In October 2022, Osaka General Medical Center suffered a ransomware attack, which disabled its medical record system and caused significant disruption. Many would have faltered – but the hospital managed to turn the crisis into an opportunity and decided to undergo an institution-wide security revamp, prompting major IT investment.
Osaka General Medical Center is an emergency medical service centre operated by the Osaka Prefectural Hospital Organization. It is one of the largest hospitals in the city.
On the day of Halloween, October 31st, 2022, it suffered a major ransomware attack that cut access to its medical systems, disrupting outpatient care, scheduled operations, and new emergency admissions for roughly two months.
But today, three years later, Osaka General Medical Center serves as an example of an institution that managed to turn the attack into a valuable lesson – and emerged more tech resilient as a result.
The day of the attack
On October 31st, hackers disabled access to Osaka General Medical Center’s electronic medical records and demanded a ransom. They managed to get access via a common security issue: reused login credentials (ID and passwords) within the hospital’s systems, which allowed the malware to spread following the initial network breach.
On top of that, around 2,000 staff members were assigned the same password to access hospital computers. According to NEC Corp., which supplied the hospital’s electronic medical record system, each member was required to enter a different authentication code after tapping their IC card, which, upon authentication, would send a common password and an individual ID for each staff member to allow access to the electronic medical records system.
However, the code followed a regular pattern, and the password turned out to be reused across staff members, which posed a high risk of external infiltration.
NEC later said that it suggested using the same password as it generally considered the risk of cyberattack to be low, as it believed the network in the Osaka hospital was an isolated one.
NEC also explained it had not installed antivirus software on four of the roughly 100 servers that run the core part of the electronic medical records system, based on the assumption that the hospital’s network was isolated.
It wasn’t – in fact, the network was connected to a food service contractor’s system. Once the attackers accessed the provider’s system, they managed to spread the malware because the electronic medical record server shared the same ID and password as other internal servers.
The aftermath
Osaka General Medical Center was forced to halt new outpatient admissions and surgeries. Although the operations were gradually resumed, it wasn’t until January of the following year that the full restoration of medical functions was achieved.
Following the attack, the hospital claimed damages of about ¥2 billion ($12.8 million) and reached a settlement in which three private contractors, whose systems were linked to the intrusion route, agreed to pay the hospital ¥1 billion ($6.4 million).
Although there is no confirmation as to whether the ransom was paid, at the time, the hospital insisted that it would not negotiate with the attackers.
The security revamp
Following the attack, Osaka General Medical Center partnered with Microsoft for a security upgrade, made generous investments into digital tools, and introduced better security flows across the hospital.
The hospital president, Takeshi Shimazu, said: “We were due to replace our sixth-generation systems anyway by March 2024. But after the ransomware attack, we realized that the same cybersecurity measures wouldn’t be enough. So, we had to decide between adding something new to the seventh-generation system or do a complete overhaul.”
They went with a systems upgrade from an existing vendor, but “added a Microsoft environment on top of that.”
According to Microsoft, since 2024, the institution has deployed Microsoft Defender to identify threats and block malware, and Microsoft Entra ID to control access to its network, both on-premises and in the Microsoft Azure cloud.
As part of its transition to a zero-trust architecture, the hospital now requires its staff to enable multi-factor authentication for logging into the system, including security badges, chip readers, facial recognition software, and passkeys. Access is strictly limited to job-necessary tasks.This approach essentially means that no one is trusted by default and should be verified before proceeding to start each session.
The tech team also actively monitors security updates and sends out patches for the hospital’s 200 servers and 2,300 computers.
“At the time we didn’t understand VPNs or firewalls inside the hospital well,” said Awakura of the administration office, according to Microsoft. “So, we didn’t realize how important these monitoring systems were.”
Part of the hospital’s core system, including consultation records and prescription orders, has also been migrated to the cloud, using Microsoft Azure.
Staff members now use Teams and SharePoint to “share images while protecting patient confidentiality,” said Dr. Haku Tanaka, one of Osaka General’s neurosurgeons. Before that, the team had what they describe as “top-down communication”, having to track down individual email addresses.
Workplace reforms have also made hospital employees more efficient and can contribute to a healthier work-life balance.
And yet, challenges remain. Shimazu acknowledged that Japanese hospitals are struggling financially, so every decision to invest in technology “is a tough one.” That is why they are focusing on using the tools they have to their maximum potential.
For instance, the management has turned to younger employees for fresh ideas. A cited example is an idea of a digital patient feedback form taken from the Young Members Teams Utilisation Project. It allows patients to access the forms using a QR code – and saves people in charge of feedback time reviewing the responses.
Artificial intelligence (AI) also finds its use at Osaka General Medical Center. Staff members are already using Microsoft's AI-powered conversational assistant, Copilot Chat, to organize opinions aired at meetings, summarize the issues, and suggest next steps. Nurses also tend to use it to summarize information and find missing details in their work – and would like to see more AI support in the future.
For Osaka General, the ransomware attack marked a turning point, reinforcing the lesson that prevention is far less costly than recovery.
Your email address will not be published. Required fields are markedmarked