222 - Cyberattack Resiliency Exercises in Radiation Oncology
Presenter(s)
A. Safakish¹, M. Marquess¹, Q. Xu¹, J. Sanchez², N. L. Simone², D. Thomas¹, J. Pijanowski³, J. M. Lamb⁴, and Y. Vinogradskiy²; ¹Thomas Jefferson University, Philadelphia, PA, ²Department of Radiation Oncology, Sidney Kimmel Medical College at Thomas Jefferson University, Philadelphia, PA, ³UCLA, Los Angeles, CA, ⁴Department of Radiation Oncology, University of California, Los Angeles, Los Angeles, CA
Purpose/Objective(s): The rate of cyberattacks is continuing to rise in Radiation Oncology with devastating effects including patient treatment delays, worse clinical outcomes, and treatment in unsafe conditions. Cyber resiliency is the concept of assuming cyberattacks will occur and asking what can be done to resume radiation treatments as rapidly and safely as possible. Research into cyber resiliency is primitive, consisting of case reports and lacking quantitative data. The purpose of this work was to perform cyberattack resiliency exercises and quantitatively evaluate time to resume patient treatment and perform a risk analysis.
Materials/Methods: A resiliency exercise was performed at an academic medical center. Multi-disciplinary teams were established that included a physician, physicist, dosimetrist, and therapist. Ten current on-treatment patients receiving radiotherapy for a variety of disease sites were selected, and the team was instructed to recreate and deliver the plans to a phantom without the use of a record and verify system (both electronic patient information management systems were evaluated). Patient treatments were recreated using existing back-up systems, direct radiotherapy treatment file transfer to the linear accelerator, and paper charts. Time to resume treatment (defined as time from the start of recreating a plan to beam-on) and Failure Mode and Effects Analysis (FMEA) were recorded. FMEA was evaluated by identifying failure modes and scoring each with a risk priority number (RPN), taken as the product of Occurrence, Detectability, and Severity. FMEA was conducted before and after the resiliency exercises to identify failure modes that were not evident prior to the exercises.
Results: Time to treatment was on average 26 ± 31 minutes (average ± standard deviation), with the first patient taking 95 minutes and the last taking 6 minutes. The FMEA conducted after the resiliency exercises revealed an average RPN of 196 ± 120, with the highest-scoring failure modes including dose not recorded, repeated fractions, and wrong positioning applied. Failure modes identified after the resiliency exercises that had not been identified beforehand included risk of missing a patient time-out, incorrect patient set-up device used, and a missed physics check.
Conclusion: Guidelines recommend performing resiliency exercises to prepare for cyberattacks. However, quantitative results of cyberattack resiliency exercises have not been previously reported. Our study provides quantitative data for return to treatment times and highlights the most critical failure modes in a cyberattack scenario. The provided results can be used to identify the most critical mitigation needs during a cyberattack, guide resource allocation for cyberattack preparation, and ultimately improve outcomes for patients who are under treatment if a center is impacted by a cyberattack.