Preventing Cyberattacks in Radiation Oncology: Three Actionable Steps and What the FDA Already Requires of Your Vendors
Abstract
Purpose
While AAPM Working Group Report 438 provides essential guidance for business continuity planning after a cyberattack, preventing attacks remains the highest priority. Medical physicists need practical, immediately implementable prevention strategies and must understand the cybersecurity obligations that device vendors are now legally required to meet under Section 524B of the FD&C Act and FDA's 2025 premarket guidance. This presentation bridges the gap between WG 438's recommendations and day-to-day implementation by providing actionable tools for attack prevention and vendor accountability.
Methods
We analyzed WG 438's prevention recommendations and cross-referenced them with FDA Section 524B requirements (effective March 2023) and the June 2025 premarket cybersecurity guidance. We identified the three highest-impact prevention actions accessible to medical physicists and mapped these to specific FDA-mandated vendor obligations including Software Bills of Materials (SBOMs), postmarket vulnerability monitoring plans, coordinated vulnerability disclosure processes, and patch delivery commitments. We developed practical implementation tools including vendor evaluation questions, red flag indicators, and template procurement contract language.
Results
Three immediately actionable prevention steps were identified: (1) establishing processes with IT to apply operating system patches promptly, (2) conducting inventories to identify and eliminate default user credentials on networked devices, and (3) incorporating FDA-referenced cybersecurity language into procurement specifications. We produced a checklist for auditing default credentials by device type, ten specific questions to ask vendors during procurement to verify FDA 524B compliance, a template procurement cybersecurity addendum with contract clauses referencing federal requirements, and a vendor accountability tracking framework.
Conclusion
Medical physicists are uniquely positioned to reduce their department's cyberattack surface and leverage federal regulations to hold vendors accountable. By implementing these three prevention strategies and requiring vendors to demonstrate FDA 524B compliance, radiation oncology departments can significantly strengthen their cybersecurity posture before an attack occurs rather than relying solely on post-incident business continuity planning.