July 20, 2021 -- Cyberhacking of healthcare organizations are on the increase, and a recent cyberattack affected oncology care across the United States when hackers disrupted the software for machines that deliver radiotherapy to patients with cancer.
Cases of cyberhacking of healthcare organizations increased by 42% in 2020 from 2019, according to a report from the tech consulting firm Protenus, which issues an annual Breach Barometer report on the subject.
There were 470 hacks in 2020 vs 330 in 2019.
The cyberattack that specifically disrupted oncology care took place a few months ago. Hackers targeted the software for linear accelerators used in radiation therapy.
Elekta, the Swedish supplier of the software, said that their cloud-based data storage system experienced a "data security incident" in early- and mid-April. The company will not say whether or not the attack involved ransomware or was limited to attempted data theft.
"The incident is no longer ongoing," said Elekta's U.S. spokesperson Raven Canzeri in an email to Medscape Medical News.
At the time, however, Elekta cut off access to the data storage, which led to disruptions of radiation therapy sessions at 42 healthcare sites in the U.S., according to a report in the Atlanta Journal Constitution.
Elekta has 170 customers in the U.S., including multisite systems, that use the cloud-based data storage.
"We do not have the ability to operate the [radiation therapy] machines because the information that is programmed into those machines is up in the cloud," explained Marna Borgstrom, MPH, chief executive officer, Yale New Haven Health, New Haven, Connecticut, in a local news report at the time. The center suspended radiation treatment for 1 week.
All sites have resumed treatment, said Canzeri.
Sensitive patient information such as names, social security numbers, dates of birth, and diagnosis and treatment information was potentially exposed in the hack. However, no financial information was involved.
Cancer Centers of Southwest Oklahoma and Northwestern Memorial HealthCare (NMHC), a multihospital system in Illinois, both said they were told of those information vulnerabilities by Elekta in private communications.
The hack also affected Emory St. Joseph's Hospital in Georgia. Some of its radiation therapy patients had to be moved to other hospitals, and one patient expressed frustration and anxiety about the disruption, in a local news report. "It's stressful enough" to have cancer treatment without having also to "deal with this."
Elekta acknowledged that difficulty in its statement, emphasizing that the company "is committed to advancing patient care and outcomes and understands that any delay in scheduled radiation therapy adds to patients' treatment burden."
NMHC said that their data attack involved approximately 200,000 patients. However, the hack did not involve access to any of the NMHC electronic health records, but was restricted to Elekta's systems, they emphasized in a statement. The multihospital system said it was encouraging its oncology patients "to review statements from their health insurer or healthcare provider, and to contact them immediately if they see any services they did not receive."
The Weakest Link
Securing an institution or company against hacks requires multifaceted strategies but includes relatively simple measures like training staff to recognize common ploys, suggested a physician expert in 2019.
"The weakest link is still the healthcare employee duped by a 'phishing attack,'”Nabile M. Safdar, MD, associate chief medical information officer and vice chair of informatics at Emory University in Atlanta, told Medscape Medical Newsat the time.
In that same report, James Whitfill, MD, chief medical officer, Innovation Care Partners, Scottsdale, Arizona, said that "for now, it's the data that is being held for ransom," but that may evolve and become even more dramatic and dangerous.
Whitfill explained that numerous devices attached to or implanted in patients are potentially hackable. "In the future, people may be held for ransom," he warned.