Radiation Oncology Ransomware Attack Response Risk Analysis Using Failure Modes and Effects Analysis.

PURPOSE:There have been numerous significant ransomware attacks impacting Radiation Oncology in the past 5 years. Research into ransomware attack response in Radiation Oncology has consisted of case reports and descriptive articles and has lacked quantitative studies. The purpose of this work was to identify the significant safety risks to patients being treated with radiation therapy during a ransomware attack scenario, using Failure Modes and Effects Analysis. METHODS AND MATERIALS:A multi-institutional and multidisciplinary team conducted a Failure Modes and Effects Analysis by developing process maps and using Risk Priority Number (RPN) scores to quantify the increased likelihood of incidents in a ransomware attack scenario. The situation that was simulated was a ransomware attack that had removed the capability to access the Record and Verify (R&V) system. Five situations were considered: 1) a standard treatment of a patient with and without an R&V, 2) a standard treatment of a patient for the first fraction right after the R&V capabilities are disabled, and 3) 3 situations in which a plan modification was required. RPN scores were compared with and without R&V functionality. RESULTS:The data indicate that RPN scores increased by 71% (range, 38%-96%) when R&V functionality is disabled compared with a nonransomware attack state where R&V functionality is available. The failure modes with the highest RPN in the simulated ransomware attack state included incorrectly identifying patients on treatment, incorrectly identifying where a patient is in their course of treatment, treating the incorrect patient, and incorrectly tracking delivered fractions. CONCLUSIONS:The presented study quantifies the increased risk of incidents when treating in a ransomware attack state, identifies key failure modes that should be prioritized when preparing for a ransomware attack, and provides data that can be used to guide future ransomware resiliency research.