operational continuity; and the importance of practicing your contingency plans.

Resources are available for all Group Practice Tech listeners below:

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
