Medical organizations and IT vendors should bear part of the cyber damage

A document released on August 24 by the Japan Medical Association Policy Research Institute (Nichi-Isouken), a body that studies and plans medical policy, is causing controversy on social media. Regarding contracts and the sharing of responsibility between medical institutions and system vendors, it states that, based on the "principle of good faith", if the vendor's explanation of risks is insufficient, "the vendor may be held to a certain degree of responsibility toward the medical institution even if the contract says nothing about it."

The title of the document is "Responsibilities of System Vendors Regarding Cyber Incidents: To Promote Medical DX." It takes the view that, because of the gap in expertise between medical institutions and vendors, the system vendor has an incidental obligation based on the principle of good faith, namely the obligation to appropriately provide the information the medical institution needs in order to fulfill its own safety management obligations.

The "principle of good faith" is a legal principle that parties should act so as not to betray each other's trust. According to the document, if a vendor does not appropriately provide information about known vulnerabilities and a problem then arises from one of those vulnerabilities, the vendor can be held to a certain degree of responsibility on the grounds of a breach of the principle of good faith, even if nothing to that effect is stated in the maintenance contract.

On the other hand, according to the Japan Medical Research Institute, if the obligation to provide information is not specified in the maintenance contract, it is unlikely that a vendor will be recognized as having an implicit obligation to provide it. Cases in which the vendor's responsibility can actually be questioned are therefore considered "extremely rare."

According to a questionnaire survey conducted by the Japan Medical Research Institute in fiscal 2022 (4 cases in total), there were no cases in which a system maintenance contract stipulated a vendor obligation to inform the medical institution about risks such as vulnerability information. There was only one case in which vulnerability information had actually been disclosed, and only one case in which the vendor bore a certain percentage of the damage caused by a cyber attack.

In response to this opinion, some on Twitter said, "Maybe we should include the obligation to provide information in the contract" and "It seems like no one will want to deal with the medical industry."

According to the Japan Medical Research Institute, maintenance contracts to date have generally focused on maintenance inspections and troubleshooting, and have rarely specified security measures. If medical institutions request security measures, they will likely be asked to pay higher contract fees, and the institute argues that the government should help cover the costs.

Medical institutions have been suffering from ransomware attacks since 2021. Starting with the case of Tsurugi Town Handa Hospital in Tokushima Prefecture, this became a social issue, and in April 2011 the Ministry of Health, Labor and Welfare enacted the "Ministerial Ordinance to Partially Amend the Enforcement Regulations of the Medical Care Act." It requires medical institutions to "take the necessary measures to ensure cybersecurity to avoid significant disruption to the provision of medical care."