Japan’s healthcare system in danger of cyber attacks
Countermeasures against medical cyber terrorism are an urgent issue
Cyber-attacks on medical institutions that have taken advantage of the spread of the new coronavirus have been increasing in many parts of the world.
In Japan, the 120-bed Handa Hospital in Tsurugi Town, Tokushima Prefecture, came under cyber-attack at the end of October last year, causing an unprecedented crisis.
It was also reported that in early December last year, the Tokyo Metropolitan Government issued an urgent alert to all metropolitan hospitals after receiving information about a cyber attack on them.
Nowadays, countermeasures against medical cyber-terrorism against hospitals are an urgent issue.
In such a situation, there is a company that is researching and developing a new technology that can deal with “medical cyber terrorism” using a completely new methodology. Scrumy, Inc. is a group of “young geniuses” including graduates from the University of Tokyo, Kyoto University, Waseda University, Keio University, and Yale University.
The CEO of Scrumy, Kento Sasano, a graduate of Kyoto University’s Faculty of Law and the University of Tokyo’s Graduate School of Interdisciplinary Information Studies, has been conducting research to strengthen governance and information security.
In the case of the Handa Hospital attack, the attackers probably targeted a vulnerability in the system and hit it indiscriminately.
The crime was committed by a group of professional criminals called “LockBit 2.0”, which is the most powerful group in the world today. The “ransom” in ransomware means just that: a virus is sent to your computer system and encrypts your data, making it unreadable, and the attackers demand that you pay a ransom if you want it decrypted.
In addition, LockBit 2.0’s modus operandi is a double threat: pay the ransom, or your data will be distributed to leak sites on the dark web.
In some cases, the data has actually been distributed. In addition, there is a market for selling stolen information to criminals called “Ransomware as a Service”, where criminal groups who buy the information attack ordinary companies.
The amount of damage is about 250 million yen, the second largest in the world… and the success rate of ransomware attacks is 95%!
In fact, according to the 2020 edition of “The State of Ransomware” by research firm Sophos, the amount of damage caused by ransomware in Japan is approximately 250 million yen, ranking second in the world! Moreover, the success rate of ransomware attacks on Japan is 95%, especially in the “healthcare” sector, where about two-thirds of the attacks have progressed to the stage where the data is encrypted.
In addition, the recovery rate of the system is worse when the ransom is paid.
Incidentally, Turkey, for example, has the lowest amount of ransomware damage. This is due to the fact that the government is used to dealing with real ransoms. In contrast, criminals think Japan is an easy target because it is regarded as a “peaceful country.”
But why are hospitals targeted?
One reason is that, as medical facilities are stretched thin in response to the new coronavirus, their cyber security is also stretched thin and inadequate.
If important data such as medical records is extracted by ransomware or a computer virus, it can contain important patient information, such as biometric data, that can reveal the name of a disease. That information could be used, for example, to create a more realistic bank transfer scam.
In Japan, many hospitals have adopted the “on-premise” system, in which doctors’ PCs, patient reservation systems, medical accounting systems, laboratory equipment, etc. are connected to the local network and their data is stored on the hospital server. However, even if the system is not connected to the outside world, it is vulnerable to viruses, which can easily enter the system when someone simply plugs a USB drive into a doctor’s PC.
On-premise systems also require the replacement of all equipment every five years, which can be a huge expense.
This is a problem. This is why cloud-based electronic medical records, which store data on a cloud-based server, are being recommended these days. However, when I interviewed doctors, I found that many of them are afraid of their information being released outside the hospital.
In addition, it has been pointed out that one of the reasons for the lack of progress in IT in Japan is the lack of IT literacy among the decision makers who hold the actual power in various fields. In addition, the healthcare industry is complicated by political interests.
Japan is an IT-backward country even in the medical field
To begin with, the adoption of electronic medical records in Japan has not progressed at all: while the rate is over 80% for large hospitals with 400 beds or more, it is less than 40% for hospitals with 200 beds.
When we asked them why they still use paper, many of them said that, compared to handwriting, it is harder for them to remember detailed information about patients, such as when and how they were treated, because with electronic medical records they can just copy and paste the information.
Not everything can be digitalized, can it? That is why we provide consulting services to add functions that reflect the actual voices of people in the field; for example, handwriting is always better for diagrams.
In addition, Mr. Sasano launched a non-profit organization when he was a student, and in promoting informatization with school corporations and social welfare corporations, he visited various workplaces and interviewed nurses, doctors, caregivers, and teachers to get their real voices.
As a result, he realized that there were very few security experts in Japan and that there was an urgent need to develop human resources with high IT literacy.
What is important is how to customize the examples from the U.S., where IT is more advanced, to the Japanese way. In the case of Japan, the governance, approval flow, and corporate culture are different, so it is necessary to implement the Japanese way of society in order to promote data and digitalization firmly from the government to corporations.
It’s no good just advancing the technology; we also need to improve the literacy of the people who are chasing the technology.
There are two specific measures that Sasano is focusing on.
The first is a decentralized electronic medical record that incorporates blockchain technology.
Current cloud-based information is centralized, which has been pointed out as problematic from both a privacy and legal perspective, so I think it is desirable to first decentralize it.
Specifically, each person’s medical record information should be stored on his or her smartphone, and it should also be viewable on the doctor’s computer. I think the most realistic way to do this is to accumulate your own daily physical condition and health status, such as chronic diseases, in therapeutic applications.
For example, it is important to be able to store the information in a wearable watch, etc., so that when it is used to help doctors diagnose a patient, they can decide for themselves what information they can share and what information they can keep private.
It can be said that doctors now hold more information than patients in the medical field, and the government is taking the lead in managing financial information. I think it will be interesting to see an era come when we can control our own information and share it with the right people only when necessary.
This autonomous and decentralized style has already been successfully implemented in Estonia, where all administrative services can be done with a single card. The province of Quebec in Canada has also introduced a decentralized electronic health record, the Personal Health Record (PHR).
In addition, Sasano and his team are working to spread a system of system audits and certifications to ensure the security of medical information.
If a hospital is in danger, we will advise them, and experts will conduct a security health check, evaluate it, and give it a rank guarantee.
I would like to create a security system as one of the criteria for selecting a hospital, and after creating a model case in the region, I would like to expand the system nationwide.
Kento Sasano is the CEO of Scrumy Inc. and was born in Okayama Prefecture. When he was in high school, he won a gold medal in the Philosophy Olympiad and participated in the international competition held in Vienna, Austria. After graduating from the Faculty of Law at Kyoto University, he worked as a CIO (Chief Information Officer), overseeing DX promotion for public corporations and companies. Currently, while considering human nature in the age of AI and IoT, he is conducting research and development to strengthen “information governance” and “information security” at Scrumy Inc., a research and development startup from the University of Tokyo, and the University of Tokyo Graduate School of Interdisciplinary Information Studies.
Interview and text by: Wakako Tago
Born in 1973. After working for a publishing company and an advertising production company, she became a freelance writer. In addition to interviewing actors for weekly and monthly magazines, she writes drama columns for a variety of media. JUMP 9 no Tobira ga Openitoki" (both published by Earl's Publishing).
Photography: Mayumi Abe