Friday 14 May 2021, is a day I will never forget. I walked to work with a colleague, having heard on the national news that there had been a cyberattack on the Health Service Executive (HSE), i.e., the Irish health system. We had just come out of another COVID lockdown, the sun was shining, and certainly we had no desire to discuss another looming disaster. We briefly mentioned it, I suppose thinking it would be sorted by the time we got to work, or that it probably wouldn’t affect our services. Anyway, we were very wrong. In the case of my hospital, only 16 days later were we able to deliver radiotherapy to a patient. That period and subsequent dealing with the aftermath meant that those summer months were an absolute nightmare.

Were we prepared? We had a crisis plan in the event that all four linear accelerators should fail; patients would be transferred to another HSE centre. However, all HSE centres were affected, so our crisis plan couldn’t be executed. Nationally and locally, we scrambled together and worked effectively, but a huge number of decisions involved “thinking on our feet”. We worked long hours with no days off, so one could argue we were possibly not at our best when we made some of those crisis decisions.

Some basic preparation would have been a great help. In the case of my centre, the local private centre had capacity, but we had no prearranged agreement with it to transfer patients in the case of a catastrophic event like this. Although it took our emergency patients from day one, it took us five days to put an agreement in place to transfer our patients and staff there. Each patient then had to go through another CT scan and have their treatment replanned. While huge efforts were made to turn around plans rapidly, it generally took another two to three days to resume radiotherapy. I would strongly recommend having a reciprocal arrangement in place with an adjacent centre for an event like a cyberattack; we know that for a lot of our patients, the clock starts ticking as soon as they start radiotherapy, and oncological outcome can be adversely affected by gaps in radiotherapy. We additionally had to rely on the media to get patients to contact helplines, as we had lost all their demographic information and could not communicate with them. Again, basic preparation such as holding a list of patients currently on treatment, their dose and fractionation records and their contact details on a separate network would have made things a lot easier for patients and staff.

You can and should take every measure possible to reduce the risk of a cyberattack in your service, but despite your best efforts, it may still happen. Whilst you can’t remove all the horrors of a cyberattack, you can minimise the impact on patients by creating a business continuity plan. I congratulate colleagues in Belgium and Maryland, USA, who have accepted the reality of a cyberattack, rather than hope it won’t happen to them (Messens, 2024; Zhang, 2020). They have taken complex steps to continue to be able to treat patients during an IT failure or cyberattack. All radiotherapy departments should do this to mitigate the effects of these types of disasters.

To conclude, cyberattacks are a constant threat, and guidance is essential to help departments prepare effectively. Currently, the American Association of Physicists in Medicine Task Group 393 and ESTRO are producing guidance documents, which should offer valuable contingency measures that will provide welcome support in strengthening our preparedness for these events.
 

Aileen Flavin
Radiation Oncologist
Medical Imaging & Radiation Therapy
School of Medicine, University College Cork
Ireland

References

1. Messens E, Dabach A, Stevens P et al. Cyberattack fallback scenario for a radiotherapy department. Radiotherapy and Oncology, 2024, 194: S2922-S2923
2. Zhang, B., Chen S, Nichols E et al. A Practical Cyberattack Contingency Plan for Radiation Oncology. Journal of Applied Clinical Medical Physics, 2020, 21(7): 181-186.