Combatting Cyber Threats in Healthcare—ESTRO Launches Cybersecurity Framework for Radiation Oncology
Tech
2025-12-22

Facing Digital Paralysis: A Critical Defense for Radiation Oncology
With the rapid evolution of medical technology, radiation oncology departments have reached an unprecedented level of reliance on Information Technology (IT) systems. Digitalization has permeated every step of the clinical workflow—from general patient documentation to complex Treatment Planning Systems (TPS) and linear accelerator operations. However, this total reliance has placed radiation oncology in an extremely vulnerable position. Recent studies show that cyber threats in the healthcare sector are escalating, with ransomware attacks more than doubling between 2016 and 2021.
To address this severe challenge, the Safety and Quality Committee (ROSQC) of the European Society for Radiotherapy and Oncology (ESTRO) initiated a project that produced the first cybersecurity framework specifically designed for radiation oncology departments, published in the journal Radiotherapy and Oncology.
Evidence-Based and Systematic Strategy: 190 Action Measures
This study was completed by Dr. Samuel Peters and an international team of experts through a systematic review of 133 relevant articles. Adapting the NIST Cybersecurity Framework (NIST CSF) to the unique needs of radiation oncology, the team established a resilience framework comprising "6 Steps," further detailed into 190 specific action measures.
The six core phases of the framework are as follows:
- Preparation: This proactive planning phase focuses on establishing a detailed Business Continuity Plan (BCP) and risk assessments. The plan must cover offline treatment procedures, patient referral mechanisms, and the defined roles of an interdisciplinary Incident Response Team (IRT).
- Prevention: Focuses on implementing proactive security measures, including user awareness training, system patch management, and network segmentation to isolate critical equipment like linear accelerators.
- Detection: Identifies suspicious activities (Indicators of Compromise, or IOCs) using real-time monitoring tools and establishes clear communication channels to ensure threats are reported immediately.
- Respond: The central execution phase during an attack, aimed at rapidly activating the BCP to ensure treatment continuity. Measures include isolating infected systems, assessing clinical risks, and switching to analog (manual) workflows if necessary.
- Recovery: Involves data restoration and system reconstruction. This process requires rigorous data consistency checks and evaluations of dose compensation for treatment gaps caused by the attack.
- Debriefing & Continuous Improvement: Analyzes successes and failures post-incident to feed lessons learned back into the preparation phase, continuously optimizing local emergency protocols.
Legal Regulations of the EU NIS2 Directive
The document emphasizes the critical importance of the EU NIS2 Directive (Network and Information Security Directive 2). Under this directive, healthcare organizations are classified as "essential entities" that must adopt specific technical and organizational security measures and fulfill incident reporting obligations. Failure to comply may lead to staggering administrative fines of up to €10 million or 2% of the total worldwide annual turnover. This underscores that cybersecurity is no longer just an IT responsibility but a legal and financial risk that hospital senior management must address.
A Question of "When," Not "If"
The study concludes that for radiotherapy, a cyberattack is no longer a question of "if," but a realistic threat of "when." Because radiation oncology is so deeply integrated with IT systems, the IT department alone cannot address these challenges; doing so requires comprehensive cooperation between clinical staff, IT experts, and equipment vendors.
The team urges radiation oncology departments to view cyber resilience as a top priority. As the next attack is inevitable, healthcare providers must work closely with IT specialists and vendors to establish protocols that prioritize patient safety and well-being.
Reference
- Peters, S., O'Donovan, A., Bellini, M., Caissie, A., Coffey, M., Dabach, A., Delaney, G. P., Fischer, P. E., Frenken, G., Liszewski, B., Maingon, P., Messens, E., Perryck, S., Zhang, B., & Reijnders-Thijssen, P. (2026). ESTRO framework for radiation oncology departments to mitigate against cyberattacks. Radiotherapy and Oncology, 214, 111305. https://doi.org/10.1016/j.radonc.2025.111305