Attack on Radiation Systems Vendor Affects Cancer Treatment

A series of cyber incidents targeting a Swedish vendor of oncology radiation systems earlier this month is still affecting some of the company's clients, including cancer treatment facilities in the U.S., because the company has taken its cloud-based systems offline during its recovery effort.

Yale New Haven Health in Connecticut told local news media site WTNH on Friday that it was forced to take all its radiation equipment offline last week after a series of cyberattacks on Elekta, which provides the health system's cloud-based radiology software.

In another incident reported by news outlet WPRI, several local healthcare centers in Massachusetts and Rhode Island postponed radiation treatments for cancer patients earlier this month due to problems at Elekta. Among those affected, according to the news report, were cancer treatment centers of Southcoast Health in Massachusetts and cancer care facilities of Lifespan Cancer Institute in Rhode Island.

Vendor Resources

Resources are available to help vendors address evolving cybersecurity concerns pertaining to their products, Moore points out.

Those include: premarket and postmarket cybersecurity guidance from the Food and Drug Administration, guidance from the National Cyber Security Center of Excellence related to wireless infusion pumps, and resources from the Healthcare and Public Health Sector Coordinating Council Joint Cybersecurity Working Group.

A critical step, Sorani says, is for vendors to ensure that remote access to and control of any medical device are secured, properly authenticated and authorized. "The device should be restricted on the communications level to authorized parties only," he says.

"The next step is to be adaptable. As we all know, vulnerabilities and attacks are constantly evolving, so the best strategy is for the vendors to be able to evolve with it and put in place postmarket security controls that will allow them to send over software updates. That will eliminate or control the risk by closing the vulnerability or the undesired behavior pattern."

Read more at: Gov Info Security