Photo/Illustration: Osaka General Medical Center in Osaka’s Sumiyoshi Ward was targeted in a ransomware cyberattack in October 2022. (Satoru Iizuka)

Laxness and overconfidence allowed a cyberattack that halted services at a major Osaka hospital last year, as the hospital was found to have used the same ID and password for its electronic medical records system.

An investigation revealed systematic problems in the hospital’s servers and computers, flaws that also exist in many other hospitals’ computer systems.

The ransomware cyberattack against Osaka General Medical Center in Osaka’s Sumiyoshi Ward disabled its medical record system in October 2022, affecting the acceptance of emergency patients and outpatients’ medical care for about two months.

Hackers encrypted the data on at least several dozen computers and demanded a ransom to recover it.

The government dispatched experts to the hospital to investigate the cause.

In their investigation, they found that the same password and ID were used and notified NEC Corp., which installed the electronic medical record system.

In addition, the roughly 2,000 staff members were all assigned the same password for using the hospital’s computers.

According to NEC, each hospital staff member was required to enter a different authentication code after tapping their IC card when using a computer.

Once the code was verified as correct, the authentication system sent a common password and an individual ID for each staff member to the computers, allowing them to connect to the medical record system, NEC said.

The ID was a staff code that followed a regular pattern, and the password was the same for everyone. Together, these access methods posed a high risk of infiltration by outside parties.

Security expert Takayuki Sugiura said, “It can be described only as a cosmetic security measure that looks like it is ensuring safety on the surface by requiring authentication with IC cards.”

OVERCONFIDENCE IN CLOSED NETWORK

NEC admitted in an interview with The Asahi Shimbun that it suggested using the same password as part of its system operation.

In 2018, when the system was put into operation, NEC was told that the network in the Osaka hospital was an isolated one. It assumed that the risk of a cyberattack would be low even if the same password were used.

However, the hospital’s network was actually connected to a dedicated communication line with a food service provider.

In the October cyberattack, hackers who gained access to the provider’s server planted a virus on the electronic medical record server. As the ID and password were the same, the damage spread to other servers.

“It is a fact that we were overconfident in the hospital’s closed network and built the system based on that assumption,” said Seiichiro Nakajima, director of NEC’s Medical Solutions Division.

“We will reconsider our approach and take fundamental security measures,” he said.

CONVENIENCE OVER SECURITY

The system’s operation was handled by a contractor that the hospital entrusted with its management.

The contractor created a manual that includes using a common password based on procedures decided by NEC.

An NEC official said, “There was a risk that IDs and passwords would be leaked if they were shared with hospital staff. So, we set a common password in an invisible manner by using IC card authentication.”

NEC also said that it “prioritized the convenience” of the contractor’s work, such as responding to computer malfunctions and configuring the settings after replacing equipment.

Passwords for staff members were changed following the October cyberattack, according to NEC.

Sugiura said that there are other cases of prioritizing ease of management on the IT vendor side, so it is not surprising if cyberattacks occur in electronic medical record systems developed by other companies.

ANTI-VIRUS SOFTWARE NOT INSTALLED

NEC said it had not installed anti-virus software on four of the roughly 100 servers, the ones running the core part of the electronic medical records system, because of a previous problem in which such software had disrupted the hospital’s operations.

An NEC official said the company didn’t install the software on the assumption that the hospital’s network would be isolated and not connected to any other network.

The system has since been improved and anti-virus software has now been installed.

MORE THAN HALF OF 280 HOSPITALS USE SAME ID

In November, NEC surveyed the 280 hospitals nationwide that use the same electronic medical record system.

More than half of the hospitals were found to have been using the same IDs and passwords for servers and computers in each hospital.

These hospitals are gradually implementing security measures including changing their passwords.

Some hospitals had set their own security standards and asked their staff to change IDs and passwords for each server and computer, but there were few such hospitals, according to NEC.
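The two weaknesses described above, one password shared across servers and workstations and staff IDs that follow a regular pattern, are the kind of thing a hospital can check in its own credential inventory before a vendor survey does it for them. The following audit script is an added example and is not code from the article, NEC or the hospital. It assumes an inventory exported as rows of (host, role, account ID, password fingerprint), constructed here; the `SALT` value and host names are placeholders, and in a real audit the fingerprint column would be derived from the authentication system’s stored hashes rather than from plaintext passwords.

```python
"""Audit a host/account inventory for shared passwords and guessable IDs.

Added example, not the article's, NEC's or the hospital's code. The inventory
below is constructed; SALT and the host names are placeholders.
"""
import hashlib
import re
from collections import defaultdict

SALT = b"constructed-site-salt"  # placeholder; a real audit would use the site's own value


def fingerprint(secret: str) -> str:
    """Salted SHA-256 so the audit can compare passwords for equality
    without ever storing them in plaintext."""
    return hashlib.sha256(SALT + secret.encode("utf-8")).hexdigest()


# Constructed inventory: (host, role, account_id, password_fingerprint).
# Five hosts share one password; two do not. Staff IDs are a prefix plus
# a sequential number, the "regular pattern" the investigation warned about.
INVENTORY = [
    ("emr-db-01",   "server",      "svc_emr",   fingerprint("Shared#2018")),
    ("emr-app-01",  "server",      "svc_emr",   fingerprint("Shared#2018")),
    ("emr-app-02",  "server",      "svc_emr",   fingerprint("Shared#2018")),
    ("img-pacs-01", "server",      "svc_pacs",  fingerprint("Different!1")),
    ("ws-0001",     "workstation", "staff0001", fingerprint("Shared#2018")),
    ("ws-0002",     "workstation", "staff0002", fingerprint("Shared#2018")),
    ("ws-0003",     "workstation", "staff0003", fingerprint("u9!Kp4zQ")),
]


def shared_passwords(rows, max_hosts=1):
    """Map each password fingerprint used on more than `max_hosts` distinct
    hosts to the sorted (host, account_id) pairs that use it."""
    users = defaultdict(set)
    for host, _role, account, fp in rows:
        users[fp].add((host, account))
    return {fp: sorted(pairs) for fp, pairs in users.items()
            if len({h for h, _ in pairs}) > max_hosts}


def blast_radius(rows):
    """Largest number of distinct hosts a single password opens."""
    groups = shared_passwords(rows, max_hosts=0)
    return max((len({h for h, _ in pairs}) for pairs in groups.values()),
               default=0)


def predictable_ids(account_ids):
    """Group account IDs of the form <letters><digits> by prefix and return
    the prefixes with at least three members, i.e. a guessable sequence."""
    by_prefix = defaultdict(list)
    for aid in account_ids:
        m = re.fullmatch(r"([A-Za-z_]+)(\d+)", aid)
        if m:
            by_prefix[m.group(1)].append(int(m.group(2)))
    return {prefix: sorted(nums) for prefix, nums in by_prefix.items()
            if len(nums) >= 3}


def report(rows):
    """Summary a security officer can act on: how many passwords are
    shared, how far one of them reaches, and which ID prefixes are guessable."""
    reused = shared_passwords(rows)
    return {
        "reused_password_groups": len(reused),
        "largest_blast_radius": blast_radius(rows),
        "predictable_id_prefixes": sorted(predictable_ids({r[2] for r in rows})),
    }


if __name__ == "__main__":
    for fp, pairs in shared_passwords(INVENTORY).items():
        hosts = {h for h, _ in pairs}
        print(f"password {fp[:12]}... used by {len(pairs)} accounts "
              f"on {len(hosts)} hosts: {pairs}")
    print(report(INVENTORY))
```

Run against the constructed inventory, the report shows one reused password that opens five hosts, which is the situation the article describes: once one server is compromised, the same credential carries the attacker to every other host in the group. The blast-radius figure is the number to drive down; a target of 1 means every host has its own credential, which is what the "few" hospitals with their own security standards had already done.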

‘HOSPITALS SHOULD MANAGE PROACTIVELY’

The medical record system, which can be considered the heart of the hospital, must connect to a large amount of medical equipment and operates through a complex mechanism.

Only the developer can understand the system, and it is difficult for the hospitals to train staff to have specialized system knowledge.

A hospital staffer said, “We left the setting and management of the system to NEC.”

Sugiura said that if damage is caused, the hospital could be held responsible, so it can no longer leave the responsibility for managing the system to the company it has contracted with.

“Hospitals should take the initiative in managing their systems since they handle patients’ confidential information,” he said.