How to Respond to a Ransomware Attack? One Radiation Oncology Department's Response to a Cyber-Attack on Their Record and Verify System

Pract Radiat Oncol. 2022 Mar-Apr;12(2):170-174. doi: 10.1016/j.prro.2021.09.011. Epub 2021 Oct 10.


The digitization of healthcare for patient safety and efficiency introduced third party networks into closed hospital systems increasing the probability of cyberattacks and their consequences(1). In April 2021, a major vendor of a Radiation Oncology (RO) record and verify system (RVS) suffered a ransomware attack, affecting our department and many others across the United States. This article summarizes our response to the ransomware event including workflows, team member roles, responsibilities, communications and departmental recovery. The RVS created or housed accurate patient dose records for 6 locations. The immediate response to the ransomware attack was to shut down the system including the ability to treat patients. With the utilization of the hospital EMR and pre-existing interfaces with RVS, the department was able to safely continue patient radiotherapy treatments innovatively utilizing a direct Digital Imaging and Communications in Medicine (DICOM) transfer of patient data to the linear accelerators and implementing paper charting. No patients were treated in the first 24 hours of the attack. Within 48 hours of the ransomware event, 50% of patients were treated, and within 1 week, 95% of all patients were treated using direct DICOM transfer and paper charts. The RVS was completely unavailable for 2.5 weeks and full functionality was not restored for 4.5 weeks. A phased approach was adopted for re-introduction of patient treatments back into the RVS. Human capital costs included communication, outreach, workflow creation, quality assurance and extended clinical hours. Key lessons learned were to have a back-up of essential information, employ 'dry run' emergency training, having consistent parameter requirements across different vendor hardware and software, and having a plan for the recovery effort of restoring normal operations once software is operational. The provided report presents valuable information for the development of cyber-attack preparedness for RO departments.

MeSH terms

  • Communication
  • Delivery of Health Care
  • Humans
  • Particle Accelerators
  • Radiation Oncology*
  • United States
  • Workflow