In late 2020, government agencies released a joint statement saying there was “credible information of an increased and imminent cybercrime threat” to hospitals and health care providers in the United States.1
Indeed, in the months since then, headlines have detailed cyberattacks at health care organizations throughout the United States and the rest of the world.2
“These attacks are likely driven by the fact that someone can quickly monetize data that is critically important to providers,” said Anthony Lakin, chief information security officer at Moffitt Cancer Center in Tampa, Florida.
“Data is an asset for any organization, and, in health care, it is critically important, since mishandling and unauthorized use has the potential to negatively impact patient care,” he added.
How Cyberattacks Impact Care
On the same day the aforementioned statement was released — October 28, 2020 — the University of Vermont Health Network (UVMHN) in Burlington suffered a ransomware attack with “wide-ranging and immediate consequences,” according to an article published in JCO Oncology Practice.3
In the article, Steven Ades, MD, and colleagues from UVMHN detailed some of the immediate challenges they faced after the attack. They lost access to all network intranet servers, email communication, and the electronic medical record (EMR).
“With loss of access to schedules, basic patient information, encrypted communications platforms and radiology, and laboratory and pharmacy services, clinical outpatient care delivery was reduced by 40%,” Dr Ades and colleagues wrote.
“The infusion visit volume dropped by 52% in the first week, and new patients could not access necessary services for timely diagnostic evaluation, requiring the creation of command centers to oversee ethical and transparent triage and allocation of systemic therapies and address new patient referrals,” the authors explained.
In April 2021, another attack of targeted data stored on a cloud-based system affected patients at about 50 health care providers in the United States.2 This attack targeted software for linear accelerators used in the delivery of radiotherapy.
“A lot of what we do in medical physics, particularly with this vendor and its software, works in the cloud,” explained Adam Dicker, MD, PhD, chair of the department of radiation oncology at Thomas Jefferson University in Philadelphia, which was affected by the attack.
“Everywhere is configured differently, but, at some locations, the software helps operate linear accelerators and is an oncology-specific EMR, including records of the doses, other technical minutia, and a picture of the patient.”
For example, Northwestern Memorial HealthCare in Chicago reported that sensitive data for about 200,000 of their patients were compromised in this attack.2
Dr Dicker said the effect on patient-specific information was limited at the Sidney Kimmel Cancer Center (part of Jefferson Health) because some of the radiation treatment details were stored in the main EMR system. However, the center was still unable to provide radiation oncology treatments for 2 days, he said.
“One of our physicists was able to figure out an approach to manipulating the linear accelerators while disconnected from the cloud utilizing a feature for quality assurance, and we were able to treat patients, but it was incredibly complex and took longer to treat patients,” Dr Dicker said.