Minimising the attack surface of a system deployed in the Radiotherapy department.
The attack surface is the number of possible access points, or attack vectors, where an unauthorised user can access a system to maliciously extract or manipulate data. Typically for a large Hospital network this could mean thousands of access points and a vast array of interconnected devices, from medical equipment to administrative systems, patient record databases, and even wearable health devices.
The interconnected nature of centrally hosted IT systems adds a further layer of complexity to the attack surface, and that complexity makes such systems very difficult for even large IT teams to administer, patch and monitor. Compatibility issues with older but critical software deployed on these systems often mean that newer patches cannot be installed, leaving security vulnerabilities open that cannot be closed.
The following scenario is entirely fictional; however, it closely reflects recent cyberattacks against healthcare providers in Europe. It demonstrates the catastrophic effects a ransomware attack can have on a centrally hosted system with a large attack surface.
Scenario: Ransomware Attack on a Centralised Healthcare Network
Date: August 15, 2024
Time: 08:00 AM
Background:
HealthSecure is a major healthcare provider, operating a centralised health care network called MedSecureNet. This system integrates all critical operations, including patient records, communication channels, diagnostic tools, and treatment modalities, across multiple hospitals and clinics. Among these facilities is a state-of-the-art radiotherapy department specialising in cancer treatment.
The Attack:
At 08:00 AM, a skilled hacker group launches a targeted cyberattack on MedSecureNet. The attack starts with a phishing email sent to a system administrator. The email contains a file labelled as a “System Update,” but it’s actually a sophisticated piece of ransomware. When the file is opened, it takes advantage of a well-known vulnerability in the system. Central IT was aware of this vulnerability, but a risk assessment conducted months earlier had accepted the risk because applying the patches to fix it would have rendered an older, critical clinical system unusable.
Within minutes, the ransomware spreads throughout MedSecureNet, encrypting all connected systems, including patient records, treatment planning software, and communication platforms such as the VoIP telephone system. A ransom note appears on all screens, demanding payment in cryptocurrency to unlock the encrypted data. The note warns that failure to pay within 48 hours will result in the permanent loss of all data.
Impact on Radiotherapy Department:
Time: 08:30 AM
The radiotherapy department, responsible for delivering precise radiation treatments to cancer patients, is heavily reliant on MedSecureNet for patient information, schedules, treatment plans, machine calibration, and communication with oncologists.
Immediate Consequences:
- Patient Record Access Denied:
08:31 AM: Access to all electronic health records (EHRs) is completely blocked. Staff cannot retrieve or update patient information, including previous treatment sessions, current treatment plans, or any recent changes in patient condition stored in the Oncology Information System (OIS). The absence of this information significantly increases the risk of errors and further complications.
- Communication Breakdown:
08:35 AM: The department’s internal communication system, which relies on MedSecureNet, goes down. Oncologists, technicians, and support staff are unable to communicate effectively. Critical updates about patient conditions, necessary adjustments to treatment protocols, and coordination with other departments (such as radiology) are disrupted. Staff must resort to using personal phones, but cellular coverage in the department is very poor, leading to further delays and miscommunication. Contacting patients to delay or reschedule their appointments is not possible.
- Appointment Chaos:
08:45 AM: Patients scheduled for radiotherapy start arriving. However, the department is unable to proceed with their treatment sessions. With no access to appointment schedules or treatment plans, patients are left waiting, and staff are unable to provide any clear communication regarding the situation.
- Treatment Planning Software Inaccessibility:
08:50 AM: The treatment planning software, essential for creating and modifying radiation therapy plans, becomes inaccessible. All ongoing patient treatments are immediately halted. Technicians and oncologists cannot access or modify the critical parameters that guide the radiation doses for individual patients.
- Machine Delivery Failure:
08:55 AM: Linear accelerators (LINACs), the machines used to deliver radiotherapy, are integrated with MedSecureNet to receive patient-specific treatment plans. With the whole hospital network encrypted, the machines are unable to load the necessary plans or verify calibration settings. Manual operation of the machines is not possible because they rely on the network for up-to-date safety protocols and patient-specific data.
Escalating Crisis:
09:30 AM: The department head declares an emergency, and all radiotherapy treatments are suspended. Patients are informed of the situation, but many are distressed, especially those in the middle of critical treatment cycles. The inability to deliver scheduled daily fractions on time threatens to compromise the effectiveness of ongoing cancer treatments, potentially leading to treatment replanning for some cases.
10:00 AM: The IT team, working with external cybersecurity experts, begins attempts to isolate the ransomware and assess the extent of the encryption. They quickly realise that all backup systems connected to MedSecureNet have also been compromised, complicating recovery efforts. The general hospital IT team struggles to prioritise its actions between departments that are all facing the same issues.
11:00 AM: The hacker group issues a second warning, demanding a larger ransom as time passes. They threaten to release sensitive patient data if their demands are not met. The hospital administration faces an ethical dilemma: pay the ransom and hope for decryption, or refuse and risk patient data leaks and the complete loss of treatment continuity.
Long-Term Consequences:
- Patient Health Impact:
Several patients suffer severe setbacks due to delayed or missed radiotherapy sessions. For patients with aggressive cancers, even a short delay in treatment can lead to rapid disease progression, reducing the likelihood of successful outcomes.
- Reputation Damage:
News of the ransomware attack spreads quickly, leading to a loss of confidence in HealthSecure’s ability to provide safe and reliable care. Patients and their families express anger and concern, and many seek treatment elsewhere.
- Financial and Legal Repercussions:
The hospital faces massive financial losses, both from potential ransom payments and the cost of system recovery. Additionally, lawsuits are filed by patients whose treatment was interrupted, claiming negligence in the hospital’s cybersecurity measures.
- Data Loss and Recovery Challenges:
Even after the ransom is paid, recovery is slow. Some data is permanently lost, forcing the hospital to rebuild patient records and treatment plans from incomplete backups and manual records. This process takes weeks, further delaying patient care.
- Regulatory Scrutiny and Reforms:
HealthSecure becomes the subject of a major investigation by health and cybersecurity authorities. The investigation reveals significant gaps in their cybersecurity defences, leading to new regulations that mandate more stringent protections for healthcare networks.
Conclusion: The ransomware attack on MedSecureNet highlights the vulnerability of centralised healthcare systems and the catastrophic impact such attacks can have on patient care. The radiotherapy department’s reliance on interconnected systems proves to be a critical weakness, emphasising the need for robust cybersecurity measures, offline contingencies, and rapid response protocols to protect patient safety in the digital age.
The more serious attacks have been published in detail. The official and independent reports advise that, wherever possible, networks should be separated and strict Access Control Lists (ACLs) applied, so that ransomware cannot spread easily across a hospital-wide network and infect multiple servers.
One of the leading recommendations, highlighted in the 2021 HSE report into its cyberattack, is:
“What is particularly needed in radiation therapy departments is the development of robust IT pathways with dedicated secure servers, rather than reliance on hospital systems. Investment in cybersecurity is of course crucial to ensure that cyberattacks are prevented. It is our opinion that being able to store your own radiation therapy data, rather than relying on hospital servers, as well as having an in-house team with knowledge and understanding of IT related to radiation therapy are necessities going forward in radiation therapy departments. All of these strategies will come at a cost, but overall, we feel that is a price worth paying given the devastating effect of cyberattacks on radiation therapy services.”
Reference: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9486432/
As a Managed Service Provider (MSP) specialising in the Radiotherapy sector, Quadris is uniquely positioned to address these challenges. Our solutions are specifically designed to minimise the attack surface for radiotherapy departments, isolating them from other hospital departments and providing dedicated support, maintenance, and security services. Our team understands the RT patient workflow, ensuring that our systems align with clinical needs. Our systems and processes have been rigorously tested against similar attacks and have proven robust enough to remain unaffected. We have the expertise and resources to deliver comprehensive cybersecurity solutions tailored to the needs of each organisation. By working closely with our clients, we can understand their unique security challenges and design customised, effective, and affordable solutions.