1
|
Keogh RJ, Harvey H, Brady C, Hassett E, Costelloe SJ, O'Sullivan MJ, Twomey M, O'Leary MJ, Cahill MR, O'Riordan A, Joyce CM, Moloney G, Flavin A, M Bambury R, Murray D, Bennett K, Mullooly M, O'Reilly S. Dealing with digital paralysis: Surviving a cyberattack in a National Cancer center. J Cancer Policy 2024; 39:100466. [PMID: 38176467 DOI: 10.1016/j.jcpo.2023.100466] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Key Words] [MESH Headings] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 08/12/2023] [Revised: 11/26/2023] [Accepted: 12/21/2023] [Indexed: 01/06/2024]
Abstract
INTRODUCTION Cyberattacks represent a growing threat for healthcare delivery globally. We assess the impact and implications of a cyberattack on a cancer center in Ireland. METHODS On May 14th 2021 (day 0) Cork University Hospital (CUH) Cancer Center was involved in the first national healthcare ransomware attack in Ireland. Contingency plans were only present in laboratory services who had previously experienced information technology (IT) failures. No hospital cyberattack emergency plan was in place. Departmental logs of activity for 120 days after the attack were reviewed and compared with historical activity records. Daily sample deficits (routine daily number of samples analyzed - number of samples analyzed during cyberattack) were calculated. Categorical variables are reported as median and range. Qualitative data were collected via reflective essays and interviews with key stakeholders from affected departments in CUH. RESULTS On day 0, all IT systems were shut down. Radiotherapy (RT) treatment and cancer surgeries stopped, outpatient activity fell by 50%. hematology, biochemistry and radiology capacity fell by 90% (daily sample deficit (DSD) 2700 samples), 75% (DSD 2250 samples), and 90% (100% mammography/PET scan) respectively. Histopathology reporting times doubled (7 to 15 days). Radiotherapy (RT) was interrupted for 113 patients in CUH. The median treatment gap duration was six days for category 1 patients and 10 for the remaining patients. Partner organizations paused all IT links with CUH. Outsourcing of radiology and radiotherapy commenced, alternative communication networks and national conference calls in RT and Clinical Trials were established. By day 28 Email communication was restored. By day 210 reporting and data storage backlogs were cleared and over 2000 computers were checked/replaced. CONCLUSION Cyberattacks have rapid, profound and protracted impacts. While laboratory and diagnostic deficits were readily quantified, the impact of disrupted/delayed care on patient outcomes is less readily quantifiable. Cyberawareness and cyberattack plans need to be embedded in healthcare. POLICY SUMMARY Cyberattacks pose significant challenges for healthcare systems, impacting patient care, clinical outcomes, and staff wellbeing. This study provides a comprehensive review of the impact of the Conti ransomware attack on cancer services in Cork University Hospital (CUH), the first cyberattack on a national health service. Our study highlights the widespread disruption caused by a cyberattack including shutdown of information technology (IT) services, marked reduction in outpatient activity, temporary cessation of essential services such as radiation therapy. We provide a framework for other institutions for mitigating the impact of a cyberattack, underscoring the need for a cyberpreparedness plan similar to those made for natural disasters and the profound legacy of a cyberattack on patient care.
Collapse
Affiliation(s)
- Rachel J Keogh
- Department of Medical Oncology, Cork University Hospital, Wilton, Cork, Ireland; Cancer Research @UCC, College of Medicine and Health, University College Cork, Ireland.
| | - Harry Harvey
- Department of Medical Oncology, Cork University Hospital, Wilton, Cork, Ireland
| | - Claire Brady
- Department of Medical Oncology, Cork University Hospital, Wilton, Cork, Ireland; Cancer Research @UCC, College of Medicine and Health, University College Cork, Ireland; Cancer Trials Cork, Cork University Hospital, Ireland
| | - Edel Hassett
- Cancer Research @UCC, College of Medicine and Health, University College Cork, Ireland; Cancer Trials Cork, Cork University Hospital, Ireland
| | - Seán J Costelloe
- Department of Clinical Biochemistry, Cork University Hospital, Wilton, Cork, Ireland
| | - Martin J O'Sullivan
- Department of Breast Surgery, Cork University Hospital, Ireland; University College Cork, College Road, University College Cork, Ireland
| | - Maria Twomey
- Department of Radiology, Cork University Hospital, Ireland
| | - Mary Jane O'Leary
- Palliative Medicine, Marymount University Hospital and Hospice, Cork, Ireland; Palliative Medicine, Cork University Hospital, Ireland
| | - Mary R Cahill
- Department of Haematology, Cork University Hospital, Ireland
| | | | - Caroline M Joyce
- Department of Clinical Biochemistry, Cork University Hospital, Wilton, Cork, Ireland; INFANT Centre, University College Cork, Ireland; Pregnancy Loss Research Group, Department of Obstetrics & Gynaecology, University College Cork, University College Cork, Ireland
| | - Ger Moloney
- Information and Communication Technology (ICT) Department, Cork University Hospital, Ireland
| | - Aileen Flavin
- Bon Secours Radiotherapy Cork in Partnership with UPMC Hillman Cancer Centre, Cork, Ireland
| | - Richard M Bambury
- Department of Medical Oncology, Cork University Hospital, Wilton, Cork, Ireland; Cancer Research @UCC, College of Medicine and Health, University College Cork, Ireland; Cancer Trials Cork, Cork University Hospital, Ireland; Cancer Research @UCC, University College Cork, Cork, Ireland
| | | | - Kathleen Bennett
- School of Population Health, RCSI University of Medicine and Health Sciences Dublin, Ireland
| | - Maeve Mullooly
- School of Population Health, RCSI University of Medicine and Health Sciences Dublin, Ireland
| | - Seamus O'Reilly
- Department of Medical Oncology, Cork University Hospital, Wilton, Cork, Ireland; Cancer Research @UCC, College of Medicine and Health, University College Cork, Ireland; Cancer Trials Cork, Cork University Hospital, Ireland; Cancer Research @UCC, University College Cork, Cork, Ireland
| |
Collapse
|
2
|
Hines E, Trivedi S, Hoang-Tran C, Mocharnuk J, Pfaff MJ. Perspectives on Cybersecurity and Plastic Surgery: A Survey of Plastic Surgeons and Scoping Review of the Literature. Aesthet Surg J 2023; 43:1376-1383. [PMID: 37186025 DOI: 10.1093/asj/sjad122] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [MESH Headings] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 03/12/2023] [Revised: 04/21/2023] [Accepted: 04/23/2023] [Indexed: 05/17/2023] Open
Abstract
BACKGROUND Data breach costs in the United States are among the highest in the world, making robust cybersecurity an important bulwark of national defense. Healthcare is a popular target for cyber threats, and there is increasing emphasis on cybersecurity safeguards to protect sensitive patient data. OBJECTIVES The objective of this national survey and scoping review is to (1) identify cybersecurity awareness, preparedness, and practices among plastic surgeons, and (2) to provide guidelines to mitigate the threat of cyberattacks. METHODS A 16-question, anonymous online survey was developed and distributed to The Aesthetic Society registrants to ascertain plastic surgeons' cybersecurity practices. Utilizing PubMed, CINAHL, and Embase databases, eligible articles were identified as part of this scoping review. RESULTS Of 89 individuals who began the survey, 69 completed it (77.5%). Sixty respondents agreed or strongly agreed that cybersecurity is an important issue in plastic surgery. The greatest perceived limitations for protection against cyberattacks were insufficient expertise (41.7%), followed by lack of funding and insufficient time to dedicate to this goal. Most respondents (78.7%) had cybersecurity policies incorporated into their practice. Those who agreed or strongly agreed they had technology to prevent data theft/breach were significantly more likely to be older than 54 years of age (P < .001). No articles identified in the literature specifically addressed cybersecurity in plastic surgery; however, 12 articles detailing cybersecurity in healthcare were identified and included. CONCLUSIONS Despite possessing adequate technology and procedures in place to prevent cyberattacks, plastic surgeons perceive significant barriers to cybersecurity protection, including insufficient expertise and lack of dedicated funding. It is imperative that our field establishes standards and protocols to protect our patients.
Collapse
|
3
|
Dameff C, Tully J, Chan TC, Castillo EM, Savage S, Maysent P, Hemmen TM, Clay BJ, Longhurst CA. Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMA Netw Open 2023; 6:e2312270. [PMID: 37155166 PMCID: PMC10167570 DOI: 10.1001/jamanetworkopen.2023.12270] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [MESH Headings] [Grants] [Track Full Text] [Journal Information] [Submit a Manuscript] [Subscribe] [Scholar Register] [Received: 10/28/2022] [Accepted: 03/26/2023] [Indexed: 05/10/2023] Open
Abstract
Importance Cyberattacks on health care delivery organizations are increasing in frequency and sophistication. Ransomware infections have been associated with significant operational disruption, but data describing regional associations of these cyberattacks with neighboring hospitals have not been previously reported, to our knowledge. Objective To examine an institution's emergency department (ED) patient volume and stroke care metrics during a month-long ransomware attack on a geographically proximal but separate health care delivery organization. Design, Setting, and Participants This before and after cohort study compares adult and pediatric patient volume and stroke care metrics of 2 US urban academic EDs in the 4 weeks prior to the ransomware attack on May 1, 2021 (April 3-30, 2021), as well as during the attack and recovery (May 1-28, 2021) and 4 weeks after the attack and recovery (May 29 to June 25, 2021). The 2 EDs had a combined mean annual census of more than 70 000 care encounters and 11% of San Diego County's total acute inpatient discharges. The health care delivery organization targeted by the ransomware constitutes approximately 25% of the regional inpatient discharges. Exposure A month-long ransomware cyberattack on 4 adjacent hospitals. Main Outcomes and Measures Emergency department encounter volumes (census), temporal throughput, regional diversion of emergency medical services (EMS), and stroke care metrics. Results This study evaluated 19 857 ED visits at the unaffected ED: 6114 (mean [SD] age, 49.6 [19.3] years; 2931 [47.9%] female patients; 1663 [27.2%] Hispanic, 677 [11.1%] non-Hispanic Black, and 2678 [43.8%] non-Hispanic White patients) in the preattack phase, 7039 (mean [SD] age, 49.8 [19.5] years; 3377 [48.0%] female patients; 1840 [26.1%] Hispanic, 778 [11.1%] non-Hispanic Black, and 3168 [45.0%] non-Hispanic White patients) in the attack and recovery phase, and 6704 (mean [SD] age, 48.8 [19.6] years; 3326 [49.5%] female patients; 1753 [26.1%] Hispanic, 725 [10.8%] non-Hispanic Black, and 3012 [44.9%] non-Hispanic White patients) in the postattack phase. Compared with the preattack phase, during the attack phase, there were significant associated increases in the daily mean (SD) ED census (218.4 [18.9] vs 251.4 [35.2]; P < .001), EMS arrivals (1741 [28.8] vs 2354 [33.7]; P < .001), admissions (1614 [26.4] vs 1722 [24.5]; P = .01), patients leaving without being seen (158 [2.6] vs 360 [5.1]; P < .001), and patients leaving against medical advice (107 [1.8] vs 161 [2.3]; P = .03). There were also significant associated increases during the attack phase compared with the preattack phase in median waiting room times (21 minutes [IQR, 7-62 minutes] vs 31 minutes [IQR, 9-89 minutes]; P < .001) and total ED length of stay for admitted patients (614 minutes [IQR, 424-1093 minutes] vs 822 minutes [IQR, 497-1524 minutes]; P < .001). There was also a significant increase in stroke code activations during the attack phase compared with the preattack phase (59 vs 102; P = .01) as well as confirmed strokes (22 vs 47; P = .02). Conclusions and Relevance This study found that hospitals adjacent to health care delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke. These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at nontargeted hospitals within a community and should be considered a regional disaster.
Collapse
Affiliation(s)
- Christian Dameff
- Department of Emergency Medicine, University of California, San Diego
- Department of Biomedical Informatics, University of California, San Diego
- Department of Computer Science and Engineering, University of California, San Diego
| | - Jeffrey Tully
- Department of Anesthesiology, University of California, San Diego
| | - Theodore C. Chan
- Department of Emergency Medicine, University of California, San Diego
| | | | - Stefan Savage
- Department of Computer Science and Engineering, University of California, San Diego
| | - Patricia Maysent
- Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
| | - Thomas M. Hemmen
- Department of Neurosciences, University of California, San Diego
| | - Brian J. Clay
- Department of Biomedical Informatics, University of California, San Diego
- Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
| | - Christopher A. Longhurst
- Department of Biomedical Informatics, University of California, San Diego
- Office of the University of California, San Diego Health Chief Executive Officer, University of California, San Diego
| |
Collapse
|
4
|
Perakslis ED, Knechtle SJ, McCourt B, Lynch R, Doby BL. Doing it right: Caring for and protecting patient information for US organ donors and transplant recipients. PATTERNS 2023; 4:100734. [PMID: 37123437 PMCID: PMC10140603 DOI: 10.1016/j.patter.2023.100734] [Citation(s) in RCA: 0] [Impact Index Per Article: 0] [Reference Citation Analysis] [Abstract] [Track Full Text] [Subscribe] [Scholar Register] [Indexed: 04/08/2023]
Abstract
In the current US organ transplantation system, there are no regulations defining how organ procurement organizations must manage personal data and protect the privacy of donors and recipients. In response to the recent announcement of a major overhaul of the US transplantation system, we describe a practical approach to improving transplant data quality and protecting the autonomy of patients interacting with the system.
Collapse
Affiliation(s)
- Eric D. Perakslis
- Duke Clinical Research Institute, Duke University, Durham, NC 27701, USA
- Corresponding author
| | | | - Brian McCourt
- Duke Clinical Research Institute, Duke University, Durham, NC 27701, USA
| | - Raymond Lynch
- Departments of Surgery and Public Health, Penn State Health Milton S Hershey Medical Center, Hershey, PA, USA
| | - Brianna L. Doby
- Department of Public Health Sciences, New Mexico State University, College of Health Education, and Social Transformation, Las Cruces, NM, USA
| |
Collapse
|
5
|
Harvey H, Carroll H, Murphy V, Ballot J, O'Grady M, O'Hare D, Lawler G, Bennett E, Connolly M, Noone E, Kelly MG, Bazin A, Daly A, Mulroe E, McDermott R, O'Reilly S. The Impact of a National Cyberattack Affecting Clinical Trials: The Cancer Trials Ireland Experience. JCO Clin Cancer Inform 2023; 7:e2200149. [PMID: 37053539 PMCID: PMC10281450 DOI: 10.1200/cci.22.00149] [Citation(s) in RCA: 2] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Abstract] [MESH Headings] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 09/20/2022] [Revised: 12/18/2022] [Accepted: 02/22/2023] [Indexed: 04/15/2023] Open
Abstract
PURPOSE Cyberattacks are increasing in health care and cause immediate disruption to patient care, have a lasting impact, and compromise scientific integrity of affected clinical trials. On the May 14, 2021, the Irish health service was the victim of a nationwide ransomware attack. Patient care was disrupted across 4,000 locations, including 18 cancer clinical trials units associated with Cancer Trials Ireland (CTI). This report analyses the impact of the cyberattack on the organization and proposes steps to mitigate the impact of future cyberattacks. METHODS A questionnaire was distributed to the units within the CTI group; this examined key performance indicators for a period of 4 weeks before, during, and after the attack, and was supplemented by minutes of weekly conference call with CTI units to facilitate information sharing, accelerate mitigation, and support affected units. A total of 10 responses were returned, from three private and seven public hospitals. RESULTS The effect of the attack on referrals and enrollment to trials was marked, resulting in a drop of 85% in referrals and 55% in recruitment before recovery. Radiology, radiotherapy, and laboratory systems are heavily reliant on information technology systems. Access to all was affected. Lack of preparedness was highlighted as a significant issue. Of the sites surveyed, two had a preparedness plan in place before the attack, both of these being private institutions. Of the eight institutions where no plan was in place, three now have or are putting a plan in place, whereas no plan is in place at the five remaining sites. CONCLUSION The cyberattack had a dramatic and sustained impact on trial conduct and accrual. Increased cybermaturity needs to be embedded in clinical trial logistics and the units conducting them.
Collapse
Affiliation(s)
- Harry Harvey
- UCC Cancer Trials Group, Cork University Hospital, Cork, Ireland
| | - Hailey Carroll
- UCC Cancer Trials Group, Cork University Hospital, Cork, Ireland
| | | | - Jo Ballot
- St Vincents University Hospital, Dublin, Ireland
| | | | - Debra O'Hare
- UCC Cancer Trials Group, Cork University Hospital, Cork, Ireland
| | - Gavin Lawler
- Irish Research Radiation Oncology Group, Dublin, Ireland
| | - Erica Bennett
- Bon Secours Radiotherapy Centre in association with UPMC Hillman Cancer Center, Cork, Ireland
| | | | - Emma Noone
- St Lukes Radiation Oncology Trials Unit, Dublin, Ireland
| | | | | | | | | | | | - Seamus O'Reilly
- UCC Cancer Trials Group, Cork University Hospital, Cork, Ireland
- Cancer Trials Ireland, Dublin, Ireland
| |
Collapse
|
6
|
Perakslis E, Knechtle SJ. Information design to support growth, quality, and equity of the US transplant system. Am J Transplant 2023; 23:5-10. [PMID: 36695621 DOI: 10.1016/j.ajt.2022.10.005] [Citation(s) in RCA: 2] [Impact Index Per Article: 2.0] [Reference Citation Analysis] [Abstract] [Key Words] [Track Full Text] [Journal Information] [Subscribe] [Scholar Register] [Received: 07/02/2022] [Revised: 10/03/2022] [Accepted: 10/17/2022] [Indexed: 01/13/2023]
Abstract
The Organ Procurement and Transplantation Network, an arm of the Health Resources and Services Administration, has a contract with the United Network for Organ Sharing since 1986 to provide central oversight of organ donation and transplants in the United States. The United Network for Organ Sharing has recently come under scrutiny, prompting a review by the National Academies of Sciences, Engineering, and Medicine as summarized in its recent report and also by the US Senate Finance Committee. The national news services have opined about organ donation ethics, access to transplantation particularly for medically underserved populations, and management of organ transplantation data. These critiques raise important concerns that deserve our best response as a transplant community. Broadly, we suggest that the data management approach of the Organ Procurement and Transplantation Network be replaced with a patient-centric omnichannel network in which all donor and recipient data exist in a single longitudinal record that can be used by all applications. A more comprehensive and standardized approach to donor data collection would drive quality improvement across organ procurement organizations and help address inequities in transplantation. Finally, a substantial increase in organ donation would be prompted by considering organ donors as a public health resource, meriting transparent publicly available data collection with respect to organ donor referral, screening, and management.
Collapse
Affiliation(s)
- Eric Perakslis
- Duke Clinical Research Institute, Population Health Sciences, Durham, North Carolina, USA
| | - Stuart J Knechtle
- Department of Surgery, Duke Transplant Center, Duke University School of Medicine, Duke Clinical Research Institute, Durham, North Carolina, USA.
| |
Collapse
|