On April 20, 2021, Elekta, a provider of cancer-treatment software, was targeted by a healthcare ransomware attack. Through the attack, hackers were able to access Elekta's cloud-based software, which is used to operate radiology equipment. In response, Elekta temporarily took the software offline, disrupting treatment for cancer patients across 170 U.S. health systems. More details on the attack are discussed below.
What We Know About the Healthcare Vendor Ransomware Attack
Elekta suffered a cyberattack on April 20, 2021, in which hackers gained access to the provider's cloud-based radiology software. Although Elekta has not yet confirmed the nature of the incident, early reports indicate that it was a ransomware attack.
Upon discovering the breach, Elekta took its software offline until the vulnerabilities involved can be identified and addressed. The software, which has now been offline for more than a week, is required to operate radiology equipment used in cancer treatment. As a result, many cancer patients have had their treatment delayed or have been transferred to other treatment facilities.
An Elekta representative explained, "Elekta was subjected to a series of cyberattacks which affected a subset of U.S.-based customers on our first-generation cloud system. On April 20, to contain and mitigate the attacks, Elekta proactively took down its first-generation cloud system in the United States. An investigation is being conducted, and any affected customer(s) will be contacted and fully briefed through the appropriate channels and in accordance with any legal requirements."
Elekta described the ransomware attack as, “…intended to encrypt the data stored on this system. There is no evidence that any data was extracted or copied, and we do not believe that the hackers have any of the stored data in their possession.”
Which Health Systems Were Affected?
Although investigations are still underway, it appears that 170 health systems have been affected by the incident.
“This issue was only isolated to a subset of US Cloud Customers due to our Geographical and Service Segmentation in Cloud Services,” an Elekta spokesperson said in an emailed statement. “No other Elekta servers, services or products have been affected.”
From early reports by affected health systems, it appears that the geographic region in question is the Northeast. Several healthcare providers in the region have come forward with reports of the incident, including Yale New Haven Health in Connecticut, Southcoast Health in Massachusetts, Lifespan Cancer Institute in Rhode Island, and Rhode Island Hospital.
"We do not have the ability to operate the machines because the information that is programmed into those machines is up in the cloud," said YNHH CEO Marna Borgstrom.
“Anytime a patient has any delay in care, we share in their concern as well and we understand their concern,” said YNHH spokesman Vin Petrini. “We have tried to find alternative treatments for them in the meantime.”
Elekta’s Response
“Elekta recognizes the inconvenience this suspension causes to its customers and to the patients these customers serve,” the spokesperson said. “Elekta is committed to advancing patient care and outcomes and understands that any delay in scheduled radiation therapy adds to patients’ treatment burden.”
Worrisome News for Healthcare Organizations
The growing trend of healthcare hacking incidents is worrisome, to say the least. Hacking continues to be the leading cause of reported healthcare breaches month after month. There are several reasons behind this, including inadequate security protections, a lack of comprehensive employee training, and vendor vulnerabilities.
- Inadequate security protections. Many healthcare organizations let cybersecurity fall by the wayside because a lack of time, resources, or money leads them to prioritize other things. However, as the Elekta incident shows, a lack of security can lead directly to patient harm: when clinicians cannot access the equipment or patient data they need, the patient suffers. This is why it is essential to have physical, administrative, and technical safeguards in place to secure protected health information, and why the HIPAA Security Rule's contingency planning requirement (backups, disaster recovery, and emergency mode operation) matters when a system you depend on goes offline.
- Lack of comprehensive employee training. A large portion of breaches, including ransomware incidents, start with employee error. Employees who lack adequate cybersecurity training are easy targets for attackers, largely because of the growing threat of phishing. In a phishing attack, the attacker sends an email impersonating a trusted individual or entity in an attempt to obtain credentials or other sensitive information, or to get the recipient to run malicious code. Phishing emails can be extremely difficult to detect, which is why employee training is so important.
- Vendor vulnerabilities. In the Elekta incident, the healthcare providers suffered from their vendor's vulnerabilities. In the end, your vendor's vulnerabilities are your vulnerabilities, especially when you rely heavily on that vendor to deliver care. This is why HIPAA requires you to conduct due diligence when choosing business associates, assessing the risk they pose to your data and putting a business associate agreement in place before sharing protected health information with them.