When a Cyberattack Halts Radiation Therapy: Not 'If' but 'When'

Liam Davenport

November 10, 2022

SAN ANTONIO — Debilitating cyberattacks on radiation oncology departments are on the increase, and they can halt services for days or even weeks. US physicians who have lived through a shutdown say staff and clinicians must work on developing cyber resilience so that patients can continue to be treated.

"Cyberattacks are not new," commented C. Jillian Tsai, MD, PhD, Princess Margaret Cancer Centre, University Health Network, University of Toronto, Ontario, Canada, but there have been "more and more attacks in the last 3, 4 years."

She was speaking as chair of a special session on cyberattacks at the recent American Society for Radiation Oncology (ASTRO) 2022 Annual Meeting.

Cyberattacks may affect single hospitals, institutions, entire healthcare systems, or computer companies, she explained, and the attacks have been increasing in frequency and magnitude.

One recent attack at a major medical center in New Zealand disrupted cancer patient care and the center's radiation oncology clinics for 3 weeks, and other specialties for even longer. This event, in May 2021, caused more than 350 radiation treatment sessions to be canceled, delayed, or relocated, forcing physicians to coordinate with other facilities and other providers to continue patient treatments. One commentator suggested that this one catastrophic event had a greater impact on patient services than the COVID-19 pandemic.

Outage at Yale

Also in spring 2021, a cyberattack hit the Yale New Haven Health healthcare system, which includes numerous facilities in more than six primary locations.

One of those was the radiation oncology department, recalls James B. Yu, MD, MHS, who lived through the crisis. He has since moved to Columbia University Irving Medical Center, New York City.

At the meeting, Yu told the audience how the cyberattack effectively paralyzed the radiation oncology department.

The outage hit the record and verify software system, in which radiation therapy information is connected with imaging, treatment planning, and treatment delivery systems to manage a patient's radiation therapy.

This led to the disruption of radiation treatments at their institution, because the record and verify system was based in the cloud, not on the hospital premises.

The system contained past and present treatment plans and records of treatments already delivered, as well as patient set-up instructions, quality assurance checklists, patient consent forms, imaging verification records, and billing orders.

Critically, the cloud also operated the medical linear accelerator, although not the CT simulator, the high-dose-rate brachytherapy system, or the gamma knife, Yu commented.

About 14 days before the attack, the vendor noticed a malicious attack on the network, which caused the cloud to go down for a couple of hours. The next day, the system was "working really slowly" with "severe latency," Yu said.

When the definitive attack on the cloud system occurred, "we had no idea how long it was going to be down," Yu said. The initial thought was that it would be down for the rest of the day, and "we may have to do weekend treatment."

But as the outage stretched into a second day, "we began to realize the cloud may be down for a really long time."

Yu said that, behind the scenes, the physics team began to develop a "file mode" treatment plan, which involved taking a manually created treatment plan on a flash drive to the linear accelerator.

Patients also started being transferred to satellite institutions that had compatible machines. That required communication between physicians and the participation of multiple stakeholders to provide emergency credentials, insurance cover, and IT support.

On day 3 of the outage, "we began to expand the file mode treatment across the system and started treating patients in earnest [in this manner]," Yu said.

This approach is "extremely, extremely labor intensive" and requires the presence of three radiation therapists and a physicist, as well as printed charts and treatment plans, all of which had to be signed and verified by the physicist.

"When you have hundreds of patients on treatment, the amount of effort it takes to transfer a patient from the electronic medical records [EMR] to a paper system is extraordinary," he commented.

In the first few days after the attack began, the vendor kept saying, "We're close, we're going to be up," but then "they became more and more silent."

About a week after the attack, "we pulled the trigger and said we're going to have to build an on-premises system," Yu continued. "We didn't know whether that was the right call or not, but at least then we knew how long it was going to take.... One of the worst parts of all this was the uncertainty."

The IT team at Yale managed to create their own system in 1 week, a task that "usually takes months to do," although the round-the-clock recommissioning of radiation therapy machines that was required for this achievement led to burnout in some physicists, Yu noted.

One of the take-home lessons from this experience was, "Take care of your staff, or they will burn out and leave after your crisis," he said.

While the new system was being developed, treatment and administrative staff were juggling treating patients with the labor-intensive file mode system, scheduling patients "on the fly," and dealing with the increased workload from delayed or postponed treatments.

As the new system came online, new patients were initially entered into the on-premises system. Patients who were being treated in file mode were transferred onto it over the subsequent weeks, and all paper charts and records were entered manually.

Patients Receiving Contradictory Messages

Yu said that one of the challenges was that patients were receiving multiple and often contradictory or misinformed messages about the crisis and that different parts of the patient care system were not communicating in real time.

Also, the inclusion of multiple institutions and locations created a number of problems, especially because not all sites were involved in the daily crisis management calls.

One lesson learned for the future is that staff responses to patients and the public should be scripted so that everyone on the team is relaying the same message.

It is also important to involve all stakeholders and to have a "predictable and regular cadence of phone calls," Yu suggested.

Above all, he said that, when an attack occurs, it is important to designate a small crisis team within the physician team "to make decisions quickly and efficiently."

After the crisis is over, "make sure, once you're done, to support your staff and acknowledge the sacrifices they've put in," Yu added.

Not a Question of If, but When

Another clinician who lived through a similar cyberattack experience, Nataniel H. Lester-Coll, MD, warned the audience of radiation oncologists that it's not a question of "if" but "when this will happen."

Lester-Coll, who is assistant professor of radiation oncology at the University of Vermont Larner College of Medicine, Burlington, Vermont, recalled how the cyberattack unfolded at his institution 2 years ago.

Ironically, the day that it happened, the Federal Bureau of Investigation, the US Cybersecurity and Infrastructure Security Agency, and the US Department of Health and Human Services issued a joint warning of imminent cyberattacks on US hospitals around the country.

The University of Vermont Health Network experienced "multiple outages," he said, and access to the internet, hospital servers, and remaining clinical systems was "immediately halted" by the IT infrastructure team in order to minimize the propagation of malware.

This rendered many hospital systems inaccessible ― including hospital EMR systems and laboratory, pharmacy, pathology, radiology, phone, and email systems ― "all of which we depend on so heavily," he said.

It meant that radiation treatments and schedules were unavailable, and so "all radiation treatments were canceled."

However, there was "no contact information to inform patients," so patients continued to arrive in the department ready for their treatment.

At that point, "everything went back to paper," Lester-Coll recalls. Patients were asked to bring in printouts of their treatment schedules, and the clinicians had to reconcile the available information "as best we could." The team spent days compiling the physical chart for each patient "using previously printed demographics and schedules," and they started making daily phone calls "to keep everybody updated on the situation."

Fortunately, the radiation treatment planning system at their institution resides on a UNIX server and was unaffected by the system outage, so the digital imaging and communications in medicine (DICOM) data could be exported to local drives.

In addition, the CT simulator remained functional, and so DICOM images could be transferred directly to the treatment planning system.

The medical physics teams decided that they needed to build an "entirely new information system" on a stand-alone server. They achieved this in less than 2 weeks, although staff had to work "long hours" to repopulate the patient data and treatment plans and complete quality and safety checks, Lester-Coll said.

During this time, patients were individually triaged. Patients were divided according to the urgency of their treatment into groups who required curative treatment with primary radiation therapy or concurrent chemoradiation therapy; those approaching the end of their treatment; and those with low-risk tumors that were expected to have slow rates of cell repopulation.

Because only the main hospital in Burlington was affected, some patients were sent to a treatment site 40 miles away, together with dosimetrists armed with saved DICOM images and structure sets from operational treatment plans.

Immobilization equipment was physically transported to this site. Physicians and therapists were also transferred to ensure the continuity of care and to provide "knowledge of patient-specific variables," Lester-Coll said.

Back at the main hospital, the linear accelerator was operated in service mode, which consists of "creating manual beams by entering each beam parameter," he explained.

This "allowed us to create some very simple rectangular fields and electron treatments that we could deliver that could be easily verified."

Lester-Coll concluded that as a result of his experience, he would now recommend the development of "purposeful redundancies" in the management system, such as frequent offline system backups to quickly restore function, and the development of system "silos" that would be exempt from network outages.

In addition, a "strong working relationship" should be established with the IT department, as any response to an attack required their input and support, and "disaster readiness exercises" should be performed annually to test the "strengths and weaknesses" of any contingency planning.

No Patients Treated for 24 Hours

Another participant who lived through a cyberattack was Adam P. Dicker, MD, PhD, Sidney Kimmel Medical College of Thomas Jefferson University, Philadelphia, Pennsylvania, who described a ransomware attack on their institution's record and verify system in 2021.

Their response to the incident, which was published later that year, was to immediately shut down the system. Because of this, no patients were treated within the first 24 hours.

They were able to manually transfer DICOM patient data to the linear accelerators, and they implemented paper charting, because the hospital EMR could be exported.

This allowed 50% of patients to be treated within 48 hours and 95% within a week, Dicker commented.

The record and verify system was completely unavailable for 2.5 weeks, and full functionality was not restored for 4.5 weeks. This led to a buildup of patient data on paper records that had to be entered into the record and verify system.

In their report on the crisis, Dicker and colleagues write, "Key lessons learned were to have a back-up of essential information, employ 'dry run' emergency training, having consistent parameter requirements across different vendor hardware and software, and having a plan for the recovery effort of restoring normal operations once software is operational."

Recovery Plans and Dry Runs

In his talk, Dicker emphasized that "it's not cyber prevention, it's really about cyber resilience, because these breaches will occur. And the question is, How are you set up to deal with them?"

He explained that cyber resilience is about anticipating, withstanding, recovering from, and adapting to adverse conditions, stresses, attacks, or any other system compromise. The plan "should be to minimize risk or loss in the inevitable event an attack is successful."

Moreover, cyber resilience involves considering how to "maximize the viability of essential functions during or following an attack," Dicker said, and "how we can quickly restore as much mission or business functionality after an attack."

All of the speakers advocated developing a recovery plan and going through dry runs, during which the whole department simulates treating patients without certain software or fail-safe systems being available.

It needs to be talked through and worked through in theory, so that there is a plan in place, they emphasized.

"I think it needs discussing," Dicker added. "We can't stick our heads in the sand."

Tsai has relationships with Nanobiotix and Varian Medical. Dicker has relationships with CVS, the European Commission, Janssen, Oncohost, Oranomed, and NRG Oncology. Yu has relationships with Augmenix/Boston Scientific, Galera Pharmaceuticals, Pfizer, and RefleXion. Zawalich and Lester-Coll report no relevant relationships.

American Society for Radiation Oncology (ASTRO) 2022 Annual Meeting: Session Cybersecurity and Radiation Oncology Panel. Presented October 25, 2022.
