Public, private sectors must work together to strengthen defense

Cyber-attacks on medical institutions, which protect people’s lives and health, are extremely heinous. Police authorities need to conduct a thorough investigation to find the source of an attack and bring the perpetrators to justice.

The Osaka General Medical Center in Osaka City was hit by a cyber-attack. The electronic medical records system failed, severely limiting the number of surgeries and the admittance of emergency patients. Although the center’s operations are gradually being resumed, a full recovery will reportedly not be possible until January next year.

With 865 beds and 36 departments, the center is a base hospital that has also been designated by the government as an “advanced critical care and emergency center.” The central government and the Osaka prefectural government should support the restoration of the center’s functions and hasten to alleviate the concerns of patients and prefectural residents.

The failure was caused by ransomware, malware which is sent by attackers who demand money in exchange for data restoration. There is said to be a strong possibility that the ransomware infiltrated the center’s system via the food service vendor’s system.

The center had installed the latest security software, but the food service vendor had not updated the software on its equipment.

The government has been demanding that critical infrastructure providers, such as medical institutions and electric power companies, take thorough measures against cyber-attacks. However, the incident highlighted the fact that if the systems of external business partners are vulnerable, the function of the infrastructure itself will be compromised.

Providers of critical infrastructure must learn from this latest incident and strengthen safety measures by keeping a close eye on their entire supply chain. It is important that the government establishes a system for the public and private sectors to share information about cyber-attacks to prevent the spread of damage.

It is said that the criminal group that launched the cyber-attack could be deduced based on the investigation so far, but that it is not even known where the group is based — in Japan or abroad. The National Police Agency’s special cybercrime investigation squad, in cooperation with overseas investigative agencies, must hurry to uncover the full extent of the incident.

Cyber-attacks against Japan’s infrastructure and defense industry have been increasing recently. The involvement of national organizations overseas has also been confirmed — it is believed that Chinese cyber-attacks are seeking to steal information related to advanced technology and North Korean cyber-attacks are trying to obtain foreign currency.

The United States considers cyber-attacks a serious threat to its national security, and the U.S. Homeland Security Department and the U.S. military monitor cyberspace around the clock.

Japan should also consider establishing legislation for “active cyber defense” that enables the identification of the source of cyber-attacks. Discussion on this issue must be deepened while also taking into consideration the “secrecy of any means of communication” guaranteed by the Constitution.

The government plans to establish a new control tower to deal with measures against cyber-attacks. The working units of the police and Self-Defense Forces that handle cyber-attacks must cooperate with this control tower.

(From The Yomiuri Shimbun, Nov. 13, 2022)