How to Respond to a Ransomware Attack? One Radiation Oncology Department's Response to a Cyber-Attack on Their Record and Verify System.

The digitization of healthcare for patient safety and efficiency introduced third party networks into closed hospital systems increasing the probability of cyberattacks and their consequences(1). In April 2021, a major vendor of a Radiation Oncology (RO) record and verify system (RVS) suffered a ransomware attack, affecting our department and many others across the United States. This article summarizes our response to the ransomware event including workflows, team member roles, responsibilities, communications and departmental recovery. The RVS created or housed accurate patient dose records for 6 locations. The immediate response to the ransomware attack was to shut down the system including the ability to treat patients. With the utilization of the hospital EMR and pre-existing interfaces with RVS, the department was able to safely continue patient radiotherapy treatments innovatively utilizing a direct Digital Imaging and Communications in Medicine (DICOM) transfer of patient data to the linear accelerators and implementing paper charting. No patients were treated in the first 24 hours of the attack. Within 48 hours of the ransomware event, 50% of patients were treated, and within 1 week, 95% of all patients were treated using direct DICOM transfer and paper charts. The RVS was completely unavailable for 2.5 weeks and full functionality was not restored for 4.5 weeks. A phased approach was adopted for re-introduction of patient treatments back into the RVS. Human capital costs included communication, outreach, workflow creation, quality assurance and extended clinical hours. Key lessons learned were to have a back-up of essential information, employ 'dry run' emergency training, having consistent parameter requirements across different vendor hardware and software, and having a plan for the recovery effort of restoring normal operations once software is operational. The provided report presents valuable information for the development of cyber-attack preparedness for RO departments.

Design and Implementation of a Multipurpose Information System for Hematopoietic Stem-Cell Transplantation on the Basis of the Biomedical Research Integrated Domain Group Model.

PURPOSE: An important obstacle to cancer research is that nearly all academic cancer centers maintain substantial collections of highly duplicative, poorly quality-assured, nonintercommunicating, difficult-to-access data repositories. It is inherently clear that this state of affairs increases costs and reduces quality and productivity of both research and nonresearch activities. We hypothesized that designing and implementing a multipurpose cancer information system on the basis of the Biomedical Research Integrated Domain (BRIDG) model developed by the National Cancer Institute and its collaborators might lessen the duplication of effort inherent in capturing, quality-assuring, and accessing data located in multiple single-purpose systems, and thereby increases productivity while reducing costs. METHODS: We designed and implemented a core data structure on the basis of the BRIDG model and incorporated multiple entities, attributes, and functionalities to support the multipurpose functionality of the system. We used the resultant model as a foundation upon which to design and implement modules for importing preexisting data, capturing data prospectively, quality-assuring data, exporting data to analytic files, and analyzing the quality-assured data to support multiple functionalities simultaneously. To our knowledge, our system, which we refer to as the Cancer Informatics Data System, is the first multipurpose, BRIDG-harmonized cancer research information system implemented at an academic cancer center. RESULTS: We describe the BRIDG-harmonized system that simultaneously supports patient care, teaching, research, clinical decision making, administrative decision making, mandated volume-and-outcomes reporting, clinical quality assurance, data quality assurance, and many other functionalities. CONCLUSION: Implementation of a highly quality-assured, multipurpose cancer information system on the basis of the BRIDG model at an academic center is feasible and can increase access to accurate data to support research integrity and productivity as well as nonresearch activities.