Sofukai Foundation Okayama Kyokuto Hospital

Okayama Kyokuto Hospital strengthened ransomware resilience by gaining network-wide visibility and autonomously detecting and containing anomalies with AI, enabling a small IT team to protect clinical operations and improve the reliability of its healthcare delivery system.
800 IP-connected devices
214 beds
2-person security team
Company overview

Okayama Kyokuto Hospital is a community‑focused general hospital in Okayama, delivering specialized care across 13 clinical departments while investing in technology and patient‑ce

Industry: Healthcare and pharmaceuticals
Number of employees: 250-1000
APJ

A regional wake-up call for healthcare security

Okayama Kyokuto Hospital, with 214 beds, has long embraced information and communication technology (ICT). About 500 staff members used roughly 800 IP-connected devices daily. These included PCs, servers, printers, and diagnostic equipment like CT and MRI systems.

However, as digital infrastructure expanded, concerns about cyber threats escalated.

The alarm intensified in October 2021, when a hospital in neighboring Tokushima Prefecture suffered a ransomware attack that rapidly encrypted electronic medical records and backup data, paralyzing clinical operations.

At the time, Okayama Kyokuto Hospital had implemented a range of security controls, deploying several endpoint security solutions across operational devices and using vendor-mandated security software within the isolated electronic medical records (EMR) network. These safeguards largely embodied a perimeter-based defense model. Yet it became evident that perimeter defenses alone fell short.

Beyond the limits of perimeter security

There was another challenge. Security tools varied across devices, making it difficult for the IT team to maintain a unified view of activity inside the network. While external threats could be monitored, internal communications between systems remained largely opaque.

Without clear visibility into internal network behavior, it was difficult to determine whether everyday activity was truly normal or quietly drifting toward risk.

“We needed visibility and protection that matched the speed of modern cyber threats,” said Yoshihiro Sakakibara, CIO and Head of the Information Systems Office.

This growing uncertainty prompted the hospital to begin exploring alternative security approaches. During this process, the team encountered the Darktrace ActiveAI Security Platform, a solution designed to monitor network activity holistically and continuously learn normal behavior across all connected devices to identify anomalies. Unlike traditional, rule-based security tools, the platform focuses on understanding how systems typically interact, enabling it to detect subtle deviations that may signal emerging threats.

Proof of value exposes risks invisible to rule-based defenses

Okayama Kyokuto Hospital initiated a proof-of-value (*) evaluation in February 2022. To minimize operational impact, the assessment initially focused only on endpoints connected to the internet.

(*) Proof of Value: a four-week pre-deployment evaluation.

Even within this limited scope, the results were revealing. The system quickly identified communication patterns that did not align with established norms yet failed to trigger alerts from existing rule-based endpoint products. Darktrace’s AI surfaced activity the team “didn’t even know to look for,” exposing subtle risks long before they could escalate.

This discovery marked a turning point in how the hospital understood its environment. Instead of viewing network activity as a collection of isolated events, the IT team began to see it as an interconnected system of behaviors. As Sakakibara explained, this was the first time the hospital had gained “a live, accurate picture of every connection inside the hospital.”

Crucially, Darktrace was the only solution to surface these signals. Existing endpoint security products generated no alerts.

Seeing the hospital as one living network

As the trial progressed, the hospital’s understanding of its own network began to shift. Instead of fixed rules and thresholds, Darktrace’s Self-Learning AI lets the hospital observe behavior in context and learn what is normal for its environment. This proved valuable in healthcare, where usage patterns vary with time, workload, and emergencies. By focusing on deviations from established baselines, the hospital could distinguish routine fluctuations from activity that truly needed attention.

This network-wide visibility also laid the groundwork for a more proactive response. As confidence in detection grew, the hospital saw the potential to move beyond passive monitoring and toward timely intervention. This shift came from Autonomous Response, a feature within Darktrace ActiveAI that can automatically contain high-risk activity when needed. For a hospital with a small security team of two staff, responding quickly without constant human oversight was a major shift in managing cyber risk.

“We were able to react within seconds, even during nights, weekends, or holidays, a capability that proved invaluable for a hospital with limited staffing,” Sakakibara explains.

From perimeter defense to operational resilience

By December 2022, Okayama Kyokuto Hospital expanded monitoring to include all devices with IP addresses capable of connecting to the EMR network, including those accessed via VPN.

Following deployment, multiple security alerts were generated, including rapid EMR terminal access to multiple servers and significant file deletions on internal file servers. All activity was traced to authorized third-party vendors and assessed as low risk. Identifying these previously unmonitored internal risks fulfilled the hospital's security objectives and met the security team's expectations.

In addition, for Autonomous Response, the team set up communication blocking with controls for time, day, and severity. Depending on conditions, responses needed manual approval or ran fully autonomously, allowing immediate containment after hours.

Together, these steps marked a substantial shift from legacy perimeter-based defenses to a more resilient, behavior-driven security architecture. As Sakakibara pointed out, adopting AI-driven security was "not just a technical enhancement; it was a strategic investment in the operational continuity of our healthcare ecosystem."

Key takeaways
