
Aizawa Hospital

Aizawa Hospital in Matsumoto City, Japan, is a leading regional medical institution providing advanced acute care, cancer treatment, robotic surgery, and ICT-driven healthcare.

Building secure, resilient infrastructure in a digitally-driven hospital

Jiseikai Aizawa Hospital is a leading acute care provider that plays a vital role in the region’s healthcare system. The hospital is also recognized as a progressive institution driving medical digital transformation (DX), with a focus on improving care quality and creating a more supportive work environment for its staff. Supporting this mission is the Medical Information Systems Department at Jiseikai Headquarters, which manages the hospital’s ICT infrastructure to ensure that patients, medical professionals, and administrative staff can access and deliver care in a secure and reliable environment. The eight-member team handles a broad range of responsibilities, from help desk support to full-scale system operations, all without relying heavily on external vendors.

One of the department’s pressing challenges was the lack of visibility into the hospital’s internal network. A wide variety of devices, including Electronic Medical Record (EMR) systems, radiology equipment, and other clinical systems, are connected to the network. However, the hospital’s existing security relied primarily on perimeter-based defenses such as firewalls, making it difficult to detect suspicious activity occurring within the network itself.

This issue has become more urgent in recent years, as even devices like CT scanners and MRI control systems now run general-purpose operating systems, creating new attack surfaces. Several ransomware incidents in Japan have involved the encryption of data on such devices. While the hospital considered deploying solutions such as endpoint detection and response (EDR) to enhance endpoint protection, regulatory and operational constraints around medical devices made it difficult to apply these tools uniformly. Even if endpoint security were to be introduced, the team would still need to manage devices where it is not possible to install agents.

Faced with these realities, Obinata and his team turned their focus to achieving full visibility and monitoring across the network.

“If we can visualize and understand activity across the entire network,” said Takayuki Obinata, “we can detect incidents the moment they occur—before they penetrate deeper into the environment and cause irreversible damage.”

Balancing security and simplicity: Why Darktrace fit

Based on these requirements, Obinata and his team began evaluating available solutions and ultimately selected Darktrace / NETWORK for network detection and response (NDR).

The two main deciding factors were its port mirroring-based architecture, which passively monitors network traffic and requires minimal changes to existing infrastructure, and its AI-driven anomaly detection with real-time autonomous response. Since the hospital already had infrastructure in place to aggregate network traffic, the team saw strong value in a solution that could be implemented without costly redesigns or added operational overhead.

What stood out the most was the platform’s autonomous response capability that instantly blocks suspicious activity.

“For example, if signs of an attack appear outside of office hours, the system can immediately stop the communication and give us time to respond. That kind of ‘buying time’ is extremely valuable for us,” said Obinata.

After learning about Darktrace, the hospital conducted a ‘proof of value’ assessment to test the solution in their environment. During the evaluation, Obinata was impressed by the near-instantaneous reaction time, from detection to notification to the activation of response actions.

“With many flow-based NDR products, you need to integrate them with an authentication server and configure the system to shut down switch ports when abnormal traffic is detected,” said Obinata. “In contrast, Darktrace works right out of the box. We only had to connect and configure a single appliance, and it handled both detection and response autonomously. That kind of simplicity and completeness made it a highly cost-effective solution.”

Other key advantages included its intuitive user interface, the ability to retain and leverage learning data from the proof of value phase, customizable detection models, and hands-on regional support from Darktrace’s team in Japan, all of which contributed to the final decision.

In December 2024, approximately five months after completing the proof of value assessment, the hospital formally placed the order for Darktrace / NETWORK, with full-scale deployment beginning in January 2025.

Real-time protection in action: Results and what’s next

Since going live with Darktrace / NETWORK, the sense of uncertainty about what might be happening on the network has shifted to a sense of confidence in having visibility and control, according to Obinata. Events that previously would have gone unnoticed or taken significant time to detect, such as suspicious use of administrator privileges or behavior resembling Command and Control (C2) activity, are now detected and alerted on in real time, often within seconds or virtually instantaneously, Obinata emphasizes.

Obinata recalls one particular incident that drove home the value of Darktrace’s capabilities.

Shortly after deployment, the autonomous response function was triggered several times in response to abnormal behavior. Upon investigation, it was discovered that files were being modified via an exploit targeting a vulnerability in the SMB file-sharing protocol. The root cause was that a device – expected to have SMBv1 disabled – had been delivered with the protocol inexplicably enabled. Obinata credits Darktrace with enabling the team to identify and contain the issue before it escalated into a serious incident.

Looking ahead, the team plans to expand its use of Darktrace by integrating it with other systems and moving toward an eXtended Detection and Response (XDR)-like architecture. The goal is to build a more advanced, multi-layered security framework that can deliver effective protection even within the resource constraints typical of a healthcare environment.

What made the deployment a success

For Aizawa Hospital, the success of the deployment came down to two key factors: the ability to implement Darktrace / NETWORK as an agentless solution, requiring minimal changes to their existing infrastructure, and the platform’s powerful combination of AI-driven anomaly detection and autonomous threat response. Together, these capabilities enabled the hospital to enhance its network security posture without overburdening its limited resources, delivering both peace of mind and operational resilience.
