A cyberattack on a hospital in Tokushima Prefecture in October occurred after a company disabled anti-virus software on the hospital's computers, according to a report published on June 7. 

The report said the company was involved in providing an electronic medical record system to Handa Hospital in Tsurugi, Tokushima Prefecture.

The hospital, run by the Tsurugi town government, was forced to suspend some of its operations for about two months after being subjected to a ransomware attack.

The report was compiled by an experts panel established within the hospital.

It said before the cyberattack occurred, the company configured the Windows settings of the computers connected to the electronic medical record system to disable functions including anti-virus software and regular Windows updates.

These computers were among about 200 used in the hospital.

The company said that it did so because these functions would have made the electronic medical record system unstable if they had not been disabled.

The report criticized the company by saying it “prioritized enabling the electronic medical record system to operate over the security protection of the computers.”

After the meeting of the town assembly on June 7 to which the report was presented, Yasushi Suto, a doctor and administrator of the hospital, told reporters that, “We were not told by the company at all (about the disabling of these functions).”

When regular Windows updates identify a security vulnerability on a computer, a program is sent to correct the problem.

However, the report points out that Windows was never updated on the computers at the hospital.

The report said, “Every single vulnerability existed in these computers.”

The report also pointed out that a virtual private network (VPN) device that other companies set up at the hospital for maintenance of the electronic medical record system had never been updated.

A VPN enables people to connect to a private network within an organization that is separate from the internet.

Since the device was set up at the hospital in 2019 until the cyberattack occurred in October 2021, a series of cyberattacks on VPN devices occurred around the world after cybercriminals detected defects in these devices that enabled unauthorized intrusions.

Because of this history, the experts concluded that cybercriminals exploited defects in the hospital’s VPN device and made an unauthorized intrusion to have the ransomware infect the hospital’s system, the report said.

As a result of the cyberattack, the data on the hospital’s electronic medical records were encrypted.

The hospital was forced to suspend accepting emergency or new patients, as well as having to use paper-based medical records.

The report noted that only one official was overseeing the hospital’s computer system when the cyberattack occurred.

It meant that the official couldn’t afford to spend the time and effort to protect the security of the computer system, the report said.

Therefore, the report said that it was understandable that the incident occurred.

The report also criticized the companies working for the hospital by saying they didn’t fulfill their responsibilities. For example, it said they didn’t inform the hospital of a program to update the VPN device, even though they were aware of it.

However, the malware attack on the Handa hospital was not unique to it.

A man working for a medical information system company in Tokyo said, “Hospitals used to use closed telecommunications networks separate from the internet. They often disabled automatic updates of programs to deter any potential problems.”

However, hospitals’ networks are now increasingly using equipment such as VPN devices, which enable people to connect to them from outside hospitals.

Therefore, experts warn about overconfidence in the safety of hospitals’ networks.

Takayuki Sugiura, security strategist at the Digital Agency, said, “Networks are not closed if they are accessible from the outside world. Many people working in medical services wrongly think that their networks are closed, though.”

(This article was written by Tatsuya Sudo, senior staff writer, and Takaaki Fujino.)