The Multifaceted Threat of Cyberattacks in Oncology

Diego Adrianzen Herrera, MD

Cyberattacks in health care settings are becoming increasingly prevalent—as oncologists at the University of Vermont Health Network (UVHN) learned on October 28, 2020, when a major ransomware attack infected approximately 5000 computers across the network and caused a system outage that lasted more than 40 days.

The attack caused a total loss of access to all network intranet servers, email capabilities, and clinical systems. The health network also lost access to their electronic medical record system, including laboratory, pathology, pharmacy, and radiology systems. The effect on inpatient and outpatient care delivery was profound.

“The greatest effect [of a cyberattack] is on daily clinical patient care,” Diego Adrianzen Herrera, MD, assistant professor in the Division of Hematology and Oncology at the Larner College of Medicine and a member of the University of Vermont Medical Center in Burlington, said. “A lot of the systems that we use in oncology are dependent on checks and balances from a multidisciplinary team, including pharmacy and specialty nursing, which are automatized in the electronic medical record. When we lost access to that, the biggest immediate [effect] was the inability to communicate across interdisciplinary teams to safely provide treatments to patients.” Herrera said that prior to the attack outside the electronic medical record, there was little communication between systems.

Following resolution of the incident, investigators at the University of Vermont Medical Center published a paper, which Herrera coauthored, outlining the key takeaways from their experience. The report detailed the response to the ransomware attack and provided steps that both community and academic-based practices can take to lessen the effect on patient care should they experience a cyberattack (Figure¹).

“The most important lesson we learned from what happened to us was to have a backup, even if that means going backward and doing everything in a secure manner by paper,” Herrera said. “Patient care will be immediately affected more than anything else.”

What Delays in Care Look Like

System-level delays have been documented to have a direct effect on patient outcomes, according to results of a meta-analysis. Investigators conducted a systemic review of 34 studies that included 17 cancer treatment indications and more than 1 million participants to determine trends in patient survival according to wait time for treatment, including surgery, systemic treatment, or radiotherapy.²

The delay was significantly increased mortality in 13 of the 17 indications (P < .05). HRs for overall survival were estimated for each 4-week delay in cancer care, representing the risk of death for patients who experienced observed treatment delays compared with those who did not experience a delay. Surgical delays were consistently associated with increased mortality, with an HR range between 1.06 and 1.08—translating to a 6% to 8% increased chance of death for each 4-week delay. Delays in adjuvant and neoadjuvant treatments had an HR range of 1.01 to 1.28. Investigators reported that high-validity data were limited for curative radiotherapy; however, significant effects of delays were reported for patients with head and neck cancers (HR, 1.09; HR range, 1.05-1.14) and those with cervical cancer (HR, 1.23; HR range, 1.00-1.50).²

The investigators concluded that policies that focus on minimizing system-level delays (such as those generated in the fallout of a cyberattack) would maintain or improve population-level survival outcomes.² Due to the increasing frequency of cyberattacks along with the transition to electronic-based forms of filing and communication, multiple facets of oncology operations should be preemptively addressed to ensure preparedness to maintain continuous, safe care of patients.¹

Addressing Communication Challenges

The cyberattacks caused both the wired and wireless internet networks of UVHN to go completely offline, with no access to the email server. Only a single fax machine was left operational. In addition to internal communications being severed, external communication with patients was also severely hampered because the centralized call center for incoming patients was unable to quickly relay messages to the clinic offices and because outreach was made impossible since patient contact information was stored in the electronic medical record.

“The major problem we ran into in the midst of everything happening was that some people were text and emailing [using] personal accounts. Initially there was a lot of chaos,” Herrera said.

In response to the communication challenges caused by the ransomware attack, UVHN had to quickly implement alternate communication methods. First, the institution worked to establish SMS text groups to coordinate secured videoconferencing sessions to facilitate interprofessional communication. Participants in the video conferences were meticulously identified to avoid potential intrusion by hackers.

The university was forced to rely on the regional health information exchange to attempt to access patient information, as well as third-party internet-based services for contact information. Although clinical summaries, demographics, and laboratory results were accessible, it was largely insufficient because of the requirement of individual provider registration.

Considering the communication challenges faced during the attack, UVHN suggested several potential improvements and contingency plans for their communication procedures. These included ensuring cell phone coverage in the hospital and clinics, maintaining an offline database of patient information, and establishing group texts between key caregivers and administrators.

“The key is having standardized communications strategies in place outside of whatever is your norm,” Herrera said.

Timely and transparent communication presented a challenge for the University of Vermont Health Network. As mentioned, potential improvements and contingency plans for their communication procedures were proposed and included establishing an emergency cell phone system in the hospital and clinics, maintaining an offline or alternative server database of patient information, and establishing a centralized triaging system for rerouting patient care with partner services.¹

“If there’s one thing that people can prepare for, it’s to have a plan for communication across the different members of the team,” Herrera said. “Another major factor to think about is establishing leaders. We were fortunate in that everyone wanted to help, but we learned that if we can clarify who will take care of which part [of care], it’s more productive than everyone trying to do everything for their patients by himself or herself.”

Providing Oncologic Care in the Wake of a Cyberattack

With limited pathways for clear communication among interdisciplinary care teams and no electronic safeguards in place for multistep care regimens, UVHN needed to establish protocols to ensure that patients could be safely treated in the wake of the mass outage.

The loss of access to the electronic medical records and schedules at UVHN resulted in a 41% reduction in the delivery of clinical outpatient care, a 52% drop in infusion visit volume, and the need for the system to establish command centers to restore services for new patients, including triaging diagnostic evaluation, delivering therapies, and addressing referrals. The oncology-specific services most affected included access to chemotherapy plan templates, which communicated nursing and pharmaceutical processes for systemic care delivery, as well as electronic safeguards leveraged during treatments that required multiple steps in both preparation and delivery.

Several areas of need should be included when determining measures for offline and secure protocols including, but not limited to, the needs of those requiring inpatient systemic therapy, outpatient infusions, radiology imaging, and other diagnostic and continued care measures.

One example from the UVM study regarded administration of inpatient chemotherapy. All treatment plans stored in the electronic records—which included dose modifications, contact information, at-home medication information, pathology results, and more—were inaccessible. In response, all chemotherapy orders were rewritten by the primary oncologist, and patients were asked to carry with them any medications and available medical records. Chemotherapy plans were submitted for review at least a day in advance, and the primary oncologist decided on dose modifications based on the available information.¹

A set of chemotherapy templates for frequently used protocols was assembled for use for incoming patients. The entirety of each chemotherapy regimen, including premedications and emergency plans, was manually recorded and stored prior to administration. The investigators recommend the creation of backup patient files stored on an alternative server or in paper form. Additionally, nonelectronic protocols, with buy-in from all stakeholders, should be created and include a centralized tirage method for all actively treated patients.

For example, a UVHN transdisciplinary team of nurse navigators in conjunction with oncologists in the new patient command center evaluated and screened new or recent cancer diagnosis referrals based on cancer type. Patients were separated into 2 groups: recently established patients and new referrals. Special populations included neuro-oncology and cognitively impaired populations, patients scheduled to undergo autologous stem cell transplant, and patients involved in research studies.

A written list of recently evaluated patients was created by intake coordinators, and a treating physician was identified for each case. The needs of each case were communicated by the treating physician, with priority placed on the expedited completion of diagnosis and staging and the timely initiation of treatment. The outpatient command center was then tasked with coordinating diagnostic biopsies, genetic testing, and radiographic scans.

Easily verifiable regimens including continuous infusions, frequent treatments, and fixed-dose regimens were identified. The capability for triple verification of infusion details with verification of treatment plans by a pharmacist according to the cancer diagnosis and national guidelines was also required. Investigators at UVHN also recommend having paper copies of the most up-to-date versions of commonly used chemotherapy protocols, including the National Comprehensive Cancer Network guidelines, on file.

If the criteria were met, written orders were provided a day in advance by the treating physician for verification by nurses and pharmacy staff. All other patients were screened by a command center. Delays in the laboratory necessitated the completion of blood work 24 to 48 hours before chemotherapy and the utilization of outside facilities in some cases.

Command centers handling outpatient care, inpatient care, radiology challenges, and new patients were established soon after the institution realized that the disruption could continue for an extended period of time.

The outpatient command center was able to create a paper database of patient information for all patients receiving treatment during the system downtime. Patients with missed or upcoming therapy were stratified by physicians into tier 1 (curative intent, urgent/lifesaving, need for highly symptomatic disease, and proven survival advantage), tier 2 (safe to delay 1-2 weeks), and tier 3 (safe to delay at least 2 weeks).

New patient care proved to be a hurdle in the wake of the attack. Patients were stratified into 2 groups: those who were recently established and those who were new referrals. A primary care provider was assigned to recently established patients and triaged the expedited completion of their diagnosis and initiation of treatment. From there, these patients were referred to the outpatient command center for any further testing and coordination of procedures.

“The other group [that was particularly affected by the attack] were the new patients,” Herrera noted. “We are a big center and the only referral center for a very large population. [We’re also] the only center that can do certain specific testing, such as genetic testing and molecular panels. Work-up for a new diagnosis was definitely delayed. Even if the clinician came up with algorithms to solve [the problem], the lab was still down, and they just couldn’t function at the speed at which we would like for these specialty tests.”

New referrals were only taken on if urgent—for example those with acute leukemia—and were prioritized for admission and work-up; other nonurgent referrals were routed to community or network sites, once again relying on the preestablished open lines of communication between centers.

“[These attacks] are becoming so frequent,” Herrera said. “Every large health care network at this point should have backup systems and plans prepared for a potential cyberattack that blocks all of their communications. I hope [that this creates] awareness that this is just becoming the norm.

“There were 400 cyberattacks [targeting] health care facilities in the United States last year alone. The biggest takeaway is that [these types of attacks] are only going to get more and more common.”