Ministry to issue guidelines against ransomware attacks on hospitals

Photo: The Health, Labor and Welfare Ministry building (Yomiuri Shimbun file photo)

Following a spate of ransomware attacks targeting medical institutions, the Health, Labor and Welfare Ministry will compile information security guidelines designed for hospitals within fiscal 2021, which ends on March 31, 2022.

The guidelines will state that backup data, such as electronic medical records, should be kept separately from hospital networks in order to limit damage.

According to ministry sources, backup data could be infected with ransomware and become inaccessible if it is connected online to the hospital’s system. The ministry therefore will ask hospitals to save their backup data in a separate system, and also to specify the type of media to be used for saving it and the frequency of updates.

Infection of backup data could cause long-term problems. Tsurugi municipal Handa Hospital in Tokushima Prefecture, for example, suffered a cyber-attack on its backup data at the end of October, and it is expected to take about two months for the hospital to resume treatment as normal in the wake of the incident.

Under the guidelines, email senders will be urged not to attach files but instead to post the content as text on a message board, because viruses can hide in attached files. The guidelines will also ask hospitals to introduce anti-ransomware software and conduct cyberattack drills.

In 2005, the ministry drew up guidelines on information security in response to extensive use of electronic charts, and urged medical institutions to deploy a cybersecurity officer. These existing guidelines, however, are about 160 pages long, and the ministry plans to condense the contents and make them easier to understand. Its draft plan will be drawn up this month to undergo a public comment session in February before being officially issued.

Ryuichi Yamamoto, who heads the Tokyo-based Medical Information System Development Center and also is in charge of the team compiling the new guidelines, said, “We must create effective guidelines that can be understood and utilized easily to cope with the rampant cyber-attacks on medical institutions.”