How to Respond to a Ransomware Attack? One Radiation Oncology Department's Response to a Cyber-Attack on Their Record and Verify System.

The digitization of healthcare for patient safety and efficiency introduced third party networks into closed hospital systems increasing the probability of cyberattacks and their consequences(1). In April 2021, a major vendor of a Radiation Oncology (RO) record and verify system (RVS) suffered a ransomware attack, affecting our department and many others across the United States. This article summarizes our response to the ransomware event including workflows, team member roles, responsibilities, communications and departmental recovery. The RVS created or housed accurate patient dose records for 6 locations. The immediate response to the ransomware attack was to shut down the system including the ability to treat patients. With the utilization of the hospital EMR and pre-existing interfaces with RVS, the department was able to safely continue patient radiotherapy treatments innovatively utilizing a direct Digital Imaging and Communications in Medicine (DICOM) transfer of patient data to the linear accelerators and implementing paper charting. No patients were treated in the first 24 hours of the attack. Within 48 hours of the ransomware event, 50% of patients were treated, and within 1 week, 95% of all patients were treated using direct DICOM transfer and paper charts. The RVS was completely unavailable for 2.5 weeks and full functionality was not restored for 4.5 weeks. A phased approach was adopted for re-introduction of patient treatments back into the RVS. Human capital costs included communication, outreach, workflow creation, quality assurance and extended clinical hours. Key lessons learned were to have a back-up of essential information, employ 'dry run' emergency training, having consistent parameter requirements across different vendor hardware and software, and having a plan for the recovery effort of restoring normal operations once software is operational. The provided report presents valuable information for the development of cyber-attack preparedness for RO departments.

A tutorial on activity-based costing of electronic health records.

As the American Recovery and Restoration Act of 2009 allocates $19 billion to health information technology, it will be useful for health care managers to project the true cost of implementing an electronic health record (EHR). This study presents a step-by-step guide for using activity-based costing (ABC) to estimate the cost of an EHR. ABC is a cost accounting method with a "top-down" approach for estimating the cost of a project or service within an organization. The total cost to implement an EHR includes obvious costs, such as licensing fees, and hidden costs, such as impact on productivity. Unlike other methods, ABC includes all of the organization's expenditures and is less likely to miss hidden costs. Although ABC is used considerably in manufacturing and other industries, it is a relatively new phenomenon in health care. ABC is a comprehensive approach that the health care field can use to analyze the cost-effectiveness of implementing EHRs. In this article, ABC is applied to a health clinic that recently implemented an EHR, and the clinic is found to be more productive after EHR implementation. This methodology can help health care administrators assess the impact of a stimulus investment on organizational performance.