June 9, 2022

Handa Hospital suspended operations for 2 months due to cyberattack

According to a report published on June 7, a major hacker attack on a hospital in Tokushima Prefecture in October occurred after a firm disabled anti-virus software on the hospital's computers.

The firm reportedly was involved in providing an electronic medical record network to Handa Hospital in Tsurugi, Tokushima Prefecture.

The hospital, run by the Tsurugi town government, was forced to suspend its operations for about two months after being subjected to a ransomware attack.

The report was compiled by an expert panel established within the hospital. It said that, before the cyberattack occurred, the company had configured the Windows settings of the computers connected to the electronic medical record system to disable functions including anti-virus software and regular Windows updates.

These computers were among about 200 used in the hospital.

The firm said that it did so because these functions would have made the electronic medical record system unstable if they had not been disabled.

The report criticized the firm, saying it "prioritized enabling the electronic medical record system to operate over the security protection of the computers."

When regular Windows updates identify a security vulnerability on a computer, a program is sent to correct the problem. However, the report points out that Windows was never updated on the computers at the hospital. The report said: "Every single vulnerability existed in these computers."

The report also pointed out that a virtual private network (VPN) device that other companies set up at the hospital for maintenance of the electronic medical record system had never been updated.

A VPN enables people to connect to a private network within an organization that is separate from the internet.

As a result of the cyberattack, the data in the hospital’s electronic medical records was encrypted.

The hospital was forced to stop accepting emergency or new patients and had to use paper-based medical records.

The report noted that only one official was overseeing the hospital’s computer system when the hacker attack occurred.

This meant that the official couldn’t afford to spend the time and effort to protect the security of the computer network, the report said. The report also criticized the companies working for the hospital, saying they didn’t fulfill their responsibilities. For example, it said they didn’t inform the hospital of a program to update the VPN device, even though they were aware of it.

Shields Health Care Group also suffered a data breach that compromised personal information of nearly 2,000,000 people in the United States after threat actors breached their IT systems and stole data.