By Robert C. Miller, MD, MBA, FASTRO, and Faustin Laurentiu Roman, MSc
In the weeks leading up to the U.S. national elections in November 2020, while much of our nation’s attention was focused on political issues, there was a series of cyberattacks on U.S. health care institutions. The U.S. Department of Health and Human Services (HHS) Office of the Assistant Secretary for Preparedness and Response, along with the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), issued an advisory on October 28, 2020, noting that “CISA, FBI and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers.” [1]
In a recent letter to the editor in ASTRO’s Advances in Radiation Oncology, Nelson and colleagues detail the challenges they faced when the University of Vermont Health Network was attacked on October 28 in a ransomware incident. [2] The resulting IT outage lasted more than 40 days and was estimated to have cost more than $63 million to resolve. [3] Delivery of radiation therapy was delayed for as many as 13 days for some patients due to the loss of the radiation oncology department’s information management system.
This incident was unusual in the severity of its impact but hardly a unique occurrence. It illustrates the trend away from broad-based attacks and toward persistent attempts to compromise high-value targets that have a high financial yield. The following challenges in cybersecurity and cybercrime will rise in importance throughout 2021 [4]:
- Social engineering attacks, such as email phishing and business email compromise.
- Increased attempts to exploit internet-facing vulnerabilities of organizations.
- Exploitation of system administration tools.
- Ineffective monitoring of critical IT systems.
- Human-operated ransomware risks.
The very technical and complex nature of radiation oncology [5], combined with the escalation of cyberattacks and changes of tactics from malicious actors, may influence the risk profile of service providers [6], especially when the delay in receiving treatments may prove to be fatal. [7]
Radiation oncology, reliant on connected technology, is particularly vulnerable. [8] The inherent top threats to health care [9] (e.g., communication errors, lost and stolen devices, insider threats) and more sophisticated cyber espionage threats [10] add up to a wide range of threat actors and risks that demands better collaboration (e.g., threat intelligence sharing) [11], meaningful action beyond compliance “tick-box” exercises, and appropriate funding to respond adequately and become resilient to the rising cybersecurity risks.
ASTRO’s Advances welcomes the submissions of scientific manuscripts, commentary and firsthand accounts of how providers and institutions are meeting these challenges. Our deadline for manuscript submission is October 31, 2021. To submit, send papers through the journal’s submission system and select “Cybersecurity” as the article type. Please reach out to the editorial office with any questions at firstname.lastname@example.org.
1. Cybersecurity and Infrastructure Security Agency. “Alert (AA20-302A) Ransomware Activity Targeting the Healthcare and Public Health Sector.” Accessed online February 1, 2021: https://us-cert.cisa.gov/ncas/alerts/aa20-302a
2. Nelson, C. J., Lester-Coll, N. H., Li, P. C., Gagne, H., Anker, C. J., Deeley, M. A., & Wallace, H. J. (2020). Development of Rapid Response Plan for Radiation Oncology in Response to Cyberattack. Advances in Radiation Oncology, 6(1), 100613. https://doi.org/10.1016/j.adro.2020.11.001
3. Becker’s Healthcare. “The 5 most significant cyberattacks in healthcare for 2020.” Accessed online February 1, 2021: https://www.beckershospitalreview.com/cybersecurity/the-5-most-significant-cyberattacks-in-healthcare-for-2020.html
4. Thibodeaux, B. Five cyber threats to watch in 2021. Security. January 2021. Accessed online February 1, 2021: https://www.securitymagazine.com/articles/94343-five-cyber-threats-to-watch-in-2021
5. The impact of cybersecurity in radiation oncology: Logistics and challenges (appliedradiationoncology.com)
6. CISA Launches Campaign to Reduce the Risk of Ransomware | CISA
7. Ralston, W. Wired magazine. Accessed online February 4, 2021 at: The untold story of a cyberattack, a hospital and a dying woman | WIRED UK
8. Impact of Ripple20 Vulnerabilities on Healthcare IoT, Connected Devices (healthitsecurity.com)
9. Healthcare Data Breaches & Security | Verizon Enterprise Solutions
10. Beyond Compliance: Cyber Threats and Healthcare (fireeye.com)
11. H-ISAC Information Sharing Best Practices (h-isac.org)