    Blue Goat Cyber · Medical Device Cybersecurity

    Radiation Oncology & Radiotherapy cybersecurity.

    Cybersecurity for linacs, treatment planning systems, oncology information systems, and brachytherapy platforms.

    Overview

    What we mean by radiation oncology.

    Radiation oncology platforms - linacs, treatment planning systems (TPS), oncology information systems (OIS), and brachytherapy afterloaders - carry the most documented ransomware history of any medical device segment (Elekta cloud-storage incident, Varian/Siemens advisories, Universal Health Services and Sky Lakes outages). They combine safety-critical dose-delivery control with multi-day patient-treatment workflows that cannot tolerate downtime. We build premarket and postmarket cybersecurity packages tuned to the TPS-to-linac plan path, the OIS integration boundary, and the long deployed service lives of radiotherapy capital equipment.

    Threat surface

    Cyber risks specific to radiation oncology.

    TPS-to-linac plan integrity

    The treatment plan delivered from TPS to linac is safety-critical writable state - any path that can substitute, modify, or replay a plan must be authenticated, integrity-protected, and audited end to end.
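    The requirement just stated, as an added example that is not part of this page or of Blue Goat Cyber's methodology: one hop of the plan path that authenticates the envelope, checks plan integrity, rejects replays, and records every decision for audit. HMAC-SHA256 over a shared per-hop key, the monotonic sequence number, the sender label TPS-01 and the plan bytes are all constructed assumptions, not a DICOM-RT or vendor mechanism.

```python
# Added illustration of one authenticated hop on the TPS -> OIS -> linac plan path. Constructed
# example, not a vendor protocol: HMAC-SHA256 over a shared per-hop key plus a sequence number.
import hashlib
import hmac
import json
def _envelope_bytes(sender: str, seq: int, plan_sha256: str) -> bytes:
    # Canonical encoding so both ends MAC exactly the same bytes.
    fields = {"sender": sender, "seq": seq, "plan_sha256": plan_sha256}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_plan(plan: bytes, key: bytes, sender: str, seq: int) -> dict:
    """Sending side (TPS): bind the plan bytes to a sender identity and a sequence number."""
    digest = hashlib.sha256(plan).hexdigest()
    mac = hmac.new(key, _envelope_bytes(sender, seq, digest), hashlib.sha256).hexdigest()
    return {"sender": sender, "seq": seq, "plan_sha256": digest, "mac": mac}

class PlanReceiver:
    """Receiving side (OIS or linac): accept a plan only if authentic, unmodified and fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far (replay window)
        self.audit = []      # append-only record of every decision, for end-to-end audit

    def accept(self, env: dict, plan: bytes) -> str:
        verdict = self._check(env, plan)
        self.audit.append((env.get("sender"), env.get("seq"), verdict))
        if verdict == "ACCEPTED":
            self.last_seq = env["seq"]
        return verdict

    def _check(self, env: dict, plan: bytes) -> str:
        # Authentication: without the per-hop key nobody can produce a valid MAC over the envelope.
        payload = _envelope_bytes(env["sender"], env["seq"], env["plan_sha256"])
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, env.get("mac", "")):
            return "REJECT:bad-mac"
        # Replay: a genuine envelope is accepted once; sequence numbers must strictly increase.
        if env["seq"] <= self.last_seq:
            return "REJECT:replay"
        # Integrity: the plan bytes actually delivered must be the ones that were signed.
        if hashlib.sha256(plan).hexdigest() != env["plan_sha256"]:
            return "REJECT:plan-modified"
        return "ACCEPTED"

def demo() -> list:
    key = b"constructed-per-hop-key"                    # constructed; real keys come from provisioning
    plan = b'{"beams":[{"mu":120.0,"gantry":0}],"fractions":30}'  # constructed stand-in for a plan
    linac = PlanReceiver(key)
    env = sign_plan(plan, key, "TPS-01", seq=1)
    return [
        linac.accept(env, plan.replace(b"120.0", b"1200.0")),  # dose field altered in transit
        linac.accept(env, plan),                                # genuine delivery
        linac.accept(env, plan),                                # same valid envelope replayed
        linac.accept(dict(env, seq=2, mac="00" * 64), plan),    # substitution without the key
    ]
```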

    OIS as the ransomware blast-radius

    The OIS is the convergence point for scheduling, plans, imaging, and delivery records - the Elekta 2021 incident demonstrated that cloud-OIS outage halts treatment fleet-wide; segmentation and recovery plans are first-class deliverables.

    Long-tenure capital and embedded OS

    Linacs and TPS hosts routinely run for 10-15 years on embedded OS versions that go EOL mid-deployment - the postmarket plan must document compensating controls and a defensible patch cadence under treatment-schedule constraints.

    Vendor remote-service and physics tooling

    Vendor service tunnels and on-site physicist tooling have been the entry point in multiple public incidents - they're a continuous postmarket surface, not a one-time review.

    Attack surface

    Radiation oncology attack surface

    Radiation-oncology platforms span the treatment planning system, the OIS (the convergence point for plans, imaging, scheduling, and delivery records), and the linac itself, with on-board imaging and brachytherapy afterloaders sharing the same trust chain. Vendor remote-service tooling has been the entry point in multiple public incidents.

    1. Treatment planning system (TPS)
    2. Oncology information system (OIS)
    3. PACS / DICOM-RT
    4. On-board imaging (IGRT / iCT)
    5. Linac control & delivery
    6. Brachytherapy afterloader
    7. Vendor remote-service tunnel
    8. Physicist tooling

    Layers are listed outermost (top) to innermost (bottom).

    Real-world attacks

    Notable real-world attacks & threat scenarios.

    Radiation oncology carries the most documented ransomware and outage history of any medical device segment. Reviewers expect threat models that explicitly address the Elekta, UHS, and Sky Lakes incidents as design references, not as background context.

    Historical incidents

    • Elekta cloud-based storage incident (April 2021)

      A ransomware attack against Elekta's first-generation cloud-based storage system disrupted radiation-oncology operations at numerous cancer centers in North America for multiple days to weeks. The incident is the canonical reviewer reference for OIS / cloud-platform resilience and treatment-continuity planning in radiation oncology.

      Sources: Elekta customer notification, April-May 2021; public reporting at affected cancer centers

    • Universal Health Services ransomware (September 2020)

      The UHS ransomware event halted clinical operations - including radiation oncology - across the network for days, demonstrating fleet-wide impact when shared infrastructure underlying radonc is compromised. Reviewers cite this incident when assessing OIS segmentation and manual-fallback design.

      UHS public statement, September-October 2020

    • Sky Lakes Medical Center ransomware (October 2020)

      Sky Lakes Medical Center disclosed a Ryuk ransomware incident that disrupted radiation-oncology treatments and forced manual rescheduling for weeks. The pattern is cited as a reference case for treatment-day RTO/RPO and the need for a usable manual-fallback workflow.

      Sky Lakes Medical Center public statements, Oct-Nov 2020

    Active threat scenarios

    • TPS-to-linac plan substitution or replay

      A treatment plan modified, substituted, or replayed on the path from TPS through OIS to the linac is a direct patient-safety hazard at the level of dose delivery; every hop needs authentication, integrity, and replay protection.

    • OIS ransomware blast-radius without recovery plan

      Elekta-class root cause: cloud-OIS outage halts treatment fleet-wide; absence of segmentation, RTO/RPO, manual fallback, and hospital-IR integration is a deficiency-letter pattern.

    • Vendor remote-service tunnel compromise

      Vendor service tunnels and on-site physicist tooling have been the entry point in multiple public incidents - they belong in the postmarket plan as an ongoing surface, not a one-time premarket review.

    • EOL embedded OS on long-tenure linacs

      Linacs run 10-15 years on embedded OS that reaches EOL mid-deployment; absence of a per-generation configuration matrix and compensating-controls plan is reviewer-visible.

    What FDA reviewers cite

    Reviewer talking points from these incidents

    • Positive evidence of authentication, integrity, and replay protection across the TPS→OIS→linac plan path
    • OIS segmentation, RTO/RPO, manual-fallback workflow, and hospital-IR integration (Elekta 2021 reference)
    • Documented vendor remote-service architecture and account custody (multiple incident references)
    • Per-generation EOL embedded-OS compensating-controls plan for long-tenure linacs and TPS hosts
    • Postmarket plan that addresses fleet recovery, not just individual-device patching

    Top concerns

    Top cybersecurity concerns for radiation oncology.

    Radiation oncology carries the most documented ransomware and outage history of any medical device segment - the Elekta 2021 cloud-storage incident, the UHS and Sky Lakes outages, and multiple linac/OIS advisories define how the FDA and hospital procurement evaluate this category.

    • TPS-to-linac plan substitution, modification, or replay
    • OIS as ransomware blast radius for treatment continuity (Elekta 2021 pattern)
    • Vendor remote-service tunnels and physicist tooling as documented entry points
    • Long-tenure linacs with EOL embedded OS and treatment-schedule patch constraints
    • DICOM-RT plan and image integrity on PACS and OIS
    • IGRT and on-board imaging integration trust
    • Brachytherapy afterloader source-position control loop integrity
    • Backup/restore RTO/RPO for treatment-day operations

    Operational challenges

    Where radiation oncology teams get stuck.

    Plan-integrity end to end

    The treatment plan from TPS through OIS to linac is safety-critical writable state; every hop needs authentication, integrity, and replay protection validated against IEC 60601-2-1 essential performance.

    OIS resilience as a clinical-continuity hazard

    Elekta 2021 demonstrated that cloud-OIS outage halts treatment fleet-wide; postmarket plans must document segmentation, RTO/RPO, manual-fallback workflow, and hospital-IR integration.

    Long-tenure capital and EOL OS

    Linacs and TPS hosts run 10-15 years on embedded OS that goes EOL mid-deployment - per-generation configuration matrix and compensating controls are required deliverables.

    Vendor remote-service as continuous surface

    Vendor tunnels and on-site physicist tooling have been the entry point in multiple public incidents and belong in the postmarket plan as an ongoing surface, not a one-time review.

    Regulatory pathways and standards

    Regulatory pathways

    FDA pathways we support

    510(k) · De Novo · PMA

    Standards & guidance

    Applicable standards

    FDA 2026 Premarket Cyber Guidance · AAMI SW96 · AAMI TIR57 · IEC 62304 · ISO 14971 · IEC 60601-2-1 (linacs) · IEC 60601-2-17 (brachytherapy) · IEC 60601-2-68 (image-guided radiotherapy) · DICOM-RT · IEC 81001-5-1

    Standards & deliverables

    What you owe FDA for radiation oncology - at a glance.

    Six deliverables FDA and notified bodies expect across MedTech, with the radiation oncology-specific wrinkle on each row. Use it as a scoping checklist before you brief vendors or your QA team.

    • SBOM + VEX

      Required

      Machine-readable SBOM (CycloneDX/SPDX) plus VEX feed for every CVE that touches a listed component.

      Cadence
      Premarket + monthly refresh
      Standard
      FDA Cybersecurity Guidance §V · CISA SBOM minimum elements
      Radiation Oncology note
      SBOM must cover linac control, TPS hosts, OIS components, IGRT integration, brachytherapy afterloader firmware, and any vendor remote-service tooling.
    • Postmarket monitoring

      Required

      Continuous CVE / advisory monitoring against the SBOM, with a documented triage and disclosure path.

      Cadence
      Continuous (≤30-day triage)
      Standard
      FD&C Act §524B · FDA Postmarket Cybersecurity Guidance
      Radiation Oncology note
      Postmarket plan must address OIS resilience and treatment-day RTO/RPO explicitly - Elekta 2021 is the reviewer reference.
    • Penetration test scope

      Required

      Black/grey-box testing across device, wireless interfaces, mobile apps, cloud APIs, and service tooling.

      Cadence
      Premarket + on material change
      Standard
      AAMI TIR57 · FDA Premarket Cyber Guidance §VI.A.5
      Radiation Oncology note
      Pen test scope: TPS→OIS→linac plan-delivery path, OIS lateral movement, vendor remote-service tunnels, physicist tooling, on-board imaging integration.
    • Threat model

      Required

      STRIDE-per-interface threat model with documented mitigations and residual-risk acceptance.

      Cadence
      Premarket, refreshed each design change
      Standard
      AAMI TIR57 · FDA Premarket Cyber Guidance §V.A
      Radiation Oncology note
      Treat the OIS as the convergence point for treatment continuity; model plan substitution, replay, and tampering as patient-safety hazards.
    • Secure update mechanism

      Required

      Signed firmware/software updates with rollback protection, integrity verification, and staged rollout.

      Cadence
      Designed premarket, exercised lifecycle-long
      Standard
      FDA Cyber Guidance §IV · IEC 81001-5-1
      Radiation Oncology note
      Updates must work within treatment-schedule constraints; per-generation configuration matrix and compensating controls are required deliverables.
    • Coordinated Vulnerability Disclosure

      Required

      Public CVD policy, intake channel, and SLAs for triage, fix, and customer communication.

      Cadence
      Continuous, lifecycle-long
      Standard
      ISO/IEC 29147 + 30111 · Section 524B(b)(2)
      Radiation Oncology note
      CVD policy must reach physicists, dosimetrists, and biomed engineers, with hospital-IR integration in the postmarket plan.

    Services

    How we help radiation oncology teams.

    FAQs

    Radiation Oncology cybersecurity FAQs.

    Why does radiation oncology get more cyber scrutiny than other oncology segments?

    Radiation oncology has the most documented ransomware and outage history of any medical device segment - the Elekta cloud-storage incident, the UHS and Sky Lakes outages, and multiple Varian/Siemens advisories define how the FDA and hospital procurement evaluate this category. Reviewers expect the threat model to enumerate plan-integrity, OIS resilience, and vendor remote-service paths explicitly, with positive evidence and a postmarket plan that addresses fleet recovery, not just individual-device patching.

    How do you test the TPS-to-linac plan-delivery path?

    We scope the entire chain: TPS export, transport (DICOM-RT or proprietary), OIS storage and retrieval, and on-linac verification. Each hop is exercised for authentication, integrity, replay, and substitution, and the device's behavior under tampered or malformed plans is validated against the IEC 60601-2-1 essential-performance bounds. Findings tie back to specific hazard entries in the risk file so safety and security teams act on the same evidence.

    Do you cover OIS resilience and ransomware recovery?

    Yes. The OIS is scoped as the convergence point for treatment continuity. The postmarket plan documents segmentation between OIS and clinical-network zones, backup/restore RTO/RPO for treatment-day operations, the manual fallback workflow when OIS is unavailable, and the relationship to hospital-wide incident response. Reviewers and hospital security teams both expect this level of explicit operational planning after the public 2021 incident.

    How do you handle long-tenure linacs with EOL embedded OS?

    Linacs commonly run for 10-15 years on embedded OS versions that go EOL mid-deployment. The postmarket plan documents the configuration matrix per generation, the compensating controls (segmentation, allowlisting, restricted USB/service-port use), the patch cadence under treatment-schedule constraints, and the EOL/EOS communications plan. The matrix is referenced from the SPDF so reviewers and hospital biomed see the same story.

    What about brachytherapy afterloaders and proton platforms?

    Brachytherapy afterloaders share the TPS-to-device plan integrity concern but add the source-position control loop under IEC 60601-2-17. Proton platforms add real-time gantry control under IEC 60601-2-68. Both are scoped alongside the linac model when applicable, with platform-specific essential performance called out separately.

    How long does a radiation-oncology premarket cyber engagement typically take?

    For a linac platform with TPS, OIS integration, and IGRT, end-to-end premarket cyber work runs 14-18 weeks. Threat modeling and SBOM front-load in weeks 1-5, pen testing across linac, TPS, OIS, IGRT, and vendor remote-service runs in weeks 5-15, and the consolidated submission package and postmarket plan close in the final weeks - all under a written clearance guarantee.

    Radiation oncology cybersecurity

    Build the cyber package and OIS-recovery plan reviewers expect after Elekta.

    TPS-to-linac plan integrity, OIS resilience and ransomware recovery, vendor remote-service tooling, and long-tenure embedded-OS strategy.

    Book a radiation-oncology review

    • 30-min discovery call
    • Fixed-fee proposal in 48 hrs
    • No sales pressure

    In their words

    Backed by MedTech leaders.

    "Blue Goat Cyber's depth of expertise was impressive. We had no in-house cybersecurity experience, and their team guided us through every step of the FDA process. The penetration testing and SBOM testing were thorough and gave us complete confidence."
    Hank Tucker
    CEO · MedTech Manufacturer

    For Radiation Oncology

    Get Radiation Oncology cybersecurity that lands.