NEC admits password complacency in Japan hospital patient data breach

A ransomware attack last year which led to disruptions in the digital medical records system of the Osaka General Medical Center in Japan for around two months was caused by the use of the same ID and password across the hospital’s medical records system.

NEC, the company that supplied the system back in 2018, has admitted that it was complacent on data security and would reconsider its approach and take “fundamental security measures.”

Details about the cyberattack were disclosed by a team of investigators that was dispatched by the Japanese government to unravel the details of the incident, reports Japanese daily, The Asahi Shimbun (TAS).

The ransomware attack, which happened in October last year, affected the emergency and outpatient care system on the digital patient records platform.

It emerged from the findings that about 2,000 of the hospital’s staff members used the same password with user IDs based on a consistent pattern to access the hospital’s computers.

The system also used chipped employee ID cards for authentication, and is described by a security professional in the report as “cosmetic.”

This, per the investigators, made it possible for hackers to get hold of the login details and access data on some of the computers where they encrypted it and asked for ransom, the publication recounts.

The probe disclosed that once the hackers got access to the system, they introduced a virus on the digital medical records server which then spread to other connected computers which were accessed using the same login details.

NEC reportedly told the outlet that it thought using the same ID and password would not pose any major cyberattack risks as it considered the hospital network system close and secure enough.

But in the wake of the incident, the company’s Director of Medical Solutions Division Seiichiro Nakajima admitted that they were “overconfident” in the way they built the Osaka hospital digital records management system.

NEC officials also told TAS that it did not install an anti-virus system on four of the servers that handle the core aspects of the digital records system, making it vulnerable to virus attacks.

In the meantime, the outlet mentions that a NEC finding last year revealed around 280 hospitals in Japan use a similar records system and each of about half of the number of hospitals uses the same login ID and password to access their computer system, which poses risk of cyberattacks.

Article Topics

cybersecurity  |  identity access management (IAM)  |  medical records  |  NEC  |  passwords