Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Expert Insights: How to prevent a CrowdStrike scenario in healthcare

  • Published: August 13, 2024
  • Category: Industry Insights

Share this post

Headshot of a man wearing glasses and braces over a light shirt
Daniel Mannion

Share this post

On 19 July 2024, people across the world woke up to find their IT equipment was completely unusable – crashing and unable to restart. An estimated 8.5 million devices were affected during the Crowdstrike outage and what followed was one of the largest outages in the history of Information Technology.

With such a big outage, many industries – including healthcare – were affected and the full impact of the outage is yet to be determined, but estimates of financial damage currently stand at around $10 billion.

crowdstrike Expert Insights: How to prevent a CrowdStrike scenario in healthcare crowdstrike

Post Incident Review 

A preliminary investigation by Crowdstrike has already identified the causes of the catastrophe and what Crowdstrike could have done to avoid it. The summary of the investigation has pointed at a validation failure in release processes; something potentially avoidable with adequate design, development and release controls. 

 

How can healthcare IT manufacturers avoid their own Crowdstrike scenario? 

As Healthcare IT becomes increasingly integrated with and central to healthcare operations, software developers and testers should work tirelessly to prevent and detect bugs in their software code, but there are several established International standards which can help to standardise software security. 

IEC 62304 –Medical Device Software – Software Life Cycle Processes

IEC 62304 is the international standard for software development and testing of medical device software that is well-recognised as the best approach by many medical device regulators (including the UK MHRA, EU European Commission and US FDA).

IEC 82304-1 – Health Software – General Requirements for Product Safety

IEC 82304-1 is the international standard for product safety of health software and it recognises the development aspects of IEC 62304 as relevant and applicable to all health software development.

Arguably by applying these standards to the development of all health software, alongside strong business continuity and disaster recovery controls, developers can avoid their very own CrowdStrike disaster. 

In this blog, we have condensed the requirements of these standards to help businesses understand what preventative action can be taken to safeguard their software and users from harm. 

Identifying Common Software Defects 

When developing software, it’s common for Engineering teams to identify common ways in which defects can occur and assess risks related to these defects in the code base. Clause 5.1.12 of IEC 62304 encourages development teams to document identified defects and the associated risks whilst documenting how preventive or protective action can prevent issues. 

This can be as simple as using an Integrated Development Environment that checks syntax for your code or having a second member of the engineering team review your work prior to release or establishing a User Acceptance Testing environment (UAT). There are also automated tools that can review and/or software code before it is released. 

 

Unit Implementation and Verification

As part of creating software “units” – the smallest pieces of software being created by the developer – Clause 5.5 requires developers to establish a process for checking the software units, setting acceptance criteria for each unit (including management of risks, fault handling, boundary conditions and memory overflows) and to confirm that the software units meet all of the identified acceptance criteria. This was reported in the Crowdstrike incident as one of a number of contributing factors to the disruption: 

“…problematic content in Channel File 291 resulted in an out-of-bounds memory read triggering an exception. This unexpected exception could not be gracefully handled, resulting in a Windows operating system crash (BSOD).”

 

Integration and System Testing

In an environment like Healthcare, Interoperability is critical to improving patient care and clinical workflows. By enabling a complete picture of the patient to be accessible to the healthcare professional, it has been evidenced to improve and enhance the quality and speed of care. Many healthcare technology businesses work in relative harmony with other software, meaning a robust approach to integration testing is critical. 

Integration Testing (Clause 5.6) involves confirming the interfaces between software units within the software product and interfaces with other software function correctly. System Testing (Clause 5.7) confirms that the finished software meets the customers requirements and the intentions of the developers. By testing software in environments that are similar to their customers, such as UAT environment that mirrors a Live production environment, developers identify bugs or issues that may not occur during development testing and can take corrective action before causing harm.

 

Software Release

Clause 5.8 requires that prior to Software Release a review of the design, development and testing work is undertaken to ensure they are sufficient, proportionate to the risk of the release and they have been completed. . By having clear lines of approval documented within a Standard Operating Procedure, developers can identify and resolve more issues prior to them reaching customers and affecting patients. 

In much the same way as Clauses 5.6 and 5.7 require customer approval and quality testing, Clause 5.8 exists to ensure a robust Software Release process is in place that can further screen issues prior to release. 

One way to mitigate significant risks during software release is to have a staggered deployment. This reduces the chance of widespread issues with only a small subset of customers being affected and the ability to roll-back the release should the issues be significant. Whilst this may take more time, in a healthcare setting, it’s a sensible approach to ensure the safety of the software. 

 

Product Risk Management

Under Clause 4.2, developers are required to implement a risk management system for their product – managing risk throughout the product life cycle. For Medical Devices, this is addressed under ISO 14971 for Medical Device Risk Management.

In addition to the international standards, at a national level in the UK, the adherence to the DCB0129 Clinical Safety standard enables the assessment of specific practices that are referenced above, many of which stem from ISO 14971. You can learn more about the crossover in a recent blog here. 

By applying the requirements of DCB0129, health software developers can be assured that a registered healthcare professional has not only risk assessed and approved the technology itself, but also reviewed existing policies and procedures mitigating the product’s risks. This includes a review of testing strategies, outstanding bugs, backup and restore policies and downtime procedures. Should a health software developer be in the early stages of the software development process, then a Clinical Safety Officer can support them to create and implement strong policies and procedures to support the use of their technology.

An independent, clinician-centric voice in the development process can be essential in identifying issues that only a clinician would see – we’ve certainly found this when supporting clients with DCB0129 and the NHS agree; compliance with DCB0129 is mandatory when selling into publicly-funded health and social care in England.

 

Would implementing IEC 62304 have prevented the CrowdStrike disaster? 

It’s difficult to say as we only have the preliminary report and little in-depth knowledge of their company’s workings. 

However, IEC 62304 is recognised as best practice for health and medical device software and following its principles, alongside other standards such as DCB 0129, will certainly reduce the probability of a software developer experiencing an issue on this scale.

 

How we can help

At 8fold, we work with digital health and medical device software companies to support them in developing software that is safe, secure and helps patients by providing the evidence and support to prove it to their customers and the regulators. This includes supporting the implementation of a Management System to meet the requirements of IEC 62304 (as well as other internationally-recognised medical device standards key to software medical devices – ISO 13485 Medical Device Quality Management, ISO 14971 Medical Device Risk Management and IEC 62366 Medical Device Usability Engineering). 

Contact us to find out more about how we can help you. 

Book your free, no-obligation discovery call with our experts.

Book your free, no-obligation discovery call with our experts. If you need support with NHS compliance, international standards or regulations, we’ve got your back. Get in touch.

Book a Call with our Expert Team

Other Articles​

Loading...
Title graphic reading 'ISO 14971 and DCB0129: Alignment over Duplication'

ISO 14971 and DCB0129: Alignment over Duplication

Read More →

May 6, 2026
HoplonAI

8foldGovernance & HoplonAI Partner to Safeguard the AI Generation of Healthcare Innovation

Read More →

April 2, 2026
Title graphic reading 'Digital Mental Health: Inclusion by Design' with a team meeting photo background

Digital Mental Health: Inclusion by Design

Read More →

December 29, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept