Japan Medical Association Executive Director
Director of Nagashima Orthopedics
Kimiyuki Nagashima
Graduated from Shimane Medical University School of Medicine. Obtained Doctor of Medicine degree from Jichi Medical University Graduate School. After working at a university hospital, he opened Nagashima Orthopedics in 1992 in Mibu-cho, Shimotsuga-gun, Tochigi Prefecture. He has been a member of the Japan Medical Association Medical IT Committee since 2010, a permanent director of the Tochigi Prefectural Medical Association since 2012, and a permanent director of the Japan Medical Association since 2018.
In recent years, Japanese medical institutions have been damaged by cyber attacks. In response to this, the government and the Japan Medical Association have recently launched a series of support measures for cybersecurity at medical institutions. We will ask Kimiyuki Nagashima, executive director of the Japan Medical Association, a clinician and expert in IT and medical systems, about the latest cyberattacks surrounding medical institutions and the Japan Medical Association's efforts in response.
Originally, medical institutions maintained the security of medical information by not connecting to external networks. However, with the introduction of cloud-based electronic medical records, participation in regional medical information collaboration networks, remote maintenance of in-hospital systems, and even online qualification confirmation that will become mandatory from April 2023, connections with external systems have become essential in recent years. As a result, the importance of cybersecurity is increasing.
The Ministry of Health, Labor and Welfare has established the "Guidelines for the Safety Management of Medical Information Systems" for the appropriate management of medical information such as electronic medical records. These guidelines have been reviewed as appropriate, and version 6.0 was published in May 2023. The features of this revision are that, in light of online qualification confirmation becoming mandatory in principle, the guidelines are divided into overview, business management, planning and management, and system operation sections, and that they categorize the information systems of medical institutions and set out compliance requirements and the thinking on information security.
However, it is difficult for medical institutions and nursing care providers to understand where to start just by looking at the guidelines, so in cooperation with the Japan Medical Association, the Ministry of Health, Labor and Welfare created the "Cybersecurity Measures Checklist for Medical Institutions" (hereinafter referred to as the "checklist") and published it in June 2023. A manual to support this checklist is also provided.
The Japan Medical Association began operating the "Japan Medical Association Cybersecurity Support System" in June 2022. It consists of three measures: a contact point for consultation in emergencies, a call to use the free site "Tokio Cyber Port" to strengthen security measures, and a temporary support system for medical institutions whose members have suffered a cyber attack or had their personal information leaked. In addition to Japan Medical Association A① members, other doctors and clerks of A① member medical institutions, nursing care service facilities, and business offices, as well as the secretariats of prefectural medical associations and of county, city, and ward medical associations, etc., can also use the service.
The consultation center has received more than 60 inquiries in the one year since its establishment, including "My electronic medical record was encrypted by ransomware," "What should I do to deal with a virus infection?" and "My website was hit by a cyberattack."
Furthermore, starting in October of this year, we plan to provide materials and videos explaining the Medical Information System Safety Management Guidelines, and also open a consultation desk regarding the guidelines.
The first important thing for medical institutions to do is to follow the checklist above to understand how all systems, including computers and medical equipment, both inside and outside the institution, are connected and where they are at risk. This requires the cooperation of vendors related to the supply chain.
We will also review and thoroughly enforce rules within medical institutions regarding information leaks caused by "people" such as leaving behind a laptop or taking out a USB drive.
It is also necessary to decide who will be responsible for managing the security of medical information systems, but many medical institutions cannot afford to hire a specialist. What I would like to propose is not to create a new department for cybersecurity, but to add cybersecurity work to the department responsible for medical safety, such as near-miss incidents. For example, we organize a communication network in the event of an incident such as "unusual characters appear on the computer screen" or "the printer won't stop printing", create a manual, and conduct training. The operation is exactly the same as medical safety.
I would like medical and nursing care professionals, especially those in management, to first check the items on this checklist. We also hope that you will take advantage of the Japan Medical Association's support system. At the consultation desk, we not only respond to actual cyber-attacks, but also provide detailed consultations such as questions about how to respond to checklists.
Medical institutions lack the knowledge, human resources, and financial resources to address cybersecurity. The Japan Medical Association will continue to request that the government move forward with support such as subsidies and human resource development.
The widespread use of online qualification confirmation will lead to the era of personal health records, where individuals carry medical information on their smartphones. The Japan Medical Association will continue to research and propose future-oriented cybersecurity.
Cybersecurity countermeasure checklist for medical institutions
https://www.mhlw.go.jp/content/10808000/001139055.pdf
Cybersecurity countermeasure checklist manual for medical institutions
https://www.mhlw.go.jp/content/10808000/001105752.pdf