TSURUGI, Tokushima Prefecture—Handa Hospital staff here knew something was wrong when more than 10 printers started spewing out streams of paper. But the panic only set in after they read the message, written in English, on the printouts.

It warned that the hospital’s “data are stolen and encrypted” and impossible to decode, and that “the data will be published” if hospital refuses to pay up.

LockBit, an international crime group known for orchestrating ransomware threats around the world, claimed responsibility for the attack.

A virus had been activated in the hospital’s computer network, rendering inaccessible all systems for digitized medical and accounting records. The hospital has been forced to reduce medical services and create a paper-based data system from scratch.

It may take months for the now-financially troubled hospital to fully recover from the ransomware attack that started around 12:30 a.m. on Oct. 31.

CYBERATTACK STATE OF EMERGENCY

Handa Hospital is run by the government of Tsurugi, a town of 8,000 residents in western Tokushima Prefecture. The mighty Yoshinogawa river flows through Tsurugi, which is famous for handmade “somen” noodles.

Handa Hospital has been the core medical center in the town.

Information on 85,000 current and past patients, as well as backup data, was lost in the attack.

Yasushi Suto, the hospital’s chief administrator, quickly established a task force to take countermeasures and declared a state of emergency.

A temporary policy of “providing a minimum level of diagnosis and therapy” was adopted, and the medical center stopped accepting emergency or new patients.

Physicians examined only repeat visitors and those who had made appointments. Healthier patients were asked to return to their homes, and nonurgent surgeries were postponed for as long as possible.

Handa Hospital is the only medical facility in the western part of Tokushima Prefecture that delivers babies. But it had to suspend such services for pregnant women as well.

The hospital said it will rely on handwritten records until the electronic clinical chart system is brought back online.

In mid-November, when the hospital’s reception and payment counter was closed, long tables were installed in the waiting room to separately handle visitors for the internal medicine, obstetrics and gynecology, pediatrics and other departments.

A staff member asked an elderly woman sitting on a chair, “Ma’am, can you write your name and address on this sheet?”

The woman had visited the medical center several times, but the hospital needed to confirm every detail of her personal information for paper-based medical records.

“I am really lost here,” the woman told an Asahi Shimbun reporter.

After seeing Handa Hospital unable to perform its role as a regional medical base, Suto described the situation as nothing but “a disaster.”

MEDICAL, FINANCIAL CRISES

Hospital staff have faced a tough task gathering patients’ information.

Staff members are familiar with many of the patients, so they could jot down personal data and diagnosis results in talks with each visitor.

The hospital has also contacted pharmacies for prescription records and asked other health care facilities currently used by former patients to share past diagnosis details originally provided by Handa Hospital.

The collected information is written or pasted on sheets of paper along with the patients’ health records.

“The process of asking patients when they began coming to our hospital was regrettable and shameful,” Suto said in an interview.

The cyberattack has also hit the hospital’s finances.

With the accounting system down, it is impossible for the hospital to bill its patients.

And patient numbers have dropped because of the hospital’s emergency restrictions.

Under normal conditions, nearly 70 percent of its 120 beds are filled, but the occupancy ratio dropped to 40 percent in late November.

Staff members have grown concerned about whether salaries and annual bonuses will be paid.

Three weeks after the attack, the pediatrics and obstetrics departments resumed operations. Despite uncertainties over when their electronic systems will be rebuilt, they had to lift the suspension on diagnoses because of increased demand from residents.

Handa Hospital announced at a news conference on Nov. 26 that it will restart full-scale operations in January by reconstructing its digital clinical charts.

“We have had no earnings for a prolonged period, and it would become difficult for us to offer diagnoses and treatment if nothing is done to address the circumstances,” Suto said at the news conference.

He said the hospital made the decision because the absence of its services created a void in the regional medical framework.

Suto also expressed outrage over the ransomware attack.

“I will never understand why this small rural hospital was targeted,” he said.

SMALL HOSPITALS AT RISK

Ransomware attacks have targeted businesses and organizations around the world regardless of their size and location.

Attacks on hospitals are seen as particularly serious because a breakdown in their digital systems could put patients’ lives in grave danger.

In October 2018, electronic medical records were inaccessible at Uda City Hospital in Nara Prefecture for two days after a ransomware attack.

Although the medical center was supposed to use a closed telecommunications network in line with the health ministry’s guidelines, its in-house system was likely infected with a virus delivered from the outside.

“It (the hospital’s system) was apparently connected with the outside internet tentatively for some unknown reason,” said Tetsutaro Uehara, a cybersecurity professor at Ritsumeikan University who headed the expert panel to discuss measures to prevent a recurrence of the attack.

The Uda City Hospital allowed each department to procure medical devices independently, so it had no officials with an overall grasp of the entire communications structure. For that reason, the cause of the virus infection could not be pinpointed.

No one at the hospital was responsible for data control, and security measures were simply left to an outside telecommunications service provider.

It is also unknown how the virus infiltrated Handa Hospital’s computer system.

The key could be in the fact that the hospital’s grid was linked to more than one communications device accessible from outside through the virtual private network (VPN).

The devices were designed to enable outside maintenance workers to remotely check the electronic clinical record system. Details of patients were also shared through those units with other medical institutes in Tokushima Prefecture.

In September this year, it was learned that cybercriminals were targeting certain VPN devices after confidential information leaked that the units could be invaded illegally from outside.

Uehara said a lack of security awareness is behind the problem.

“They (medical center officials) appear to mistakenly believe that hospital networks are safe because they are isolated from outside devices,” Uehara said. “This misunderstanding renders it impossible to prepare for the next network invasion that could result in far more terrible damage.”

Takamasa Mikuni, an online security expert, said he has received four complaints about cyberattacks from small and midsize medical institutions since June. In all four cases, he detected signs that internal information had been stolen.

He said cybercriminals seem to be shifting their focus to medical facilities. He noted that such phrases as “medical records,” “outpatient” and “diagnosis” have appeared in keyword search lists incorporated in the data-stealing viruses.

Mikuni said he is most concerned about possible cyberattacks taking control of health care machines.

“It has been shown that hospitals’ networks can be invaded,” he said. “I am worried that medical devices may be exposed to attacks in a life-threatening way.”

(This article was written by Tatsuya Sudo, senior staff writer, and Tomoko Saito.)