Cyberattacks: What can radiology do to boost protection?

The 2021 cyberattack on the Irish healthcare system caused major disruption. Now authors from Cork have written about their experiences and how they've modified their approach to cybersecurity and implemented plans similar to those made for natural disasters.

In a study published on January 2 in the Journal of Cancer Policy, clinicians at the hospital assessed the impact of the incident and provided a framework for other institutions to mitigate the impact of such attacks.

“The sudden, immediate, and complete shutdown of the radiology information system (RIS) and picture archiving and communications system (PACS) was profound and devastating in our tertiary referral center with a high volume and complex case mix,” wrote medical oncologist Dr. Rachel Keogh, and colleagues.

Cork University Hospital is a level 5 hospital with 800 beds, 25,500 in-patient admissions, 27,000-day cases, and 58,000 emergency cases every year and employs over 4,000 staff. It is one of eight adult National Cancer Control Program (NCCP)-affiliated cancer centers and one of 54 acute hospitals in Ireland run by the Health Service Executive (HSE).

On the morning of May 14, 2021, the HSE received reports from hospitals of an attack on encrypted systems via Conti Ransomware. The source of the cyberattack originated from a phishing email sent on March 18, 2021, to a workstation whose antivirus software was set to monitor mode and consequently did not block resultant malicious commands.

In the ensuing two months, the attacker operated throughout the HSE’s IT environment, compromising servers, exfiltrating data, and moving laterally between hospitals, the authors wrote.

To help other institutions mitigate the impact when faced with a cyberattack, the authors have provided a summary of 10 steps organizations can take:

1. Patient safety: Revert to paper-based processes, focus on accurate patient identification and correct report of findings, and transfer patient care where possible to unaffected sites such as private institutions.
2. Paralysis: Complete shutdown of all devices and IT systems to mitigate against further threat.
3. Protect: Disconnect devices, servers, and emails and replace them with an alternative such as an encrypted messaging system (e.g., proton mail).
4. Prioritize: Develop recommendations/guidelines for treatment prioritization based on level of urgency.
5. Promote: Alternative communication pathways through staff education and training.
6. Publicize: Outreach to patients and community, nominate communication officer to liaise with media and public.
7. Protocol: Encourage the use of standardized documents such as systemic therapy templates, treatment summaries to avoid errors.
8. Personnel: Deploy staff to areas of need e.g., "runners" to transport written lab and imaging requests and reports, have backup paper-based rotas, staff contact, and payroll details.
9. Psychological support: Focus on staff burnout, promote staff wellbeing, and drop-in sessions with occupational health.
10. Prepare: Cyberattack contingency plan essential to mitigate risk from further ransomware attacks.

Ultimately, cyberattacks have rapid, profound, and protracted impact, the authors wrote. While laboratory and diagnostic deficits may be readily quantified, the impact of disrupted or delayed care on patient outcomes is less readily quantifiable, they noted.

“We provide a framework for other institutions for mitigating the impact of a cyberattack, underscoring the need for a cyber preparedness plan similar to those made for natural disasters,” the authors concluded.