How to Respond to a Ransomware Attack? One Radiation Oncology Department's Response to a Cyber-Attack on Their Record and Verify System

Amy S Harrison; Paul Sullivan; Alex Kubli; Kathleen M Wilson; Amy Taylor; Nicholas DeGregorio; Joseph Riggs; Maria Werner-Wasik; Adam Dicker; Yevgeniy Vinogradskiy

doi:10.1016/j.prro.2021.09.011

How to Respond to a Ransomware Attack? One Radiation Oncology Department's Response to a Cyber-Attack on Their Record and Verify System

Pract Radiat Oncol. 2022 Mar-Apr;12(2):170-174. doi: 10.1016/j.prro.2021.09.011. Epub 2021 Oct 10.

Affiliations

¹ Department of Radiation Oncology, Sidney Kimmel Cancer Center at Thomas Jefferson University Hospital, Philadelphia, Pennsylvania. Electronic address: amy.harrison@jefferson.edu.
² Department of Radiation Oncology, Sidney Kimmel Cancer Center at Thomas Jefferson University Hospital, Philadelphia, Pennsylvania.

PMID: 34644601
DOI: 10.1016/j.prro.2021.09.011

Abstract

The digitization of healthcare for patient safety and efficiency introduced third party networks into closed hospital systems increasing the probability of cyberattacks and their consequences(1). In April 2021, a major vendor of a Radiation Oncology (RO) record and verify system (RVS) suffered a ransomware attack, affecting our department and many others across the United States. This article summarizes our response to the ransomware event including workflows, team member roles, responsibilities, communications and departmental recovery. The RVS created or housed accurate patient dose records for 6 locations. The immediate response to the ransomware attack was to shut down the system including the ability to treat patients. With the utilization of the hospital EMR and pre-existing interfaces with RVS, the department was able to safely continue patient radiotherapy treatments innovatively utilizing a direct Digital Imaging and Communications in Medicine (DICOM) transfer of patient data to the linear accelerators and implementing paper charting. No patients were treated in the first 24 hours of the attack. Within 48 hours of the ransomware event, 50% of patients were treated, and within 1 week, 95% of all patients were treated using direct DICOM transfer and paper charts. The RVS was completely unavailable for 2.5 weeks and full functionality was not restored for 4.5 weeks. A phased approach was adopted for re-introduction of patient treatments back into the RVS. Human capital costs included communication, outreach, workflow creation, quality assurance and extended clinical hours. Key lessons learned were to have a back-up of essential information, employ 'dry run' emergency training, having consistent parameter requirements across different vendor hardware and software, and having a plan for the recovery effort of restoring normal operations once software is operational. The provided report presents valuable information for the development of cyber-attack preparedness for RO departments.

MeSH terms

Communication
Delivery of Health Care
Humans
Particle Accelerators
Radiation Oncology*
United States
Workflow