ASTRO Blog

Cyberattacks on Radiation Oncology Facilities: Protecting Your Network and Patient Data

By Suzanne Evans, MD, MPH, FASTRO, Vice-chair of ASTRO Clinical Affairs and Quality Council Steering Committee

Cyberattacks are increasingly affecting health care systems throughout the world and, in recent years, several high-profile cyberattacks have taken place against radiation oncology facilities. These attacks targeted patient data and medical records, putting the privacy and safety of patients with cancer at risk. An attack can lead to data breaches, resulting in data loss or data manipulation and delays in patient care. The impact reaches the individual patient, who may experience a loss of trust and anxiety from delayed care, as well as loss of privacy or financial harm from identity theft. Organizations devote many hours to getting patients back onto treatment, which can involve large-scale replanning efforts and may incur financial losses or reputational damage. Radiation oncology is especially vulnerable because of its reliance on technology to plan and deliver treatments, as well as the computer and network requirements to transfer relevant patient information safely and efficiently.

  • In 2015, a cyberattack occurred on a large U.S.-based cancer treatment provider. The attack compromised the personal and medical data of millions of patients, including their names, Social Security numbers and medical histories.
  • In 2019, a cyberattack in Canada affected a radiation oncology department, infecting the oncology information system (OIS). This resulted in several days of no treatment followed by several more days of treatment without the verification of an OIS.
  • In October 2020, a U.S.-based academic center experienced clinical outages as a result of a cyberattack that included a loss of access to the internet, hospital servers and clinical systems. Treatments at this institution resumed in less than two weeks.
  • In April 2021, a major radiation oncology vendor suffered a ransomware attack, affecting more than 40 facilities across the United States, which resulted in the disconnection of regional cloud-based software and disabled back-up systems. This prevented access to the treatment delivery system, patient contact information and relevant treatment delivery details. In some instances, treatments at these facilities were interrupted for several weeks.
  • In May 2021, a cyberattack in Ireland severely disrupted oncology services and over 500 patients had their course of radiation therapy interrupted for up to two weeks.
  • In 2021, a ransomware cyberattack in New Zealand resulted in the shutdown of radiation therapy services for almost three weeks.
  • In February 2023 in the U.S., three clinically appropriate images of patients undergoing radiation therapy treatment and seven related documents were illegally obtained from a radiation oncology facility and posted on the dark web by cybercriminals in retaliation for not paying a ransom. This breach did not disrupt any radiation treatments but revealed sensitive patient information.

These examples demonstrate the serious risks posed by cyber criminals and highlight the importance of taking proactive measures to safeguard patient data and protect against cyber threats. They also highlight how cyberattacks can impact radiation oncology facilities irrespective of size, location or practice setting. As technology continues to play an increasingly important role in the health care industry generally and radiation therapy specifically, it is essential that radiation oncology facilities remain vigilant and take all necessary steps to prevent cyberattacks.

Steps for prevention

Preventing attacks against a radiation oncology facility involves taking proactive measures to safeguard the facility's network and patient data. The steps outlined below can be taken to help prevent cyberattacks as part of disaster preparedness:

  1. Conduct a risk assessment: Identify and assess potential security risks and vulnerabilities within your network and infrastructure. This will help to prioritize security measures and assist with the development of an effective security plan.
  2. Train staff: Routinely train all staff on best practices for cyber security, including how to recognize phishing attacks and how to create strong passwords. Ensure that staff members understand the importance of protecting patient data and the potential consequences of a cyberattack. Maintain a low threshold for reporting anything you find suspicious, and do not follow links unless you are certain you trust the sender.
  3. Implement strong access controls: Limit access to sensitive data and systems to authorized personnel only. Use multifactor authentication to verify user identities and restrict access based on job function.
  4. Keep software and systems up to date: Ensure that all software, oncology information systems and devices are updated with the latest security patches and upgrades. Outdated software can be a significant security risk.
  5. Routinely back up data: Back up all patient data and system configurations regularly. This will help to ensure that data can be restored in the event of a cyberattack or system failure.
  6. Use firewalls and anti-virus software: Install firewalls and anti-virus software to protect against malware and other cyber threats. Regularly update these programs and run scans to ensure they are functioning properly.
  7. Develop an incident response plan: Develop a plan for responding to a cyberattack if one occurs. This should include procedures for detecting, containing and recovering from an attack, including communication plans to keep patients and other relevant parties informed.
  8. Follow APEx recommendations regarding the review of interim dose information during on-treatment visits and document the exact accumulated dose in the notes. It is useful to have this information in the electronic health record, which is a separate system from the OIS, in the event of a cyberattack. If the previous steps have been followed, there should be a backup of all data; however, being able to verify the dose delivered to date from an independent record can be invaluable in such settings.

By implementing these measures, radiation oncology facilities can significantly reduce the risk of a cyberattack and protect patient data and systems from potential harm. Additionally, there are useful resources often created by those in the field with firsthand experience of these disruptions that should be evaluated when developing response plans.

Free course for ASTRO Members

The ASTRO Academy is offering a course, Cybersecurity and Radiation Oncology, free for members, where you can learn about recent attacks on the radiation oncology community and how to minimize risks at your own practice. The session was recorded at the 2022 Annual Meeting. It is free for ASTRO members, and 1.25 CME credits are available.

Additional resources published in ASTRO journals:

  1. Joyce C, Roman FL, Miller B, et al. Emerging Cybersecurity Threats in Radiation Oncology. Advances in Radiation Oncology. Published September 18, 2021.
  2. Nelson CJ, Soisson ET, Li PC, et al. Impact of and Response to Cyberattacks in Radiation Oncology. Advances in Radiation Oncology. Published June 17, 2022.
  3. Flavin A, O'Toole E, Murphy L, et al. A National Cyberattack Affecting Radiation Therapy: The Irish Experience. Advances in Radiation Oncology. Published August 6, 2022.
  4. Oliver M, Pearce A, Stillwaugh L, et al. The Impact of a Cyberattack at a Radiation Oncology Department: Immediate Response and Future Preparedness. Advances in Radiation Oncology. Published June 16, 2022.
  5. Harrison AS, Sullivan P, Kubli A, et al. How to Respond to a Ransomware Attack? One Radiation Oncology Department’s Response to a Cyberattack on their Record and Verify System. Practical Radiation Oncology. Published October 10, 2021.

Suzanne Evans, MD, MPH, FASTRO, is a Professor of Therapeutic Radiology at Yale University and vice-chair of the ASTRO Clinical Affairs and Quality Council Steering Committee.

Posted: April 26, 2023