Readiness for Radiation Treatment Continuity: Survey on Contingency Plans Against Cyberattacks

Abstract

PurposeCyberattacks on health care systems have been on the rise over the past 5 years. Formulation and implementation of a robust postattack business continuity plan and/or contingency plan (CP) is essential for minimal disruption to patient care. The level of awareness and planning within the radiation oncology community for cyberattacks is not clear. This study was undertaken to survey and assess cyberattack CP awareness and preparedness. Methods and MaterialsA survey instrument comprising 5 questions on awareness and preparedness of cyberattack CPs was e-mailed to 150 radiation oncology departments. Recipients included 105 institutions with residency programs in therapeutic medical physics, as listed by the Commission on Accreditation of Medical Physics Education Program (usually either school-based or large institutional settings), and 45 additional smaller settings within the United States, representing community practices. ResultsForty-three responses were deemed evaluable for analysis. Forty-two percent (18 respondents) of respondents responded that they are well-aware of the concept of a cyberattack CP. A large discrepancy in awareness exists between larger hospitals (LH) that have 5 or more treatment machines and smaller hospitals (SH) that have 4 or fewer, 54% versus 24 % (P < .05). Fifty-eight percent of respondents considered it “essential” to have such a plan in place, and 28% considered it “desirable” to do so but not practical. Nine percent regarded a cyberattack CP as unnecessary. No significant differences in responses were noted among different types or sizes of institutions on this issue. Sixty-two percent of LH responded that they were either preparing or evaluating a CP, compared with only 29% of SH (P = .03). However, no respondents explicitly replied that they already had a CP in place in their practices. ConclusionsThe importance of cyberattack preparedness and implementation does not seem to be well-recognized in radiation oncology. Both the awareness and the preparedness of SH are substantially less than those of LH. Specific and ongoing education efforts in parallel with development of appropriate programs are needed to counter the increasingly pervasive and complex threat of cyberattacks.