|
1
|
Readiness for Radiation Treatment Continuity: Survey on Contingency Plans Against Cyberattacks. Adv Radiat Oncol 2022; 7:100990. [PMID: 36148373 PMCID: PMC9486412 DOI: 10.1016/j.adro.2022.100990] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Reference Citation Analysis] [Abstract] [Track Full Text] [Download PDF] [Journal Information] [Subscribe] [Scholar Register] [Received: 01/18/2022] [Accepted: 04/30/2022] [Indexed: 11/24/2022] Open
Abstract
Purpose Cyberattacks on health care systems have been on the rise over the past 5 years. Formulation and implementation of a robust postattack business continuity plan and/or contingency plan (CP) is essential for minimal disruption to patient care. The level of awareness and planning within the radiation oncology community for cyberattacks is not clear. This study was undertaken to survey and assess cyberattack CP awareness and preparedness. Methods and Materials A survey instrument comprising 5 questions on awareness and preparedness of cyberattack CPs was e-mailed to 150 radiation oncology departments. Recipients included 105 institutions with residency programs in therapeutic medical physics, as listed by the Commission on Accreditation of Medical Physics Education Program (usually either school-based or large institutional settings), and 45 additional smaller settings within the United States, representing community practices. Results Forty-three responses were deemed evaluable for analysis. Forty-two percent (18 respondents) of respondents responded that they are well-aware of the concept of a cyberattack CP. A large discrepancy in awareness exists between larger hospitals (LH) that have 5 or more treatment machines and smaller hospitals (SH) that have 4 or fewer, 54% versus 24 % (P < .05). Fifty-eight percent of respondents considered it “essential” to have such a plan in place, and 28% considered it “desirable” to do so but not practical. Nine percent regarded a cyberattack CP as unnecessary. No significant differences in responses were noted among different types or sizes of institutions on this issue. Sixty-two percent of LH responded that they were either preparing or evaluating a CP, compared with only 29% of SH (P = .03). However, no respondents explicitly replied that they already had a CP in place in their practices. Conclusions The importance of cyberattack preparedness and implementation does not seem to be well-recognized in radiation oncology. Both the awareness and the preparedness of SH are substantially less than those of LH. Specific and ongoing education efforts in parallel with development of appropriate programs are needed to counter the increasingly pervasive and complex threat of cyberattacks.
Collapse
|
|
2
|
Goodwin A, Wilburn C, Wojewoda C, Mesec J, Cacciatore LS, Grove SA, Hajder A, Stowman AM. Anatomy of a Cyberattack: Part 2: Managing a Clinical Pathology Laboratory During 25 Days of Downtime. Am J Clin Pathol 2022; 157:653-663. [PMID: 35188951 DOI: 10.1093/ajcp/aqab213] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 06/11/2021] [Accepted: 12/06/2021] [Indexed: 11/14/2022] Open
Abstract
OBJECTIVES Our academic health care institution was the victim of a cyberattack that led to a complete shutdown of major patient care, operational, and communication systems, including our electronic health record (EHR), laboratory information system, pharmacy, scheduling, billing and coding, imaging software, internet, hospital shared computer drives, payroll, and digital communications. The EHR remained down for 25 days, significantly affecting our clinical pathology (CP) laboratory operations. METHODS During the downtime, our CP laboratory incorporated manual interventions for patient specimen testing, recruited additional staff for reporting results, and employed multiple communication modalities to support patient care. The crisis required a swift response, employing innovative approaches to mitigate patient harm; regular, multidisciplinary engagement; and consistent, broad-reaching communications. CP leadership worked with hospital administration, staff, and our referral clients to provide the timely laboratory results needed for acute patient care. RESULTS During this downtime, the laboratory lacked accurate information about the number of patient samples diverted to other laboratories, the number of specimens processed, and the number of test results reported. CONCLUSIONS This paper focuses on the approaches the CP division took to develop and maintain downtime operations. Laboratories should consider these strategies in preparation for a prolonged downtime.
Collapse
Affiliation(s)
- Andrew Goodwin
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Clayton Wilburn
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Christina Wojewoda
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Jessica Mesec
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Lori S Cacciatore
- University of Vermont Medical Center Jeffords Institute for Quality, Burlington, VT, USA
| | - Staci-Anne Grove
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Armina Hajder
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Anne M Stowman
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| |
Collapse
|
|
3
|
Hajjaj OI, Modi D, Owens W, Duybestyn A, Thompson T, Callum JL. The burden of cyberattacks on blood management and conservation efforts. Transfusion 2022; 62:1149-1151. [PMID: 35526230 DOI: 10.1111/trf.16860] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Key Words] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 01/04/2022] [Revised: 02/14/2022] [Accepted: 03/12/2022] [Indexed: 11/27/2022]
Affiliation(s)
- Omar I Hajjaj
- Department of Laboratory Medicine and Molecular Diagnostics, Sunnybrook Health Sciences Centre, Toronto, Ontario, Canada
| | - Dimpy Modi
- Department of Laboratory Medicine and Molecular Diagnostics, Sunnybrook Health Sciences Centre, Toronto, Ontario, Canada
- Department of Medicine, McMaster University, Hamilton, Ontario, Canada
| | - Wendy Owens
- Ontario Regional Blood Coordinating Network Office, Toronto, Ontario, Canada
| | - Andrew Duybestyn
- Ontario Regional Blood Coordinating Network Office, Toronto, Ontario, Canada
| | - Troy Thompson
- Ontario Regional Blood Coordinating Network Office, Toronto, Ontario, Canada
| | - Jeannie L Callum
- Department of Laboratory Medicine and Molecular Diagnostics, Sunnybrook Health Sciences Centre, Toronto, Ontario, Canada
- Department of Laboratory Medicine and Pathobiology, University of Toronto, Toronto, Ontario, Canada
- Department of Pathology and Molecular Medicine, Kingston Health Sciences Centre and Queen's University, Kingston, Ontario, Canada
| |
Collapse
|
|
4
|
Frisch NK, Gibson PC, Stowman AM, Goodwin A, Schwartz M, Cortright V, Hong T, Kalof A. Anatomy of a Cyberattack: Part 4: Quality Assurance and Error Reduction, Billing and Compliance, Transition to Uptime. Am J Clin Pathol 2022; 158:18-26. [PMID: 35188946 DOI: 10.1093/ajcp/aqac004] [Citation(s) in RCA: 1] [Impact Index Per Article: 0.5] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 06/16/2021] [Accepted: 01/13/2022] [Indexed: 11/14/2022] Open
Abstract
OBJECTIVES Our institution was the victim of a cyberattack that necessitated use of manual laboratory systems for more than 25 days. These manual processes had to be created not only to enable us to process our case volume without bottlenecks but also to maintain patient safety and allow for billing. METHODS Our laboratory needed to create a safe reporting process to ensure ongoing patient safety and error reduction during the downtime. Additionally, we needed to ensure the ability to bill for performed tests in some areas of the lab and maintain compliance with regulatory policies. RESULTS Amendment rates in our system were higher than before the attack, but no patient harm was observed. Intraoperative assessments declined, but high-acuity cases continued with a discrepancy rate comparable with the normal state. Many hours and resources (human and otherwise) were necessary to reconcile the work done to bill for services, but we were able to capture revenue through careful planning. CONCLUSIONS This article records the challenges we faced and the successes we achieved in maintaining compliance and a low error rate in the face of manual processes, the steps necessary to bring the cases into the newly restored electronic health record, and how we billed for the services we rendered.
Collapse
Affiliation(s)
- Nora K Frisch
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Pamela C Gibson
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Anne M Stowman
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Andrew Goodwin
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Michelle Schwartz
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Valerie Cortright
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| | - Tania Hong
- University of Vermont Health Network, Burlington, VT, USA
| | - Alexandra Kalof
- Department of Pathology and Laboratory Medicine, University of Vermont Medical Center, Burlington, VT, USA
| |
Collapse
|
|
5
|
Joyce C, Roman FL, Miller B, Jeffries J, Miller RC. Emerging Cybersecurity Threats in Radiation Oncology. Adv Radiat Oncol 2021; 6:100796. [PMID: 34746516 PMCID: PMC8555435 DOI: 10.1016/j.adro.2021.100796] [Citation(s) in RCA: 5] [Impact Index Per Article: 1.7] [Reference Citation Analysis] [Abstract] [Track Full Text] [Download PDF] [Journal Information] [Subscribe] [Scholar Register] [Received: 06/28/2021] [Revised: 08/18/2021] [Accepted: 08/22/2021] [Indexed: 11/26/2022] Open
Abstract
Purpose Modern image guided radiation therapy is dependent on information technology and data storage applications that, like any other digital technology, are at risk from cyberattacks. Owing to a recent escalation in cyberattacks affecting radiation therapy treatments, the American Society for Radiation Oncology's Advances in Radiation Oncology is inaugurating a new special manuscript category devoted to cybersecurity issues. Methods and Materials We conducted a review of emerging cybersecurity threats and a literature review of cyberattacks that affected radiation oncology practices. Results In the last 10 years, numerous attacks have led to an interruption of radiation therapy for thousands of patients, and some of these catastrophic incidents have been described as being worse than the coronavirus disease of 2019 impact on centers in New Zealand. Conclusions Cybersecurity threats continue to evolve, making combatting these attacks more difficult for health care organizations and requiring a change in strategies, tactics, and culture around cyber security in health and radiation oncology. We recommend an assume breach mentality (threat-informed defense posture) and adopting a cloud-first and zero-trust security strategy. A reliance on computer-driven technology makes radiation oncology practices more vulnerable to cyberattacks. Health care providers should increase their resilience and cyber security maturity. The increase in the diversity of these attacks demands improved preparedness and collaboration between oncologic treatment centers both nationwide and internationally to protect patients.
Collapse
Affiliation(s)
- Christine Joyce
- University of Tennessee Health Science Center College of Medicine, Memphis, Tennesse
| | | | - Brett Miller
- Division of Radiation Oncology, University of Tennessee Medical Center, Knoxville, Tennessee
| | - John Jeffries
- Information Security, University of Tennessee Medical Center, Knoxville, Tennessee
| | - Robert C Miller
- Division of Radiation Oncology, University of Tennessee Medical Center, Knoxville, Tennessee
| |
Collapse
|
|
6
|
Pinkham DW, Sala IM, Soisson ET, Wang B, Deeley MA. Are you ready for a cyberattack? J Appl Clin Med Phys 2021; 22:4-7. [PMID: 34505355 PMCID: PMC8504589 DOI: 10.1002/acm2.13422] [Citation(s) in RCA: 4] [Impact Index Per Article: 1.3] [Reference Citation Analysis] [Track Full Text] [Download PDF] [Journal Information] [Subscribe] [Scholar Register] [Received: 08/20/2021] [Revised: 08/20/2021] [Accepted: 08/24/2021] [Indexed: 11/08/2022] Open
Affiliation(s)
- Daniel W Pinkham
- Department of Therapeutic Radiology, Yale University School of Medicine, New Haven, Connecticut, USA
| | - Ina M Sala
- Department of Therapeutic Radiology, Yale University School of Medicine, New Haven, Connecticut, USA
| | - Emilie T Soisson
- Department of Radiation Oncology, University of Vermont Medical Center, Burlington, Vermont, USA
| | - Brian Wang
- Department of Therapeutic Radiology, Yale University School of Medicine, New Haven, Connecticut, USA
| | - Matthew A Deeley
- Department of Radiation Oncology, University of Vermont Medical Center, Burlington, Vermont, USA
| |
Collapse
|