Journal:Emerging cybersecurity threats in radiation oncology
|Full article title||Emerging cybersecurity threats in radiation oncology|
|Journal||Advances in Radiation Oncology|
|Author(s)||Joyce, Christine; Roman, Faustin L.; Miller, Brett; Jeffries, John; Miller, Robert C.|
|Author affiliation(s)||The University of Tennessee Health Science Center, Medical IT Advisors, University of Tennessee Medical Center|
|Primary contact||Email: rcmiller at utmck dot edu|
|Volume and issue||6(6)|
|Distribution license||Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International|
Purpose: Modern image-guided radiation therapy is dependent on information technology and data storage applications that, like any other digital technology, are at risk from cyberattacks. Owing to a recent escalation in cyberattacks affecting radiation therapy treatments, the American Society for Radiation Oncology's Advances in Radiation Oncology is inaugurating a new special manuscript category devoted to cybersecurity issues.
Methods and materials: We conducted a review of emerging cybersecurity threats and a literature review of cyberattacks that affected radiation oncology practices.
Results: In the last 10 years, numerous attacks have led to an interruption of radiation therapy for thousands of patients, and some of these catastrophic incidents have been described as being worse than coronavirus disease 2019's impact on healthcare centers in New Zealand.
Conclusions: Cybersecurity threats continue to evolve, making combatting these attacks more difficult for healthcare organizations, requiring a change in strategies, tactics, and culture around cybersecurity in health and radiation oncology. We recommend an "assume-breach" mentality (threat-informed defense posture) and adopting a cloud-first and zero-trust security strategy. A reliance on computer-driven technology makes radiation oncology practices more vulnerable to cyberattacks. Healthcare providers should increase their resilience and cybersecurity maturity. The increase in the diversity of these attacks demands improved preparedness and collaboration between oncologic treatment centers both nationwide and internationally to protect patients.
Keywords: cybersecurity, healthcare security, radiation oncology, risk assessment
Modern image-guided radiation therapy is dependent on information technology (IT) and data storage applications that, like any other digital technology, are at risk from cyberattacks. In the fourth quarter of 2020, America's healthcare institutions were subjected to a series of coordinated attempts to breach their cybersecurity defenses with criminal intent. Unfortunately, in some cases these attempts succeeded, to the detriment of patient care. According to Cybercrime Magazine, global cybercrime damage in 2021 amounts to $16.4 billion a day, $684.9 million an hour, $11 million per minute, and $190,000 per second. The World Economic Forum estimated that the likelihood of detecting and prosecuting the perpetrators of a cyberattack in the United States is a dismal 0.05%.
In the fall of 2020, the U.S. federal government issued a joint advisory warning that the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) had credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers. More recently, the Director of the FBI compared the increase in ransomware attacks on U.S. infrastructure to the threat of the September 11 terrorist attacks. In New Zealand, ransomware incidents have recently been described as having a worse impact on cancer patients than coronavirus disease 2019 (COVID-19).
As the worst disruptions of the COVID-19 pandemic have passed (at least in some regions), the next pervasive disruptive threat to our medical profession appears to be cybersecurity risks. In light of this development, the American Society for Radiation Oncology's Advances in Radiation Oncology is inaugurating a special manuscript category devoted to cybersecurity issues.
Emerging cybersecurity threats in 2021
A study in 2014 showed that 94% of healthcare institutions had been victims of cyberattacks. Based on a Medical Information Technology Advisors Threat Intelligence Platform analysis of incidents in the Asia-Pacific region, United States, and European Union, as well as reports from various other threat intelligence agencies, the number of compromised business e-mail accounts and ransomware incidents originating from phishing or credentials traded on the dark web is growing, and these are quickly becoming the number one risk for healthcare organizations. Recent years have seen an increase in phishing that abuses "trusted" organizations or services. Phishing e-mails will often dangle a financial reward or something too good to be true, with urgency or a strict deadline to perform an action. Other attempts promise something exciting or forbidden, or threaten negative consequences or punishment. The phishing e-mail will often carry an unexpected attachment, a link to a spoofed website, or a link to "update your password." Calling the sender to verify whether the e-mail is legitimate, using a phone number already on file rather than one supplied in the message, is often the best course before taking any action.
The United States has seen an increase in ransomware, especially from ransomware-as-a-service (RaaS) groups using double and even triple extortion tactics. Data are encrypted and exfiltrated from the attacked healthcare organization, and then the attackers threaten to publish the data, directly extort patients, or launch a distributed denial of service (DDoS) attack. In fact, the HHS' Health Sector Cybersecurity Coordination Center (HC3) has found that 60% of global cybersecurity incidents targeting healthcare providers during the first half of 2021 affected the U.S. health sector. Ransomware incidents are becoming linked to data breaches because in at least 72% of ransomware incidents, victim data were leaked.
In an analysis of 5,275 reported cybersecurity breaches last year, the number one method used was social engineering, with 85% of breaches involving a human element in a targeted organization. The threat to healthcare organizations in recent years has shifted from malicious internal actors to external organizations. Personal data, rather than medical data, is the most commonly stolen information in a security breach, with financial motivation behind 91% of attacks.
Usual scam tactics, including fear-based themes, prove to be successful, with only a few changes in frequency and some techniques abusing legitimate services to bypass protections. Themes on COVID-19, the work-from-home initiative, registration renewals, secure document exchanges, and even local festivals are used to trick victims into allowing these attacks. Some of the COVID-19 themes used in e-crime phishing schemes during the pandemic include:
- exploitation of individuals looking for details on disease tracking, testing, and treatment;
- impersonation of medical bodies, including the World Health Organization (WHO) and U.S. Centers for Disease Control and Prevention (CDC);
- financial assistance and government stimulus packages;
- tailored attacks against employees working from home;
- scams offering personal protective equipment; and
- passing mention of COVID-19 within previously used phishing lure content (e.g., deliveries, invoices, and purchase orders).
The existing disruptions in healthcare globally presented new vulnerabilities for cybercrime. Some cybercrime organizations announced their intention to not intentionally impact healthcare organizations during the pandemic, although how well they adhered to those pledges is unclear. Other organizations, such as Wizard Spider, intentionally targeted healthcare organizations at the end of October of 2020 at a time of increased medical facility utilization, when hospitals and clinics were under increasing pressure from the start of the influenza season and the pandemic fall surge. These actions mirrored a similar approach used against other industries, one of deliberately targeting organizations during times of institutional stress, such as what occurred with educational institutions at the start of the 2019 school year.
Malicious actors have made phishing and malware smarter, using new techniques to bypass sandbox detonation (i.e., isolated environments in which suspicious files are executed to observe their behavior before they reach the production network), and are increasingly using "trusted" compromised accounts and services to launch their attacks. Third-party supply chain risks and the internet of things (IoT) environment make threat management complex and increase the attack surface. The World Economic Forum estimated that attacks on IoT devices soared by 300% in 2019. The increase in the number of individuals now working from home has added risks and increased the complexity of combating attacks. Healthcare organizations are typically attacked by well-organized crime organizations and state-sponsored actors. The predicted cost of ransomware damage in 2021 ($20 billion) is 57 times the cost in 2015.
Finally, the lack of correlation, collaboration, and communication between service providers and their IT partners increases the ease with which attackers can affect a wide range of targets. Organizations face at least 10 major cybersecurity risks today, including:
- Phishing, including business e-mail compromises
- Ransomware attacks, including DDoS
- Hacking of unpatched software and external services (remote desktop protocol, virtual private network, file transfer protocol, databases)
- Software vulnerabilities and misconfigurations
- Lack of security logging and monitoring
- Third-party supplier's security (cloud, IoT, apps)
- Inadequate processes (e.g., patching, backup, change management)
- Technical debt/legacy software and increased attack surface
- User-based mistakes and lack of cybersecurity awareness (technical, operational, and user literacy)
- Threat identification and incident response
Cyberattacks affecting radiation oncology providers
Technological advancements in the treatment of cancer continue to improve patient outcomes. However, due to the reliance on technology, radiation oncology practices are more vulnerable to cyberattacks. In the recent past, radiation therapy treatments could be delivered from information recorded entirely on paper printouts and hand-written charts. Localization was achieved based on gross anatomy or skin markings, with wide margins to account for setup error. Therefore, treatment delivery could be isolated from treatment plan creation and was indeed the default paradigm before the invention of record and verification systems. Modern radiation therapy requires the loading and creation of three-dimensional data sets for localization, and the delivery of a complex treatment plan includes hundreds of control points that each contain hundreds of nodes of data giving the linear accelerator instructions on the positioning of each of its subsystems. The delivery of a single treatment can require the loading, creation, and management of gigabytes of data. This has led to an exponential growth in radiation therapy data, but also to a critical dependence on these vulnerable network systems to deliver treatment.
In 2016, a ransomware attack on a 10-hospital system in the National Capital Region resulted in a hospital having to cancel 36 radiation oncology treatment appointments on the first day of the attack, and all treatment sessions for several days after the attack. In the fall of 2020, there was a series of cyberattacks on U.S. healthcare institutions nationwide, including one in October of 2020 in which the University of Vermont health network experienced a cyberattack that subsequently halted radiation therapy at their facility. In April of 2021, a cyberattack affected Elekta's cloud-based storage system for radiation oncology data and affected 42 of 170 customers across the United States. The Health Service Executive of Ireland was the target of a large-scale ransomware attack on May 14, 2021 that affected almost all of its clinical IT systems. Two weeks after the attack, approximately 7,000 patient appointments per day were being canceled. Advances in Radiation Oncology hopes to soon publish a detailed account of how this incident affected radiation therapy services in Ireland as part of the new cybersecurity series.
On May 18, 2021, a cyberattack on New Zealand's Waikato District Health Board, one of the country's major medical centers, disrupted cancer patient care and its radiation oncology clinics for three weeks, and other specialties for even longer. This event caused more than 350 radiation treatment sessions to be cancelled, delayed, or rescheduled, forcing physicians to coordinate with other facilities and providers to continue patient treatments. According to one source, this was potentially one of the largest cyberattacks in the country to date. Many radiation oncology clinics have been affected similarly, although the total number has not been quantified. A list of healthcare institutions suffering a breach involving more than 500 patients due to a cyberattack or other causes, such as simple physical theft of laptop computers, can be found on the HHS' Office for Civil Rights breach portal.
Most of these attacks prohibited providers from accessing the medical records system, causing delayed treatment for thousands of patients. These attacks pose a difficult situation for any healthcare provider and institution, but even more so for those involved in radiation oncology. Radiation therapy is essential in the treatment of many cancers and must be completed in a timely fashion to ensure tumor control. For head and neck, cervical, vulvar, and anal cancers, as well as medulloblastoma, delays in therapy are particularly linked to inferior tumor control. As these ransomware attacks become more prevalent, having robust cybersecurity and an emergency backup system is essential for these institutions to prevent lapses in radiation therapy service that may result in less effective treatment.
Ransom attacks are particularly detrimental to the delivery of quality radiation therapy because the effectiveness of fractionated therapy is dependent on patients not incurring unnecessary breaks in treatment. In the case of a ransomware attack, this can affect the effectiveness of treatment for hundreds or thousands of patients at the same time, with cascading effects on other specialties and healthcare workers. Because of this temporal effect, radiation therapy clinics should prioritize the protection of data for patients currently under treatment in the case of a ransom attack. Clinics should develop plans that allow for continuity of care in the case of a prolonged computer systems outage. Some practical considerations include being able to know each patient's current and prescribed dose independent of the oncology information system (often an issue in today's paperless environment) and having a method to resume treatments for these patients as quickly as possible. Prioritized data backup and restoration for current treatment patients is necessary to accomplish this goal. The University of Maryland has outlined one method for this scenario.
The diversity of threats and attacks demand improved collaboration between oncologic treatment centers nationwide and internationally. Facilities and practices need improved preparedness, incident response capabilities, communication, and threat intelligence sharing. A system should be put in place to promote more meaningful action beyond mandatory annual compliance check-box exercises. Lastly, institutions need to allocate appropriate funding to adequately respond to these attacks and increase resilience against increasing cybersecurity threats. By making these changes, providers will be more prepared to face attacks, resulting in improved patient outcomes.
A non-exhaustive list of recommendations toward improved preparedness is given below.
- 1. Require multifactor authentication for all identities and send alerts upon unusual behavior.
- 2. Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner.
- 3. Implement endpoint detection and response tools and systems that can block and alert on malicious activity.
- 4. Enable strong e-mail protection filters to prevent phishing e-mails from reaching end users, including filtering e-mails containing executable files and macros from reaching end users.
- 5. Maintain offline, encrypted backups of data and regularly test backups.
- 6. Implement a user awareness training program, and simulate attacks for phishing, ransomware, and other attack types.
- 7. Review network segmentation and limit administrative access based on least privilege principles.
- 8. Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures.
- 9. Filter network traffic to prohibit ingress and egress communications with known malicious internet protocol addresses.
- 10. Conduct regular cybersecurity risk assessments on both external and internal assets.
- 11. Review timely advisories sent by local and national cybersecurity, information sharing, and analysis centers.
- 12. Review third-party services risks, specifically those related to remote access and IT management.
- 13. Practice business continuity and incident response plans.
- 14. Increase vigilance in monitoring, detecting, and responding to suspicious activity.
- 15. Implement centralized logging and managed security operation services.
- 16. Maintain ongoing staff education regarding cybersecurity threats, adapted to the nature of the most current threats.
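The e-mail filtering in item 4 is often enforced by attachment type, and an extension-only check is defeated by a rename (payload.exe sent as invoice.pdf), by a macro document saved under a non-macro extension, or by a zip wrapper around the real payload. The following is an added example, not code from the article or its authors, of a content-based attachment triage for a mail gateway: it parses a message, inspects each attachment's magic bytes, opens OOXML documents to look for an embedded VBA project, and looks one level into zip archives. The block lists, the member paths, the sample messages and the sender addresses are assumptions constructed for the demonstration and are not drawn from the article.

```python
"""Mail-gateway attachment triage: block executables and macro-enabled Office
documents by inspecting content, not only the file extension (added example)."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block lists for illustration; a real gateway policy would be broader.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".vbs", ".hta", ".ps1", ".bat", ".cmd"}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
# Magic bytes survive a rename: payload.exe sent as invoice.pdf still starts with "MZ".
MAGIC_SIGNATURES = (
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xd0\xcf\x11\xe0", "legacy OLE Office document (may carry VBA macros)"),
)
# OOXML files are zip archives; a VBA project lives at one of these member paths.
VBA_PROJECT_PATHS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def _extension(filename):
    name = (filename or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_attachment(filename, data, depth=0):
    """Return the reasons to block this attachment; an empty list means allow."""
    reasons = []
    ext = _extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled extension {ext}")
    for magic, label in MAGIC_SIGNATURES:
        if data.startswith(magic):
            reasons.append(label)
    if data.startswith(b"PK\x03\x04"):
        # Either an OOXML document or a plain zip wrapper around the real payload.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                if VBA_PROJECT_PATHS.intersection(names):
                    reasons.append("OOXML document with embedded VBA project")
                elif depth < 1:  # look one level into zip wrappers, no deeper
                    for member in names:
                        for r in classify_attachment(member, zf.read(member), depth + 1):
                            reasons.append(f"zip member {member}: {r}")
        except zipfile.BadZipFile:
            reasons.append("malformed zip archive")
    return reasons


def triage_message(raw):
    """Parse an RFC 5322 message; return {filename: reasons} for attachments to block."""
    msg = message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        reasons = classify_attachment(name, payload)
        if reasons:
            verdicts[name] = reasons
    return verdicts


def _ooxml_with_vba():
    """Build a minimal OOXML-shaped zip carrying a VBA project (constructed, not real)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 fake vba stream")
    return buf.getvalue()


def _zip_wrapping(name, content):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    return buf.getvalue()


def _message(subject, attachments):
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed sender
    msg["To"] = "clinic@example.invalid"      # constructed recipient
    msg["Subject"] = subject
    msg.set_content("Please review the attached document before the deadline today.")
    for filename, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def sample_messages():
    """Constructed phishing-style lures for demonstration; not real captures."""
    return {
        "renamed_exe": _message("Overdue invoice", [
            ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60, "application", "pdf")]),
        "macro_doc": _message("Secure document exchange", [
            ("statement.docx", _ooxml_with_vba(), "application", "octet-stream")]),
        "zip_wrapper": _message("Scanned registration renewal", [
            ("scan.zip", _zip_wrapping("scan.js", b"var a = 1;"), "application", "zip")]),
        "benign": _message("Meeting notes", [
            ("notes.txt", b"Nothing to see here.", "text", "plain")]),
    }


if __name__ == "__main__":
    for label, raw in sample_messages().items():
        print(label, triage_message(raw) or "allow")
```

Magic-byte and container inspection catches the renamed executable, the macro document saved as .docx, and the .js inside a zip that an extension filter alone would pass; the one-level limit on zip recursion is a deliberate bound so a nested-archive bomb cannot turn the filter itself into a denial-of-service target. Password-protected archives, which cannot be opened by the gateway, are the usual remaining gap and are best quarantined rather than delivered.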
Socially engineered ransomware attacks are the primary threat to medical organizations at this time. In particular, these attacks target unsuspecting individuals within health care entities rather than directly attacking a system's technical defenses. Routine reeducation of staff on best security practices while working in an electronic environment can reduce the risk of a successful ransomware attack.
COVID-19: coronavirus disease 2019
DDoS: distributed denial of service
FBI: Federal Bureau of Investigation
HHS: U.S. Department of Health and Human Services
IoT: internet of things
IT: information technology
Research data are available at public internet sites as referenced.
Conflict of interest
Dr. Miller reports funding from the American Society for Radiation Oncology. There are no other conflicts of interest.
- ↑ 1.0 1.1 1.2 Chang, J. (2020). "119 Impressive Cybersecurity Statistics: 2021/2022 Data & Market Analysis". Finances Online. https://financesonline.com/cybersecurity-statistics/. Retrieved 04 June 2021.
- ↑ "Alert (AA20-302A) Ransomware Activity Targeting the Healthcare and Public Health Sector". National Cyber Awareness System. Cybersecurity & Infrastructure Security Agency. 2 November 2020. https://www.cisa.gov/uscert/ncas/alerts/aa20-302a. Retrieved 01 February 2021.
- ↑ Viswanatha, A.; Volz, D. (4 June 2021). "FBI Director Compares Ransomware Challenge to 9/11". The Wall Street Journal. https://www.wsj.com/articles/fbi-director-compares-ransomware-challenge-to-9-11-11622799003?mod=e2twp. Retrieved 04 June 2021.
- ↑ 4.0 4.1 Ensor, J. (27 May 2021). "'Catastrophic failure': Cyber attack on Waikato DHB 'worse than COVID', significant impact on radiation patients - expert". MSN. Microsoft. https://www.msn.com/en-nz/news/national/catastrophic-failure-cyber-attack-on-waikato-dhb-worse-than-covid-significant-impact-on-radiation-patients-expert/ar-AAKsC9j?ocid=entnewsntp. Retrieved 04 June 2021.
- ↑ Filkins, B. (2014). "Health care cyberthreat report: Widespread compromises detected, compliance nightmare on horizon paper". SANS. http://www.sans.org/reading-room/whitepapers/firewalls/paper/34735. Retrieved 24 June 2021.
- ↑ "Private communication, Medical Information Technology Advisors Threat Intelligence Platform". Medical IT Advisors. https://www.meditadvisors.com/. Retrieved 04 June 2021.
- ↑ Richard, N.; Andonov, D. (4 May 2021). "The UNC2529 Triple Double: A Trifecta Phishing Campaign". Mandiant. https://www.mandiant.com/resources/unc2529-triple-double-trifecta-phishing-campaign. Retrieved 14 June 2021.
- ↑ Tanner, J. (25 October 2020). "Finland shocked by therapy center hacking, client blackmail". ABC News. https://abcnews.go.com/Health/wireStory/finland-shocked-therapy-center-hacking-client-blackmail-73817011. Retrieved 04 June 2021.
- ↑ "Ransomware Trends 2021" (PDF). Health Sector Cybersecurity Coordination Center. 3 June 2021. https://www.hhs.gov/sites/default/files/ransomware-trends-2021.pdf. Retrieved 14 June 2021.
- ↑ 10.0 10.1 "Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information". HHS Office for Civil Rights. 2021. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. Retrieved 24 June 2021.
- ↑ "2021 Data Breach Investigations Report" (PDF). Verizon. 2021. https://enterprise.verizon.com/content/verizonenterprise/us/en/index/resources/reports/2021-data-breach-investigations-report.pdf. Retrieved 14 June 2021.
- ↑ 12.0 12.1 "2021 Global Threat Report" (PDF). Crowdstrike. 2021. https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf. Retrieved 24 June 2021.
- ↑ Muthuppalaniappan, Menaka; Stevenson, Kerrie (20 February 2021). "Healthcare cyber-attacks and the COVID-19 pandemic: an urgent threat to global health" (in en). International Journal for Quality in Health Care 33 (1): mzaa117. doi:10.1093/intqhc/mzaa117. ISSN 1353-4505. PMC 7543534. PMID 33351134. https://academic.oup.com/intqhc/article/doi/10.1093/intqhc/mzaa117/5912483.
- ↑ CSA 405(d) Task Group (2018). "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients" (PDF). https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf. Retrieved 04 June 2021.
- ↑ 15.0 15.1 Nichols, E.M.; Shafiq, U.R.; Byongyong, Y. (2018). "The impact of cybersecurity in radiation oncology: Logistics and challenges". Applied Radiation Oncology 7 (4): 14–18. https://appliedradiationoncology.com/articles/the-impact-of-cybersecurity-in-radiation-oncology-logistics-and-challenges.
- ↑ Nelson, Carl J.; Lester-Coll, Nataniel H.; Li, Puyao C.; Gagne, Havaleh; Anker, Christopher J.; Deeley, Matthew A.; Wallace, H. James (1 January 2021). "Development of Rapid Response Plan for Radiation Oncology in Response to Cyberattack" (in en). Advances in Radiation Oncology 6 (1): 100613. doi:10.1016/j.adro.2020.11.001. PMC 7811107. PMID 33490734. https://linkinghub.elsevier.com/retrieve/pii/S2452109420303407.
- ↑ Alder, S. (27 April 2021). "Radiation Treatments Disrupted After Cyberattack on Software Vendor". HIPAA Journal. https://www.hipaajournal.com/healthcare-providers-postpone-radiation-treatments-cyberattack-elekta/. Retrieved 25 June 2021.
- ↑ Cullen, P. (27 May 2021). "Cyberattack: HSE faces final bill of at least €100m". The Irish Times. https://www.irishtimes.com/news/health/cyberattack-hse-faces-final-bill-of-at-least-100m-1.4577076. Retrieved 12 August 2021.
- ↑ Paulino, Arnold C.; Wen, B.-Chen; Mayr, Nina A.; Tannous, Raymond; Loew, Thomas W.; Goldman, Frederick D.; Meeks, Sanford L.; Ryken, Timothy C. et al. (1 February 2003). "Protracted Radiotherapy Treatment Duration in Medulloblastoma" (in en). American Journal of Clinical Oncology 26 (1): 55–59. doi:10.1097/00000421-200302000-00012. ISSN 0277-3732. http://journals.lww.com/00000421-200302000-00012.
- ↑ Petereit, Daniel G.; Sarkaria, Jann N.; Chappell, Richard; Fowler, John F.; Hartmann, Trudy J.; Kinsella, Timothy J.; Stitt, Judith A.; Thomadsen, Bruce R. et al. (1 July 1995). "The adverse effect of treatment prolongation in cervical carcinoma" (in en). International Journal of Radiation Oncology*Biology*Physics 32 (5): 1301–1307. doi:10.1016/0360-3016(94)00635-X. https://linkinghub.elsevier.com/retrieve/pii/036030169400635X.
- ↑ "Ransomware Guide". StopRansomware.gov. Cybersecurity & Infrastructure Security Agency. September 2020. https://www.cisa.gov/stopransomware/ransomware-guide. Retrieved 01 February 2021.
This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. Tables were turned into inline text. The Filkins cyberthreat report (Citation 5) is a dead URL, and an archived version of the report could not be found. Everything else remains true to the original article, per the "NoDerivatives" portion of the distribution license.