In a time when critical infrastructure has been exposed to cyber-attacks around the world, The Yomiuri Shimbun has learned of 11 hospitals in Japan that have been hit by ransomware attacks since 2016. The actual number of victimized hospitals may be higher.
The attacks have caused such damage as forcing hospitals to stop accepting patients arriving by ambulance, cancel surgeries and restrict the acceptance of outpatients, starkly highlighting how medical institutions’ frontline work has been a target of ransomware attacks.
Ransomware is a type of malware that breaches victims’ systems and encrypts their data, thus making them unusable. Holding the data hostage, attackers demand victims pay a ransom to decrypt it and restore the system.
While various malware have emerged overseas, some have also been confirmed within Japan since around 2015.
Attackers have sometimes also threatened to publicly expose victims’ data unless they pay a ransom.
The number of cases found by The Yomiuri Shimbun was one for 2016, three for 2017, one each for 2018 and 2019, and zero for 2020. But so far in 2021, the number of known cases has already hit five. None of the hospitals are known to have paid a ransom. They have since taken countermeasures against future attacks.
The Health, Labor and Welfare Ministry has asked hospitals to report any cyber-attacks. But as the ministry does not publicize the number of such incidents, there could have been additional cases.
The attacks seen through 2017 caused relatively minor damage, such as disabling the computers used by hospitals for ordinary business that includes sending or receiving email or opening files.
Since 2018, however, stronger attacks have been found to seriously affect medical institutions. They have halted key functions, such as the management of patients’ electronic records, the calculation of medical fees and the management of image data taken with computed tomography (CT).
At these victimized hospitals, clinicians were forced to handwrite records for patients, while hospital operators were driven to restrict accepting patients or carrying out surgeries.
Some hospitals even found that their backup data for electronic patient records was infected with a virus. It took them several months to get their medical services back to normal.
Repairing or rebuilding their systems can cost millions or even tens of millions of yen. In the case of Handa Hospital in the town of Tsurugi, Tokushima Prefecture, a municipal hospital whose computer system was hit by a ransomware attack in October this year, it is expected to cost about ¥200 million to rebuild the system.
The attacks have been evolving from ones that spread a computer virus indiscriminately to ones to targeting a specific company or organization.
Until 2017, there were many cases of computer systems being infected via an e-mail bearing a virus. But recently, as seen in the Handa Hospital case, there has been an increase in attacks in which hackers break into the victims’ computer systems, aiming at vulnerabilities in virtual private networks (VPNs), which are security devices used, for instance, to allow a business operator to link with a hospital’s computer system for remote inspection and maintenance.
The central government has designated 14 sectors, including medical services, financing, railways and electric power, as having key infrastructure that would severely affect people’s lives if their functions were suspended.
Apparent reasons hospitals are often targeted by ransomware attacks include the high value of medical data, the digitization of hospital operations and delays in taking security measures at medical institutions.
Prof. Tetsutaro Uehara of Ritsumei- kan University, who is knowledgeable about cyber-attacks on medical institutions, said: “In the case of ordinary companies, paying ransom would be criticized by society. When it comes to medical institutions, attackers may assume that hospitals would put first priority on the protection of patients’ lives, and thus would be more likely to submit to their demands.
“Medical institutions should build a system in which they constantly check any deficiencies in their computer systems, while the state should support them financially in their efforts to beef up the security of information.”