Attack on Radiation Systems Vendor Affects Cancer TreatmentSome Hospitals Postpone Procedures as Systems Taken Offline
A series of cyber incidents targeting a Swedish vendor of oncology radiation systems earlier this month is still affecting some of the company's clients - including cancer treatment facilities in the U.S. - because the company has taken its cloud-based systems offline during its recovery effort.
Yale New Haven Health in Connecticut told local news media site WTNH on Friday that it was forced to take all its radiation equipment offline last week after a series of cyberattacks on Elekta, which provides the health system's cloud-based radiology software.
In another incident reported by news outlet WPRI, several local healthcare centers in Massachusetts and Rhode Island postponed radiation treatments for cancer patients earlier this month due to problems at Elekta. Among those affected, according to the news report, were cancer treatment centers of Southcoast Health in Massachusetts and cancer care facilities of Lifespan Cancer Institute in Rhode Island.
Yale New Haven Health, Southcoast Health and Lifespan did not immediately respond to requests for comment.
Elekta Confirms Incident
Elekta confirms to Information Security Media Group that its first-generation cloud-based storage systems experienced a data security incident. The company, however, did not provide further details, including whether ransomware was involved.
"As a precaution, we have taken our first-generation cloud systems offline in order to protect our customers and their patients," Elekta says.
"Only a subset of U.S. customers have been affected by this service outage. We recognize the impact this might have on affected customers and their patients and, while we are working tirelessly to enable customers to continue providing secure patient care, our first priority has been to confine the effects of the attack in order to safeguard our customers and their data," the company says.
"As part of this effort, we are continuing to complete the process of migrating customers to our new Microsoft Azure cloud. This migration had already started, and we are working around the clock to accelerate it."
Elekta says it worked with cyber experts and law enforcement agencies, including the FBI, to launch an investigation into the security incident to understand what happened, mitigate any possible harm and offer customers "a reliable solution that delivers on our commitment to ensure that cancer patients have access to precise and personalized radiotherapy treatments."
Elekta says it has notified and briefed its affected customers. The company declined to provide additional details about the attack "in order to avoid compromising our investigation or intruding on all of our customers’ rights to provide information to their patients."
Patient Safety Worries
The Elekta incident is a stark reminder of the worrisome threats ransomware attacks and other cyber incidents pose to systems and devices used for patient care.
"An attack on a medical device, particularly if that equipment is used to keep patients alive, is very dangerous as it can and will directly impact patient safety," says Jon Moore, chief risk officer at privacy and security consultancy Clearwater.
Organizations should conduct business impact assessments to understand the effects on their operations and patient safety if the confidentiality, integrity or availability of the information processed by clinical systems is compromised, Moore adds.
"They should then conduct a risk analysis to understand the specific risks to the identified systems, including vendor or third-party risk," he says. "Organizations need to make informed decisions on how to treat identified risks, including mitigation through the implementation of additional controls where appropriate. This includes business continuity and disaster recovery planning and testing."
Motti Sorani, CTO of security vendor CyberMDX, notes: "Healthcare delivery organizations cannot afford an incident where a patient or staff member will be put in danger, so while a billing machine in the hospital network also needs to be protected from attacks, prioritizing critical patient care devices that can impact human life is the highest priority.
"These devices are 'smart' - their operation is controlled by software, either local or remote, that could be manipulated to render the device behavior and turn it to be dangerous, by increasing the radiation levels, or the dosage rate."
When a vendor is compromised, there is always an extra concern about the impact of supply chain risks, Sorani says. For example, an attacker could potentially use a vendor's compromised permissions and access to change a device's configurations, alter software or laterally move a ransomware payload to a device, he says.
"This, of course, puts in risk not only the devices but the entire clinical network of the healthcare delivery organization," Sorani says.
Steps to Take
Healthcare organizations need to strengthen their vendor risk management programs - particularly as applied to the acquisition of networked medical devices, Moore says.
"They need to have solid inventories of their networked medical devices and monitor these devices for vulnerabilities," he says. "Applying patches when available and using network segmentation to wall off devices is probably the best technique available today to secure devices."
Organizations also should consider including hacks of medical devices in their business continuity exercises, he adds.
Concern over cyber risks posed by vendors to healthcare organizations are increasing, Moore adds. "There are a lot of legacy devices deployed. Many of these cannot be upgraded or patched and pose a particular danger that organizations will need to manage for some time even as more secure devices enter the market."
Resources are available to help vendors address evolving cybersecurity concerns pertaining to their products, Moore points out.
Those include: premarket and postmarket cybersecurity guidance from the Food and Drug Administration, guidance from the National Cyber Security Center of Excellence related to wireless infusion pumps, and resources from the Healthcare and Public Health Sector Coordinating Council Joint Cybersecurity Working Group.
A critical step, Sorani says, is for vendors to ensure remote access and control of any medical device is secured, properly authenticated and authorized. "The device should be restricted on the communications level to authorized parties only," he says.
"The next step is to be adaptable. As we all know, vulnerabilities and attacks are constantly evolving, so the best strategy is for the vendors to be able to evolve with it and put in place postmarket security controls that will allow them to send over software updates. That will eliminate or control the risk by closing the vulnerability or the undesired behavior pattern."