A series of ransomware cyberterrorism attacks on medical institutions: how to respond (Masatoshi Fujitani) | Agora Speech Platform
Masatoshi Fujitani, Policy Proposal Committee Member; Senior Researcher, Economic Security Management Support Organization
In January 2022, Tsurugi Municipal Handa Hospital (Tokushima Prefecture) announced that it had recovered from earlier ransomware damage and resumed normal medical care.
Handa Hospital was infected in October 2021 with ransomware, which encrypted about 85,000 electronic medical records and produced printouts in English. In addition, the medical fee and electronic medical record browsing systems became unusable, and office work was severely disrupted, with staff resorting to paper charts.
At that time, Handa Hospital chose to recover the data on its own, regardless of the threats from the criminals. The hospital restored the damaged server on December 29, 2021 and returned to normal operation. The cost of restoring the system is said to be 200 million yen.
Cyberterrorism in the form of ransomware struck Handa Hospital, and several cases of attacks on hospitals have also been confirmed.
[What is ransomware] A malicious virus that demands a ransom in exchange for recovering data stolen through unauthorized intrusion into a system. In May 2021, the US Colonial Pipeline was hit, causing a shortage of gasoline supply, and the operating company paid about 500 million yen in crypto assets. Worldwide damage in 2020 is said to be $400 million (about 45 billion yen).
① Fukushima Prefectural Medical University Hospital case (Fukushima City)
In December 2020, Fukushima Prefectural Medical University Hospital announced that in August 2017 it had been affected by the virus "WannaCry", which had spread worldwide.
At that time, computers in several departments, including the radiology department at Fukushima Medical University Hospital, suddenly displayed a message in English saying, "If you want to recover data, pay Bitcoin." The hospital did not respond to the ransom demand and abandoned the data. For some patients, imaging data from X-ray and computed tomography (CT) equipment could not be saved because of the virus infection, and the images were retaken without explanation.
Because the damage did not extend to the electronic medical record system and there was no external leakage of patient information or other data, the hospital did not submit a report to the Ministry of Health, Labor and Welfare or the police. Infected personal computers and medical devices were initialized with priority on resuming operations, and it appears that no detailed investigation was conducted to identify the route of infection (Nikkei Shimbun, December 4, 2020).
② Uda City Hospital case (Nara Prefecture)
On February 28, 2020, Uda City Hospital published a report on problems with the electronic medical record system that occurred at the hospital in 2018.
According to the report, on October 1, 2018, Uda City Hospital introduced an electronic medical record system to improve operational efficiency, at a total cost of 432 million yen. The trouble occurred on October 16: a message reporting virus infection and data encryption and demanding a ransom appeared on the electronic medical record system's management screen, and the system was found to be infected with ransomware.
When the vendor checked the scope of the infection, four servers in the medical department, including the electronic medical record servers, two client terminals in the medical department, one virus server, and one machine in the nursing department were found to be infected. Data for 1,133 of 3,835 patients had been encrypted by the ransomware. A subsequent investigation revealed that the ransomware was "GANDCRAB", which was discovered around the world in 2018.
It was also found that the installed antivirus software was not up to date, and that the ransomware could not have been detected even if it had been. In addition, recovery took time because the data backup had failed, and the system log was accidentally deleted, so it was not possible to identify the route of infection. Inadequate system operation, including the rules governing it, made the problem even more serious (Uda City report, February 28, 2020).
③ Municipal Higashi-Osaka Medical Center case (Higashi-Osaka City)
On June 22, 2021, the Municipal Higashi-Osaka Medical Center announced that its investigation into the outage of its medical imaging reference system on May 31 had found the cause to be unauthorized access to a hospital server. Although an alternative server was launched and operation resumed, image data from before the restart was difficult to view, and there were cases in which patients had to go to another hospital.
The ransomware that infected the center is called "REvil". Vulnerabilities have been reported in FortiOS, the security software of Fortinet, a major US network and security company, and cases have also been reported by medical institutions in the United States (Economist Online, July 19, 2021).
In the case of Fukushima Prefectural Medical University Hospital, even though it was clear that the hospital had been attacked by ransomware, it concluded that there was no external leakage without having experts investigate the route of infection, and it did not report to the police.
In addition, since the network in this hospital was not connected to the Internet, it may have been infected with ransomware by a malicious third party inside or outside the hospital, and an investigation at the time of the incident might have identified the perpetrator. Furthermore, other hospitals could have been alerted and the spread of damage prevented.
These cyberterrorism cases show that ransomware is aimed not only at extorting money but also at disrupting hospitals' ability to provide medical care. To prevent attacks that cause such serious damage, it is important to analyze the methods and routes of infection and to share information between the public and private sectors to strengthen cooperation.
In response to these situations, both the US and Japanese governments have recognized ransomware cyberattacks as a security threat and have set out measures such as "sharing and analyzing damage cases between Japan and the United States," "identifying hackers and taking countermeasures in cooperation with the United States," and "improving the resilience of companies and others against attacks." Each company and hospital should be strongly aware that a cyberattack is not a matter for a single company or a single hospital alone.
■
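Masatoshi Fujitani. Born in Hokkaido in 1954. Graduated from the Department of Law, Faculty of Law, Gakushuin University, and completed the master's program at the Graduate School of Advanced Science and Technology, Japan Advanced Institute of Science and Technology. Joined the Public Security Intelligence Agency of the Ministry of Justice (served in the North Korea, China, Russia, and international terrorism divisions). Retired as Director of the agency's Kanazawa Public Security Intelligence Office. Currently a JFSS Policy Proposal Committee Member, representative of OFFICE TOYA LLC, representative of the TOYA Future Information Research Institute, and Senior Researcher at the Economic Security Management Support Organization (general incorporated association).
From the editorial department: This article is a reprint of the article dated February 14, 2022. If you want to read the original manuscript, please visit the Japan Strategic Research Forum official website.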