Author manuscript; available in PMC: 2025 May 9.
Published in final edited form as: Pract Radiat Oncol. 2024 Mar 19;14(5):e407–e415. doi: 10.1016/j.prro.2024.03.001

Radiation Oncology Ransomware Attack Response Risk Analysis Using Failure Modes and Effects Analysis

Yevgeniy Vinogradskiy a,*, Leah Schubert b, Amy Taylor a, Shari Rudoler a, James Lamb c
PMCID: PMC12063670  NIHMSID: NIHMS2075539  PMID: 38508451

Abstract

Purpose:

There have been numerous significant ransomware attacks impacting Radiation Oncology in the past 5 years. Research into ransomware attack response in Radiation Oncology has consisted of case reports and descriptive articles and has lacked quantitative studies. The purpose of this work was to identify the significant safety risks to patients being treated with radiation therapy during a ransomware attack scenario, using Failure Modes and Effects Analysis.

Methods and Materials:

A multi-institutional and multidisciplinary team conducted a Failure Modes and Effects Analysis by developing process maps and using Risk Priority Number (RPN) scores to quantify the increased likelihood of incidents in a ransomware attack scenario. The situation that was simulated was a ransomware attack that had removed the capability to access the Record and Verify (R&V) system. Five situations were considered: 1) a standard treatment of a patient with and without an R&V, 2) a standard treatment of a patient for the first fraction right after the R&V capabilities are disabled, and 3) 3 situations in which a plan modification was required. RPN scores were compared with and without R&V functionality.

Results:

The data indicate that RPN scores increased by 71% (range, 38%-96%) when R&V functionality is disabled compared with a nonransomware attack state where R&V functionality is available. The failure modes with the highest RPN in the simulated ransomware attack state included incorrectly identifying patients on treatment, incorrectly identifying where a patient is in their course of treatment, treating the incorrect patient, and incorrectly tracking delivered fractions.

Conclusions:

The presented study quantifies the increased risk of incidents when treating in a ransomware attack state, identifies key failure modes that should be prioritized when preparing for a ransomware attack, and provides data that can be used to guide future ransomware resiliency research.

Introduction

The frequency of cyberattacks continues to rise with the number of cyberattacks tripling since 2013.1 Unfortunately, health care has not been immune with over 94% of health care systems noting that they have been the victims of a cyberattack.2 The most common form of cyberattacks in health care are ransomware attacks. Ransomware attacks are defined as installed malware that targets files and makes them inaccessible until a sum of money is paid. Ransomware attacks in health care result in delays in treatment, discontinued treatment, treatment errors, and unsafe conditions, all leading to substandard and dangerous care.

Radiation oncology is especially susceptible to ransomware attacks because it is one of the most technologically reliant medical disciplines: the ability to deliver radiation therapy safely relies heavily on multiple, disparate, complicated software systems. There have been numerous significant ransomware attacks affecting Radiation Oncology in the past 5 years.2-9 In 2019, at the Health Sciences North academic health science center (Sudbury, Ontario, Canada), a computer virus infected the computer networks and brought numerous clinical operations to a halt, including radiation oncology.5 In 2020, a cyberattack on the University of Vermont Health Network caused access to all clinical systems to be halted.4 A widely impactful ransomware event occurred in April of 2021 affecting >40 centers when a major Record and Verify (R&V) vendor was attacked.6 In 2021, the Irish Health Service Executive was the victim of a ransomware attack affecting all 4000 nationwide locations8 and resulting in the immediate shutdown of radiation oncology and radiology services. In 2016, a ransomware attack impacted a 10-hospital system in Washington, DC.7 These ransomware attacks demonstrate that even when the latest cybersecurity measures are implemented, ransomware attacks are not completely preventable and will occur. Methods need to be developed that help Radiation Oncology clinics manage patient radiation therapy treatments during a ransomware attack.

Research into ransomware attack management and response in Radiation Oncology has consisted mostly of case reports and descriptive articles of how centers have responded to their respective ransomware attacks.2-8,10 There has been a lack of quantitative studies evaluating the safety impact of ransomware attacks in Radiation Oncology. Failure Modes and Effects Analysis (FMEA) is a structured and quantitative way to identify potential errors and their resulting impact on a system before an adverse event occurs. FMEA has been widely adopted as a quantitative risk analysis tool in Radiation Oncology.11 Two examples of how FMEA has been applied to Radiation Oncology include evaluating the safety of commissioning a treatment planning system (TPS)12 and assessing the risks involved with adaptive radiation therapy.13 FMEA has the potential to both quantify the increased risk of treating patients in a ransomware attack state (compared with standard operating procedures) and provide seminal data that can be used to identify the most salient failure modes, which in turn can drive innovations that improve a clinic’s ability to treat patients in a ransomware attack scenario. The purpose of this work was to perform a multi-institutional FMEA for patients being treated with radiation therapy in a ransomware attack scenario.

Methods and Materials

FMEA of treating patients in a ransomware attack state

An FMEA was conducted using Risk Priority Number (RPN) scores to quantify the increased likelihood of errors in a ransomware attack scenario. The situation that was simulated was a ransomware attack that had impacted the R&V system such that a clinic had completely lost the capability to treat using an R&V. The rationale for selecting a ransomware attack scenario where the capabilities of an R&V were completely lost was that it was the situation most commonly encountered in previous Radiation Oncology ransomware attacks.2-8 The FMEA was focused on treating a patient with an R&V (ie, under normal operating conditions) and without an R&V (ie, under ransomware attack conditions). The multidisciplinary team performing the FMEA consisted of 3 Medical Physicists, a Radiation Oncologist, and a Radiation Therapist. A portion of the team had previous experience managing a clinic in a ransomware attack scenario.6

The FMEA analysis was divided into 5 distinct but related processes: 1) a standard treatment of a patient with and without an R&V, 2) a standard treatment of a patient for the first fraction right after the R&V capabilities are disabled, 3) the patient is on treatment, the physician changes a treatment plan, the number of fractions is kept constant, and no resimulation is required, 4) the patient is on treatment, an adaptive plan is requested, a resimulation is required, and the number of fractions is kept constant, and 5) the patient is on-treatment and the physician changes the number of fractions using the same treatment plan. The 5 processes were chosen to cover the most common clinical treatment scenarios encountered in a ransomware attack state. Situation 1 covers a standard treatment and situation 2 covers the unique demands of restarting treatment for the first fraction after R&V capabilities have been lost where critical information needs to be gathered and recreated. An example of the replan situation described in scenario 3 is when a clinician changes a multileaf collimator position to alter a breast plan, an example of an adaptive plan described in situation 4 is a head and neck replan due to changing tumor anatomy, and an example of a plan change described in situation 5 is when the physician decides to stop treatment early due to toxicity.

For each of the 5 processes, a process map was created by the multidisciplinary team and failure modes were identified. For each failure mode, an occurrence (O), severity (S), and lack of detectability (D) score were assigned. The O, S, and D scores were combined to form a risk priority number (RPN), where RPN = O × S × D. To capture different clinical workflows, process maps were developed jointly for 3 institutions (Thomas Jefferson University, University of Colorado, University of California Los Angeles) by the multidisciplinary team. Two of the institutions use the ARIA R&V (Varian) and one of the institutions uses the Mosaiq R&V (Elekta). Where processes were deemed identical, consensus was reached in identifying occurrence (O) and detectability (D) scores; where processes diverged between institutions, scores were averaged. To maximize consistency of O, S, and D scores across the 5 processes, an iterative approach was taken: process maps and scores were developed separately by each institution, discussed to obtain consensus or average scores as needed, and then discussed again to regularize scores across all 5 processes with and without an R&V in place. The severity (S) score was kept constant for each failure mode between treating with and without an R&V. The rationale for keeping the severity score constant between treating with and without an R&V is that 1) there was no change in severity or impact whether the failure mode occurred with or without an R&V, and 2) it allowed for a direct comparison of the increased probability of errors caused by disabling the capabilities of an R&V.

The results for each of the 5 analyzed processes are presented as process maps and tables describing all failure modes with and without an R&V with corresponding O, S, D, and RPN scores. Descriptive statistics are presented for each scenario including mean ± standard deviation, as well as the percent increase of RPN without an R&V compared with RPN with an R&V.

Assumptions made for the FMEA

To create a bounded FMEA situation, several assumptions were made for the analysis. An assumption was made that a department had chosen to continue treating patients in a ransomware attack state rather than sending patients to another treatment location. Although some centers that had previously experienced ransomware attacks chose to cancel all patient treatments and send patients to another facility for treatment, a significant portion of centers opted to continue treating patients in a ransomware attack scenario.2-9 The FMEA in this study assumed that although R&V access was lost due to the ransomware attack, the Electronic Medical Record (EMR), the linear accelerators, and the ancillary software (for example quality assurance software and image registration software) capabilities remained intact. Although there is a rationale for assuming that if the R&V software was compromised other software capabilities may be compromised as well, to limit the number of scenarios evaluated, a decision was made to simulate a situation with no access to the R&V while access to other software systems remained. For the clinic that uses Mosaiq, the TPS is a separate and distinct software entity, and the FMEA assumed full access to the TPS. For the clinics that use the ARIA R&V, because ARIA and the TPS are on the same database, an assumption was made that the capabilities of both the R&V and the TPS were disabled. It was assumed that treatment planning data for plans for patients under treatment would be available in Digital Imaging and Communications in Medicine (DICOM) format, as all 3 clinics have a secondary software (for example MIM Software) that is used to back up critical DICOM information including the treatment plan. Therefore, an assumption was made that in a ransomware attack state, previously approved treatment plans could be restored but no new treatment plans could be created.
The RPN analysis for the specialized situations of treating for the first fraction in a ransomware attack state and the replanning situations that are impacted by not having access to a TPS are explicitly noted in the RPN analysis. The scenarios describing treatment with no R&V assumed a treatment paradigm proposed by numerous clinics that encountered a ransomware attack that impacted their R&V.2-9 The treatment paradigm proposed included 1) using file transfer to directly send the DICOM radiation therapy plan to the linear accelerator (referred to as “file-mode”) and 2) manually recording treatments using paper charts. The treatment paradigm using file-mode has been previously described on Varian linear accelerators6 and allowed for treatment using any modality (electrons, photons, 3-dimensional conformal radiation therapy, intensity modulated radiation therapy, volumetric modulated arc therapy), and enabled patient alignment using planar and cone beam computed tomography imaging. If a treatment interruption occurred, file-mode allowed the option to redeliver the beam where the interruption occurred or move on to the delivery of the next beam (ie, ignore the partial delivery of a single beam). One of the situations (situation 2) involves performing an FMEA for treating a patient for the first fraction that the patient is to be treated with no R&V. For the first fraction after the R&V is lost, an assumption is made that back-up methods are available to determine where in the course of treatment each patient was (ie, how many fractions had been treated up until the ransomware attack occurred).

Results

Figures 1 and 2 present process maps for treating patients with and without an R&V for clinics that treat using the ARIA R&V (process maps for clinics that treat with Mosaiq are provided in Appendix EA). Each process map is broken down by who is assigned to complete a task, including front desk, therapist, physician, dosimetrist, and physicist. Figure 1 presents a process map for treating with an R&V using ARIA, and Figure 2 presents a process map for treating with no R&V for clinics that in a nonransomware situation use ARIA. Key process map differences between treating with and without an R&V include checking the patient in using the EMR or a paper chart, loading the plans in file-mode, and using the paper chart to verify the treatment plan, fraction, and set-up parameters and to track the delivered dose.

Figure 1. Process map for a standard treatment where ARIA is available.

Figure 2. Process map for a standard treatment where the Record and Verify system is unavailable for a clinic that typically treats using ARIA. Changes relative to the process map where ARIA is available are provided in red and italicized text.

Table 1 lists the failure modes and accompanying RPN scores for identified failure modes for a standard treatment with and without an R&V. The average (± standard deviation) RPN for failure modes treating patients with an R&V was 110 ± 74 and without an R&V was 188 ± 103, representing a 71% increase. The failure modes with the highest RPN when treating with an R&V were 1) patient does not show up for treatment (RPN = 245), 2) wrong beam modifier (RPN = 224), and 3) patient in the wrong treatment position (RPN = 180). The failure modes with the highest RPN when treating with no R&V were 1) dose not recorded, fraction inadvertently repeated (RPN = 392), 2) wrong patient brought from waiting room for treatment (RPN = 294), and 3) patient does not show up for treatment (RPN = 280).

Table 1. Failure modes and accompanying RPN scores for identified failure modes for a standard treatment with and without a Record and Verify system

| Failure mode | Impact | RPN with record and verify (occurrence, detectability, severity) | RPN with no record and verify (occurrence, detectability, severity) | Percent increase (%) |
|---|---|---|---|---|
| Dose not recorded, fraction repeated | Overtreatment | 126 (3, 6, 7) | 392 (7, 8, 7) | 211 |
| Wrong patient brought from waiting room for treatment | Patient treated with wrong plan | 140 (5, 4, 7) | 294 (7, 6, 7) | 110 |
| Patient does not show up for treatment | Gap in treatment | 245 (7, 7, 5) | 280 (7, 8, 5) | 140 |
| Wrong beam modifier | Wrong dose to patient | 224 (7, 8, 4) | 224 (7, 8, 4) | 0 |
| Beam interruption | One beam not delivered, partial under- or overdose | 64 (8, 2, 4) | 224 (8, 7, 4) | 250 |
| Proper IGRT not performed | Patient not aligned correctly | 96 (4, 4, 6) | 216 (6, 6, 6) | 225 |
| Patient wrongly aligned during image alignment | Dose delivered to wrong location | 168 (6, 4, 7) | 210 (6, 5, 7) | 25 |
| Patient arrival not communicated, missed treatment | Gap in treatment | 60 (6, 2, 5) | 210 (6, 7, 5) | 250 |
| Wrong positioning applied | Patient in wrong position | 180 (6, 6, 5) | 180 (6, 6, 5) | 0 |
| Wrong plan pulled up for the right patient | Patient treated with wrong plan | 84 (3, 4, 8) | 168 (6, 4, 7) | 100 |
| Partial treatment missed | Partial underdose | 60 (3, 4, 5) | 105 (3, 7, 5) | 75 |
| Patient not sent for clinic visit | Missed clinic visit | 72 (8, 9, 1) | 81 (9, 9, 1) | 12 |
| Pacemaker not monitored according to instructions | Pacemaker not monitored | 10 (1, 10, 1) | 30 (3, 10, 1) | 300 |
| Patient came back twice in same day | Exceeded daily dose | 4 (1, 1, 4) | 16 (1, 4, 4) | 300 |
| Average ± SD | | 110 ± 74 | 188 ± 103 | 71 |

Abbreviations: IGRT = Image Guided Radiation Therapy; RPN = Risk Priority Number.

The rows are ordered from highest to lowest RPN score for the situation with no Record and Verify system available.
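The scoring and aggregation described in Methods (RPN = O × S × D, severity held fixed between states, mean ± SD per state, percent increase of the mean) applied to the Table 1 scores, as an added example that is not code from the paper. The `FailureMode` record, the function names and the consistency checks are this example's own constructions; the score tuples are copied from Table 1 in the header's order (occurrence, detectability, severity).

```python
"""Risk Priority Number bookkeeping for the with/without R&V FMEA comparison.

Added example, not code from the paper. Scores are copied from the paper's
Table 1 (standard treatment); tuple order follows the table header,
(occurrence, detectability, severity), and RPN is the product of the three.
"""
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class FailureMode:          # hypothetical record type, not from the paper
    name: str
    impact: str
    with_rv: tuple          # (O, D, S) with the Record and Verify system
    rpn_with: int           # RPN as stated in the table
    without_rv: tuple       # (O, D, S) with the R&V disabled (ransomware state)
    rpn_without: int


def rpn(scores):
    """Risk Priority Number: product of the three 1-10 scores (O, D, S)."""
    if len(scores) != 3 or any(not 1 <= v <= 10 for v in scores):
        raise ValueError(f"scores must be three values in 1..10: {scores}")
    o, d, s = scores
    return o * d * s


# Rows of the paper's Table 1: name, impact, with (O,D,S), RPN, without (O,D,S), RPN.
TABLE_1 = [FailureMode(*row) for row in [
    ("Dose not recorded, fraction repeated", "Overtreatment",
     (3, 6, 7), 126, (7, 8, 7), 392),
    ("Wrong patient brought from waiting room for treatment",
     "Patient treated with wrong plan", (5, 4, 7), 140, (7, 6, 7), 294),
    ("Patient does not show up for treatment", "Gap in treatment",
     (7, 7, 5), 245, (7, 8, 5), 280),
    ("Wrong beam modifier", "Wrong dose to patient", (7, 8, 4), 224, (7, 8, 4), 224),
    ("Beam interruption", "One beam not delivered, partial under- or overdose",
     (8, 2, 4), 64, (8, 7, 4), 224),
    ("Proper IGRT not performed", "Patient not aligned correctly",
     (4, 4, 6), 96, (6, 6, 6), 216),
    ("Patient wrongly aligned during image alignment",
     "Dose delivered to wrong location", (6, 4, 7), 168, (6, 5, 7), 210),
    ("Patient arrival not communicated, missed treatment", "Gap in treatment",
     (6, 2, 5), 60, (6, 7, 5), 210),
    ("Wrong positioning applied", "Patient in wrong position",
     (6, 6, 5), 180, (6, 6, 5), 180),
    ("Wrong plan pulled up for the right patient",
     "Patient treated with wrong plan", (3, 4, 8), 84, (6, 4, 7), 168),
    ("Partial treatment missed", "Partial underdose", (3, 4, 5), 60, (3, 7, 5), 105),
    ("Patient not sent for clinic visit", "Missed clinic visit",
     (8, 9, 1), 72, (9, 9, 1), 81),
    ("Pacemaker not monitored according to instructions",
     "Pacemaker not monitored", (1, 10, 1), 10, (3, 10, 1), 30),
    ("Patient came back twice in same day", "Exceeded daily dose",
     (1, 1, 4), 4, (1, 4, 4), 16),
]]


def consistency_issues(rows):
    """Checks a scored FMEA sheet should pass before its RPNs are compared:
    every stated RPN must equal O*D*S, and severity must be identical in both
    states (the method holds S fixed so that only O and D can move)."""
    issues = []
    for r in rows:
        for label, scores, stated in (("with R&V", r.with_rv, r.rpn_with),
                                      ("no R&V", r.without_rv, r.rpn_without)):
            if rpn(scores) != stated:
                issues.append((r.name, label, f"stated {stated}, product {rpn(scores)}"))
        if r.with_rv[2] != r.without_rv[2]:
            issues.append((r.name, "severity", f"{r.with_rv[2]} vs {r.without_rv[2]}"))
    return issues


def percent_increase(before, after):
    """Relative growth of an RPN (or a mean RPN) once the R&V is unavailable."""
    return 100.0 * (after - before) / before


def summarize(rows):
    """Mean +/- sample standard deviation of the stated RPNs in each state,
    plus the percent increase of the mean RPN without the R&V."""
    w = [r.rpn_with for r in rows]
    n = [r.rpn_without for r in rows]
    return {"mean_with": mean(w), "sd_with": stdev(w),
            "mean_without": mean(n), "sd_without": stdev(n),
            "pct_increase": percent_increase(mean(w), mean(n))}


def ranked_without_rv(rows):
    """Failure modes ordered by RPN in the ransomware (no R&V) state."""
    return sorted(rows, key=lambda r: r.rpn_without, reverse=True)


def largest_relative_increases(rows, n=3):
    """Failure modes whose risk grows the most, relatively, when the R&V is lost."""
    return sorted(rows, key=lambda r: percent_increase(r.rpn_with, r.rpn_without),
                  reverse=True)[:n]


if __name__ == "__main__":
    s = summarize(TABLE_1)
    print(f"with R&V {s['mean_with']:.0f} +/- {s['sd_with']:.0f}; "
          f"no R&V {s['mean_without']:.0f} +/- {s['sd_without']:.0f}; "
          f"mean RPN up {s['pct_increase']:.1f}%")
    for r in ranked_without_rv(TABLE_1)[:3]:
        print(f"  {r.rpn_without:4d}  {r.name}")
    for issue in consistency_issues(TABLE_1):
        print("  check:", issue)
```

The unrounded means give a 71.6% increase; the 71% reported in the paper is what the rounded means it prints (188 vs 110) yield. The consistency check flags one Table 1 row whose stated with-R&V RPN is not the product of its scores and whose severity differs between the two states, which is the kind of transcription slip a clinic's own contingency FMEA sheet should catch before ranking.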

Figure 3 presents a process map for a standard treatment of a patient for the first fraction right after the R&V capabilities are disabled due to a ransomware attack. Key steps include recreating plan details (for example fraction number the patient is on, the radiation prescription, and set-up notes), exporting the plan to a file that the linear accelerator can access, reprinting the plan, and rechecking the plan. Table 2 shows the RPN scores for the first fraction of treatment in a ransomware attack state where the patient is treated in file-mode and using a paper chart. The average RPN is 197 ± 123, which is 72% higher than a standard treatment with an R&V (Table 1). The top 3 failure modes for the first fraction of treatment in a ransomware attack state were 1) a patient is missed that was on treatment (RPN = 441), 2) the wrong plan version is exported from planning system (RPN = 315), and 3) an incorrect on-treatment fraction number is determined (RPN = 280).

Figure 3. Process map for a standard treatment of a patient for the first fraction right after the Record and Verify capabilities are disabled due to a ransomware attack.

Table 2. Failure modes and accompanying RPN scores for identified failure modes for the first fraction of treatment without a Record and Verify system

| Failure mode | Impact | RPN with no record and verify (occurrence, detectability, severity) |
|---|---|---|
| Missed a patient that was on treatment | Patient has a gap in treatment until discovered | 441 (7, 7, 9) |
| Export the wrong plan version from planning system (for a clinic that lost both ARIA and Eclipse treatment planning capabilities) | Treat with wrong plan version | 315 (7, 9, 5) |
| Incorrect on-treatment fraction number (transcription error or therapist didn’t update document) | Tumor underdose (minor) | 280 (7, 8, 5) |
| Incorrect list of plans on treatment for a multi-site treatment (for a clinic that lost both ARIA and Eclipse treatment planning capabilities) | One of the treatment sites does not get treated | 270 (6, 5, 9) |
| Export the wrong plan version from planning system | Treat with wrong plan version | 270 (6, 9, 5) |
| In calling patients to give them their schedule, one is missed and not followed up | Patient has a gap in treatment until discovered | 252 (7, 4, 9) |
| Incorrect list of plans on treatment for a multi-site treatment | One of the treatment sites does not get treated | 225 (5, 5, 9) |
| Incorrect set-up and patient positioning | Dose not delivered as intended | 196 (7, 7, 4) |
| Incorrect prescription | Incorrect dose delivered | 128 (4, 4, 8) |
| Creating the paper schedule, a patient is missed | Patient has a gap in treatment until discovered | 108 (3, 4, 9) |
| Incorrect assignment of bolus | Incorrect dose delivered (minor) | 64 (4, 4, 4) |
| Boost plan not ready in time | Patient has a gap | 64 (4, 4, 4) |
| Boost plan ready, but physics check missed, and plan technically incorrect | Plan technically incorrect and not caught | 64 (2, 4, 8) |
| Incorrect patient preparation | Wrong dose distribution (minor) | 36 (3, 3, 4) |
| Average ± SD | | 194 ± 119 |

Abbreviation: RPN = Risk Priority Number.

The rows are ordered from highest to lowest RPN score.

Process maps for the 3 plan alteration processes are provided in Appendix EB. For the situation where the patient is on treatment, the physician changes a plan, the number of fractions is kept constant, and no resimulation is required, the average RPN for failure modes treating patients with an R&V was 78 ± 8 and without an R&V was 153 ± 81, representing a 96% increase (Table 3). For the situation where the patient is on treatment, an adaptive plan is requested, a resimulation is required, and the number of fractions is kept constant, the average RPN for failure modes treating patients with an R&V was 56 ± 8 and without an R&V was 77 ± 32, representing a 38% increase (Table 4). Only one failure mode was identified for the situation where the patient is on treatment and the physician changes the number of fractions using the same treatment plan. The identified failure mode for the fraction change situation was that the incorrect number of fractions would be scheduled for the new plan. The RPN for the single identified failure mode when treating with an R&V was 48 and without an R&V was 72, representing a 50% increase. For clinics that use ARIA, and therefore in a ransomware attack state would lose both their R&V and TPS capabilities, the replanning situations described in Tables 3 and 4 would not be possible.

Table 3. Failure modes and accompanying RPN scores for identified failure modes for a situation where the patient is on treatment, the physician changes a plan, the number of fractions is kept constant, and no resimulation is required

| Failure mode | Impact | RPN with record and verify (occurrence, detectability, severity) | RPN with no record and verify (occurrence, detectability, severity) | Percent increase (%) |
|---|---|---|---|---|
| Did not schedule new plan/old fields not hidden | Patient gets treated with old plan/field | 84 (4, 3, 7) | 210 (6, 5, 7) | 125 |
| New plan gets planned/scheduled for wrong number of fractions | Wrong total dose | 72 (4, 3, 6) | 96 (4, 4, 6) | 33 |
| Average ± SD | | 78 ± 8 | 153 ± 81 | 96 |

Abbreviation: RPN = Risk Priority Number.

Data are presented for situations with and without a Record and Verify system being available. The rows are ordered from highest to lowest RPN score for the situation with no Record and Verify system available.

Table 4. Failure modes and accompanying RPN scores for identified failure modes for a situation where the patient is on treatment, an adaptive plan is requested, a resimulation is required, and the number of fractions is kept constant

| Failure mode | Impact | RPN with record and verify (occurrence, detectability, severity) | RPN with no record and verify (occurrence, detectability, severity) | Percent increase (%) |
|---|---|---|---|---|
| Therapists not notified of adaptive process and planner does not untreat approve and de-schedule old plan/did not hide fields | Keep treating the old plan until new plan ready | 56 (2, 4, 7) | 112 (4, 4, 7) | 100 |
| Old plan not completed/fields not deleted | Extra fractions treated | 64 (4, 2, 8) | 72 (3, 3, 8) | 13 |
| Planner not notified to start planning | Plan not ready in time; gap in treatment | 48 (2, 4, 6) | 48 (2, 4, 6) | 0 |
| Average ± SD | | 56 ± 8 | 77 ± 32 | 38 |

Abbreviation: RPN = Risk Priority Number.

Data are presented for situations with and without a Record and Verify system being available. The rows are ordered from highest to lowest RPN score for the situation with no Record and Verify system available.

Discussion

The presented study performs an FMEA comparing RPN scores with and without an R&V in a standard treatment scenario, a standard treatment of a patient for the first fraction right after R&V capabilities are disabled, and 3 less common scenarios where a plan alteration is necessary. Our data indicate that compared with a nonransomware attack state where the R&V is available, RPN scores increased by an average of 71% when R&V functionality is disabled (Table 1). In less common situations involving adaptive planning or alteration of a treatment course, the RPN scores increased by 38% to 96%. Because the severity (S) score was kept consistent between the situations with and without an R&V, the increase in RPN is entirely due to the increase in occurrence and/or decrease in detectability of the failure mode. Because the increase in RPN score is entirely due to the increase in occurrence and decrease in detectability, and previous studies have shown correlations between FMEA analysis and safety incidents,14,15 the 71% increase in RPN can be taken as a surrogate for the increase in the likelihood of a radiation therapy incident impacting a patient compared with the probability of such an incident under normal operating conditions (where all software functionality is available).

The data revealed that the failure modes with the highest RPN scores in a ransomware attack state with R&V capabilities disabled differed from the failure modes with the highest RPN scores with R&V capabilities intact (Table 1). The 3 highest RPN scores for a standard treatment without an R&V were 1) the dose is not recorded, and the fraction is therefore repeated (RPN = 392), 2) the wrong patient is brought from the waiting room to the treatment room (RPN = 294), and 3) the patient does not show up for treatment (RPN = 280). Without an R&V, our data identified that checking in patients, bringing a patient from the waiting room to the treatment room, and tracking when a patient misses treatment were the failure modes that had the greatest increase in likelihood of occurring. In a ransomware attack state when the R&V is unavailable, the tracking of patient arrival and check-in processes are typically done with either the EMR, using custom software solutions, or manually using paper charting.6 Given the greatest increase in RPN score, our data suggest that ransomware attack preparation resources should be spent exploring, developing, and testing robust back-up patient scheduling and check-in methods. The third failure mode identified with a high RPN in a ransomware attack state is the dose not being recorded, as manual recording of dose is not as effective as automated methods.16,17 To decrease the likelihood of the dose not being recorded correctly in a ransomware attack state, alternative dose tracking methods (for example obtaining delivered dose information from log files18) should be considered.

The highest RPNs for the specialized situation where the first fraction of treatment is performed without an R&V system (and therefore includes the step of gathering critical information) include missing a patient that was on treatment (RPN = 441), the wrong plan version being exported from the planning system (RPN = 315), and an incorrect on-treatment fraction number being determined (RPN = 280). The failure modes of determining which patients are under treatment and how many fractions had been delivered before the ransomware attack have been noted as a potential source of error,2,6 and the presented quantitative data underscore the importance of having a robust and reliable back-up system of basic information. The failure mode of exporting the wrong treatment plan can be mitigated by having a clear paradigm of which plans are being used for treatment, potentially deleting or moving any unused plans from the TPS, and having a robust back-up of DICOM files (which all 3 institutions involved in the work had in place). Within the replanning situations, the failure mode with the highest RPN is not scheduling a new plan (or not hiding old treatment fields) when a replan is requested (Table 3, RPN = 210). The failure mode of not updating a treatment plan to reflect the desired change can be mitigated by having a redundant system to check that plan alterations have been completed and by automatically deleting or removing any existing plans when a change of plan is requested.

The FMEA evaluating treating patients in a ransomware attack state is dependent on the assumptions made to perform the analysis. To appropriately define the scope of the FMEA and to mimic previous cyberattacks,2,6 several critical assumptions were made for the analysis, including 1) that a department had chosen to continue treating patients in a ransomware attack state, 2) access to other critical software (EMR, linear accelerator driving software, and ancillary software) remained intact, 3) access to the TPS remained for clinics that use Mosaiq and was disabled for clinics that use ARIA, 4) a back-up of basic information was available including patient schedules, fraction tracking, and approved treatment plans, and 5) file-mode and manual charting methods were used for treatment. Several of the assumptions warrant further discussion. An assumption that is imperative to the study is a clinic’s decision of whether to continue treating in a ransomware attack state or to cancel patient treatments and refer patients to another facility. Although the data presented in the present study show that continuing to treat in a ransomware attack state poses a greater risk of errors occurring, referring patients to another facility would significantly delay radiation therapy delivery, which has been shown to worsen clinical outcomes for certain disease sites.19-22 Although some clinics chose to cancel all radiation therapy treatments when impacted by a ransomware attack, several chose to continue treating patients using the presented workflow.2-9 A key assumption that represented the workflow of the 3 clinics involved in the work was that a back-up of basic information (including patient schedules, fraction tracking, and approved treatment plans) was available. At each of the 3 clinics, this information was assumed to be redundantly stored in a combination of hospital EMR systems, an RT-PACS, and a TPS.
Without a back-up of basic information, many of the noted steps in the process map (particularly for the situation of treating for the first fraction in a ransomware attack state) would not be possible or would pose a much higher risk of error. The scenarios described in the present work assume linear accelerator file-mode capabilities using a Varian linear accelerator. File-mode using an Elekta linear accelerator has been previously described23 and may warrant different options and challenges relative to the presented workflows. Similarly, operating in service-mode with either a Varian or Elekta linear accelerator may also warrant different failure modes relative to the presented scenarios. A common scenario that can occur in a ransomware attack state is that the entire network infrastructure is under attack and therefore access to all software, not just the R&V, is disabled.9 If the entire network is unavailable, proceeding with radiation therapy treatment may not be possible. Even if a decision is made to refer patients to a different facility for treatment, the recommendation made by the FMEA to have a robust and reliable back-up source of basic information (including which patients are under treatment and how many fractions have been delivered) is still critical. Although the FMEA is specific to the assumptions made, the presented data can be used as a guide for how to prospectively assess risk in a ransomware attack scenario.

The frequency of cyberattacks continues to rise in health care,1,2 with numerous reported ransomware incidents impacting Radiation Oncology departments.2-9 Radiation Oncology departments have recognized the importance of developing a cyberattack contingency plan. Data from a Radiation Oncology-based cyberattack survey show that 86% of responders recognize that it is "essential" or "desirable" to have a cyberattack contingency plan in place.10 The same survey also highlighted that, while responders recognized the importance of cyberattack contingency plans, they noted that developing a robust plan may not be practical due to resource limitations.10 Given that resources are limited and quantitative data are needed to drive the focus of ransomware attack preparation, the presented study is important in that it quantifies the increased risk of treating in a ransomware attack state and identifies key failure modes that departments can prioritize when developing a cyberattack contingency plan.

Conclusion

The study performed an FMEA for patients being treated with radiation therapy in a ransomware attack scenario, comparing RPN for patients treated with and without an R&V. The data indicate that RPN scores increased by 71% (range, 38%-96%) when R&V functionality is disabled compared with a nonransomware attack state where R&V functionality is available. The failure modes with the highest RPN included incorrectly identifying patients on treatment, incorrectly identifying where a patient is in their course of treatment, treating the incorrect patient, and not correctly keeping track of delivered fractions. The presented study quantifies the increased risk of incidents when treating in a ransomware attack state, identifies key failure modes that departments can prioritize when preparing for a ransomware attack, and provides data that can be used to guide future ransomware resiliency research.

Supplementary Material

Appendix

Footnotes

Supplementary materials

Supplementary material associated with this article can be found in the online version at doi:10.1016/j.prro.2024.03.001.

References

1. Al-rimy BAS, Maarof MA, Shaid SZM. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Comput Secur. 2018;74:144–166.
2. Joyce C, Roman FL, Miller B, Jeffries J, Miller RC. Emerging cybersecurity threats in radiation oncology. Adv Radiat Oncol. 2021;6:100796.
3. Ades S, Herrera DA, Lahey T, et al. Cancer care in the wake of a cyberattack: How to prepare and what to expect. JCO Oncol Pract. 2022;18:23–34.
4. Nelson CJ, Lester-Coll NH, Li PC, et al. Development of rapid response plan for radiation oncology in response to cyberattack. Adv Radiat Oncol. 2020;6:100613.
5. Oliver M, Pearce A, Stillwaugh L, Leszczynski K. The impact of a cyberattack at a radiation oncology department: immediate response and future preparedness. Adv Radiat Oncol. 2022;7:100896.
6. Harrison AS, Sullivan P, Kubli A, et al. How to respond to a ransomware attack? One radiation oncology department’s response to a Cyber-Attack on their record and verify system. Pract Radiat Oncol. 2021;12:170–174.
7. Nichols E, Rahman S, Yi B. The impact of cybersecurity in radiation oncology: Logistics and challenges. Appl Rad Oncol. 2018;7:14–18.
8. Harvey H, Joyce R, Rock K, et al. The impact of a ransomware cyber attack on a breast cancer center. J Clin Oncol. 2022;40(16 Suppl):e13620.
9. Flavin A, O’Toole E, Murphy L, et al. A national cyberattack affecting radiation therapy: The Irish experience. Adv Radiat Oncol. 2022;7:100914.
10. Yi B, Sawant A, Chen S, Lee S-W, Zhang B. Readiness for radiation treatment continuity: Survey on contingency plans against cyberattacks. Adv Radiat Oncol. 2022;7:100990.
11. Huq MS, Fraass BA, Dunscombe PB, et al. The report of Task Group 100 of the AAPM: Application of risk analysis methods to radiation therapy quality management. Med Phys. 2016;43:4209–4262.
12. Wexler A, Gu B, Goddu S, et al. FMEA of manual and automated methods for commissioning a radiotherapy treatment planning system. Med Phys. 2017;44:4415–4425.
13. Noel CE, Santanam L, Parikh PJ, Mutic S. Process-based quality management for clinical implementation of adaptive radiotherapy. Med Phys. 2014;41(8 Part 1):081717.
14. Hoisak JD, Manger R, Dragojević I. Benchmarking failure mode and effects analysis of electronic brachytherapy with data from incident learning systems. Brachytherapy. 2021;20:645–654.
15. Yang F, Cao N, Young L, et al. Validating FMEA output against incident learning data: A study in stereotactic body radiation therapy. Med Phys. 2015;42(6 Part 1):2777–2785.
16. Margalit DN, Chen Y-H, Catalano PJ, et al. Technological advancements and error rates in radiation therapy delivery. Int J Radiat Oncol Biol Phys. 2011;81:e673–e679.
17. Yeung TK, Bortolotto K, Cosby S, Hoar M, Lederer E. Quality assurance in radiotherapy: Evaluation of errors and incidents recorded over a 10 year period. Radiother Oncol. 2005;74:283–291.
18. Chow VU, Kan MW, Chan AT. Patient-specific quality assurance using machine log files analysis for stereotactic body radiation therapy (SBRT). J Appl Clin Med Phys. 2020;21:179–187.
19. Hanna TP, King WD, Thibodeau S, et al. Mortality due to cancer treatment delay: Systematic review and meta-analysis. BMJ. 2020;371:m4087.
20. Ferreira JAG, Olasolo JJ, Azinovic I, Jeremic B. Effect of radiotherapy delay in overall treatment time on local control and survival in head and neck cancer: Review of the literature. Rep Pract Oncol Radiother. 2015;20:328–339.
21. Mohammed N, Kestin LL, Grills IS. Rapid disease progression with delay in treatment of non–small-cell lung cancer. Int J Radiat Oncol Biol Phys. 2011;79:466–472.
22. Paulino AC, Wen B-C, Mayr NA, et al. Protracted radiotherapy treatment duration in medulloblastoma. Am J Clin Oncol. 2003;26:55–59.
23. Nelson CJ, Soisson ET, Li PC, et al. Impact of and response to cyberattacks in radiation oncology. Adv Radiat Oncol. 2022;7:100897.
