ASOURCE Times

Medical institution systems are connected to the outside world,
Cybersecurity is becoming increasingly important

Originally, medical institutions maintained the security of medical information by not connecting to external networks. However, with the introduction of cloud-based electronic medical records, participation in regional medical information collaboration networks, remote maintenance of in-hospital systems, and even online qualification confirmation that will become mandatory from April 2023, connections with external systems have become increasingly important in recent years. has become essential. As a result, the importance of cybersecurity is increasing.

　厚生労働省（以下「厚労省」）は、電子カルテなどの医療情報の適切な管理のために「医療情報システムの安全管理に関するガイドライン」を定めています。このガイドラインは適宜見直しが行われており、2023年5月には第6.0版が公表されました。今回の見直しの特徴は、オンライン資格確認の原則義務化を背景に、概説編、経営管理編、企画管理編、システム運用編とに分けて、また、医療機関の情報システムを類型化して、医療情報の安全に関する遵守事項や考え方を示した点です。

　ただ、ガイドラインを見るだけでは、医療機関や介護事業者が何から始めればいいかがわかりにくいため、日本医師会協力のもと、厚労省が「医療機関におけるサイバーセキュリティ対策チェックリスト」（以下「チェックリスト」）を作成し、2023年6月に公表しました。このチェックリストに対応するためのマニュアルも併せて示されています。

“Japan Medical Association Cybersecurity Support System”
make use of

The Japan Medical Association began operating the "Japan Medical Association Cybersecurity Support System" in June 2022. Three points are available: a contact point for consultation in emergencies, a call to use the free site "Tokio Cyber Port" to strengthen security measures, and a temporary support system for medical institutions whose members have suffered a cyber attack or had their personal information leaked. It is a measure. In addition to Nichiyo A① members, other doctors and clerks of A① member medical institutions, nursing care service facilities, and business offices, as well as the secretariats of prefectural medical associations and medical associations in districts, cities, and districts, etc., can also use the service.

The consultation center has received more than 60 inquiries in the one year since its establishment, including ``My electronic medical record was encrypted by ransomware,'' ``What should I do to deal with a virus infection?'' and ``My website was attacked by a cyberattack.'' I received a consultation.

Furthermore, starting in October of this year, we plan to provide materials and videos explaining the Medical Information System Safety Management Guidelines, and also open a consultation desk regarding the guidelines.

Adding cybersecurity to the medical safety system

The first important thing for medical institutions to do is to follow the checklist above to understand how all systems, including computers and medical equipment, both inside and outside the institution, are connected and where they are at risk. This requires the cooperation of vendors related to the supply chain.

We will also review and thoroughly enforce rules within medical institutions regarding information leaks caused by "people" such as leaving behind a laptop or taking out a USB drive.

It is also necessary to decide who will be responsible for managing the security of medical information systems, but many medical institutions cannot afford to hire a specialist. What I would like to propose is not to create a new department for cybersecurity, but to add cybersecurity work to the department responsible for medical safety, such as near-miss incidents. For example, we organize a communication network in the event of an incident such as ``unusual characters appear on the computer screen'' or ``the printer won't stop printing'', create a manual, and conduct training. The operation is exactly the same as medical safety.

I would like medical and nursing care professionals, especially those in management, to first check the items on this checklist. We also hope that you will take advantage of the Japan Medical Association's support system. At the consultation desk, we not only respond to actual cyber-attacks, but also provide detailed consultations such as questions about how to respond to checklists.

Medical institutions lack the knowledge, human resources, and financial resources to address cybersecurity. The Japan Medical Association will continue to request that the government move forward with support such as subsidies and human resource development.

The widespread use of online qualification confirmation will lead to the era of personal health records, where individuals carry medical information on their smartphones. The Japan Medical Association will continue to research and propose future-oriented cybersecurity.

Cybersecurity countermeasure checklist for medical institutions
https://www.mhlw.go.jp/content/10808000/001139055.pdf

Cybersecurity countermeasure checklist manual for medical institutions
https://www.mhlw.go.jp/content/10808000/001105752.pdf