TOKYO -- Hospitals have always had to be careful about the spread of infections. But in this modern era of networked healthcare, the danger of viruses has taken on new meaning. Threats from both opportunistic computer viruses and deliberate cyberattacks are part of the new reality.
Patient charts and other important personal information are now being entered into computers, instead of being written down. At the same time, computer networks are now linking hospitals with local pharmacies and households to provide more medical services to patients at home.
All of that is good for improving the efficiency of healthcare, but digital records make information more susceptible to hacking.
"White hat" hacker
Building a bulwark of protective security measures is fast becoming a matter of life and death. One company helping hospitals defend themselves from cyberattacks is IT venture Eyes, Japan in Fukushima Prefecture.
By acting as a "white hat" hacker -- an ethical hacker -- probing for holes in hospitals' networks, the company wants to help programmers develop security software for medical institutions.
Eyes, Japan checked for weaknesses in four kinds of software programs used by medical institutions. It discovered 39 holes in their defenses through which hackers could steal or alter data and gain control remotely.
Of those gaps, 27 concerned medical records for prescriptions and health insurance claims. Another 11 were related to MRI and other medical imaging devices, and one involved the total healthcare system.
Large hospitals, such as those affiliated with universities, have implemented strict protocols for handling private patient information. Their networks are closed systems cut off from the Internet, "but even they are vulnerable to attack," said Eyes, Japan President Jun Yamadera.
Danger on our doorstep
More hospitals are introducing tablet computers that connect wirelessly to the hospital server. Those devices are convenient to use, but all a hacker needs to do to steal personal patient information is park outside a hospital and hack its Wi-Fi network.
If a staff member's personal tablet is unknowingly infected with a virus and that device is connected to a hospital computer, the virus could then spread around the entire hospital.
It is also not hard to imagine somebody deliberately sticking a USB memory device into a hospital computer to steal information. "The danger is there on our doorstep," said Yasunori Yamamoto, an Oracle Japan executive officer.
Japan's hospitals have not faced any serious attacks yet, but if the U.S. is any example, it may be just a matter of time. Having started digitizing medical records earlier than Japan, the U.S. is now dealing with unintended consequences. At the start of the year, for example, the country's second-largest health insurer, Anthem, was hacked, putting the records of 80 million people at risk.
The global healthcare industry was the largest single victim of data breaches in 2014, accounting for 37%, according to the U.S. security software company Symantec. Hackers resold the stolen health data.
Medical devices themselves are also at risk. In a report released in March, Intel Security Group -- previously known as McAfee -- predicted cybercriminals might begin exploiting vulnerabilities in medical devices to cause harm, for example by "forcing an insulin pump to overdose a patient or instructing a heart implant to deliver a deadly jolt of electricity."
In Japan, financial institutions and other large corporations are fortifying their defenses against cyberattacks. But medical institutions are a different story. "They are naive," said Eiji Sasahara, a member of the board of the Healthcare Cloud Initiative.
The very unpreparedness of Japan's healthcare industry creates business opportunities for those who can help it strengthen its defenses against cyberattacks.
Deloitte Tohmatsu Consulting, a risk-management consultancy, began a service this spring offering to act like a "secret shopper" for hospitals. With client permission, it dispatches employees pretending to be regular people to see what areas of a hospital they can enter. They also masquerade as hospital workers to see if they can get passwords over the phone. The company then combines this with network technologies to propose comprehensive defense strategies.
Fujitsu, a leading provider of information systems to medical institutions, insists that systems be strictly managed by registering the serial numbers of all terminals in a hospital and denying access from any other devices.
Japanese IT service provider NEC watches globally for targeted threats to networks and moves quickly to link medical-related systems for centralized management.
Oracle Japan adopts a method called "defense in depth" for medical institutions in Japan, building security into the data itself for medical charts, health insurance claims, images and other data. With this arrangement, even if there is a breach of the hospital network, the health data itself remains in a form that is unreadable and unalterable.
As home care becomes more common in Japan, medical networks are spreading wider, linking the central hospital in a region with local clinics, pharmacies, nursing care facilities, and even homes.
In these far-flung networks, cyberdefense is no longer a problem just for IT companies and government agencies. The dangers will linger until medical institutions wake up to the threat, and even local clinics realize that things are not OK just because their patient information is not directly connected to the Internet.