New cybersecurity software coming to Michigan Medicine computers, starting today

10/25/2021

HITS began implementing changes to the cybersecurity software on kiosk computers this morning at 3am to mitigate performance issues with MiChart.

  • The current cybersecurity software, SentinelOne, will be replaced with CrowdStrike Falcon on all kiosk computers October 25-27, and on CoreImage PCs starting November 1. (CoreMacs have already completed updates.)
  • This change requires a reboot and could impact users who are on kiosk computers at the time maintenance is run (typically at 3am). 
  • This update is occurring immediately to mitigate performance issues with MiChart. 

To improve Michigan Medicine’s defenses against cyber attacks and ransomware, we are migrating to enhanced endpoint protection software powered by CrowdStrike Falcon. The current endpoint protection platform, SentinelOne, will be replaced with CrowdStrike Falcon. Migrating to CrowdStrike provides a common platform across all of U-M to allow for better threat identification, mitigation, and incident response activities.

User Impacts

When SentinelOne is removed, a reboot is required to complete the uninstallation process. 

  • Kiosk computers: Migration from SentinelOne to CrowdStrike is underway for Michigan Medicine kiosk computers October 25-27, 2021. Kiosk devices are shared computers that require user login, and are typically found in clinical spaces.
  • CoreImage PCs: Migration to CrowdStrike will occur for Michigan Medicine CoreImage PCs November 1-15, 2021.

Kiosk & CoreImage PCs: What to Expect

[Image: notice users will see on their computer screen indicating that a reboot will take place to allow for the cybersecurity software upgrade]

Rebooting a Kiosk or CoreImage PC will allow CrowdStrike Falcon to be registered as the primary endpoint agent for your workstation. Below are examples of a series of messages users can expect to see. 

If the computer is in use at the time it is targeted for the SentinelOne uninstallation, logged-in users will see the following dialog first. On kiosk computers, expect an automatic reboot with no deferral option. On CoreImage PCs, users can expect the option to defer the reboot.

[Image: pop-up message reading 'virus protection' that users may see on their computer screen]

Users may see this notification from Windows. This is an expected action.

[Image: reboot prompt on screen, with a 5-minute countdown ahead of the maintenance reboot]

Users will receive a 5-minute reboot prompt at the end.

How CrowdStrike Falcon works

Once CrowdStrike Falcon is registered as the primary threat protection software, it will run in the background, and there will be no system tray icon as with SentinelOne. If a threat is detected on the device, the user is alerted via a pop-up message and the agent intervenes and blocks the process.

Examples of pop-up messages are provided below. If you see a pop-up, you do not need to take any action. The Cybersecurity Operations teams will be alerted behind the scenes and will monitor and evaluate the threat.

 

An example of when CrowdStrike intervenes and blocks a process:

An example of when CrowdStrike intervenes and quarantines a file:

If you experience any issues, please visit the Michigan Medicine Help Center at help.medicine.umich.edu and submit a ticket. The IA Cybersecurity team will work to address any issues you may have.

For more about the CrowdStrike endpoint protection software, visit the U-M Safe Computing website.
