Case study: Osaka Prefectural Government

Protecting the People of Osaka with Swift Implementation and Measures to Address Cyber Threats

Project information

Osaka Prefectural Government

Solutions from WithSecure
WithSecure™ Cloud Protection for Salesforce

Government agency, public sector


Short description
Osaka Prefecture is a central city in western Japan with a population in excess of 8.8 million. With the aim of measures to address COVID-19 and recovery from the COVID-19 pandemic, Osaka Prefectural Government is prioritizing “promotion of maximum measures to address infection for the protection of life,” “promotion of initiatives for the recovery of the economy and industry and the support of jobs affected by the COVID-19 pandemic,” and “enhancement of safety nets supporting people’s lives.” Address : 2-1, Otemae, Chuo-ku, Osaka-shi, 540-8570 URL:

In response to the national government’s policy of revising the tracking of all infections in measures to address COVID-19, Osaka Prefectural Government built and began operating its own system for registration of infected people. 

Registration of an infected person requires image files of an identification document and a test result to be uploaded. Strengthening anti-malware measures was unavoidable for preventing the risk of cyber attacks caused by uploaded images when doing so. To address this, Osaka Prefectural Government adopted WithSecure™ Cloud Protection for Salesforce because it was possible to quickly implement content scanning in a Salesforce environment that could not be supported by conventional endpoint protection products in a system utilizing Salesforce. Operation of an infection registration system ensuring security was achieved.

Measures urgently needed to be taken to address malware concealed in images uploaded to the public system

Osaka Prefectural Government is constantly taking pioneering steps to address COVID-19. In addition to its own measures such as the “Osaka Model” that is an indicator of the spread of infection and the state of stress on the healthcare system, it is engaged in measures  effectively utilizing ICT.

One such example is the “Osaka-Covid19- Information-System” (O-CIS). It is a system aimed at sharing information such as application details and customer information with relevant personnel such as health centers and accommodation care facilities to coordinate accommodation and hospitalization for the care of COVID-19 patients.

Information was previously shared using spreadsheet software combined with e-mail, telephone and fax, but the introduction of O-CIS enabled unification of information and real-time sharing of information, and brought about the simplification of administrative processes. Before O-CIS was implemented, at least two days were required for the accommodation procedures for people infected with COVID-19, and procedures can now be completed as quickly as the same day since the system was implemented. Furthermore, it enables real-time tracking of bed occupancy by medical institutions, and also significantly contributes to the visualization of data. The platform used by Osaka Prefectural Government for this system is Salesforce.

Meanwhile, in response to the announcement on September 12, 2022 by the national government to revise the policy of tracking all infections reported, Osaka Prefectural Government newly opened the “Osaka Prefecture Infection Registration Center” on O-CIS, and created a system enabling people infected with COVID-19 to directly register their status. When an infected person registers, it is necessary to upload image files of an identification document such as a driver’s license and test result documentation. For this reason, a key point was ensuring security by adding a function to mitigate the risk of cyber attacks caused by uploaded images.

Shinji Teraoka, Senior Manager of the Infectious Disease Control Support Division in the Public Health and Medical Administration Office within Osaka Prefectural Government Department of Public Health and Medical Affairs reflected, “If a person posing as a citizen of Osaka uploads an image containing malware, O-CIS would be subject to significant damage. Also, uploading of images on O-CIS was previously utilized by limited members in medical institutions, but ensuring additional security through anti-malware was essential for allowing registration by people infected with COVID-19. In addition, being able to implement this in a short period to enable registration by people infected with COVID-19 as soon as possible was also a high-priority requirement.

Opened an infection registration system equipped with anti-malware using CPSF in a short period

Based on these requirements, Osaka Prefectural Government received a proposal from the company supporting implementation, and decided to adopt WithSecure™ Cloud Protection for Salesforce (CPSF). It is a cloud-based solution for protecting user companies and users from cyber attacks using malicious files and URLs uploaded to a Salesforce environment. CPSF was jointly designed and developed with Salesforce, and ensures reliability and seamless integration with the Salesforce environment. It can be easily implemented without requiring middleware through native cloud-to-cloud integration with Salesforce. CPSF is designed to supplement the native security functions of the Salesforce environment, and is designed to keep latency felt by users to a minimum and maintain the original ease of use of Salesforce.

Teraoka says CPSF was adopted because “Mitigating cyber risks caused by uploaded images was an important requirement. In addition, being able to reliably launch the system in a short period within a limited time was an absolute requirement. With regard to that point, CPSF was the optimal solution for our requirements.”

The O-CIS upgrade was completed, and registration with the Osaka Prefecture Infection Registration Center began, with operation starting on September 30 due to being able to implement and commence operation of the system in a short period. CPSF itself can be implemented on Salesforce in minutes, so acceptance of delivery including verification was completed in one day.

It is also highly regarded for its ease of operation. When registering positive test results, all image files uploaded by citizens of Osaka are automatically scanned to detect malware. The Osaka Prefectural Government personnel in charge of O-CIS also require no special training, and these is little administrative burden because any image assessed to be harmful is automatically deleted or blocked.

“We rate it highly because security is ensured and both citizens and personnel can use the system without being conscious of CPSF. It has been operated without any major problems, and approximately 480,000 infections have been registered as of January 31, 2023.” (Teraoka)

Anti-malware measures using CPSF will continue in future in the system for uploading images by citizens. In addition, CPSF is also expected to provide additional functions related to uploading images. “Although they do not contain malware, images unrelated to identification documents and test result documentation may be uploaded. The content is currently checked visually to delete such images, but if CPSF is equipped with a mechanism using image recognition AI to automatically detect and delete such images, we think it could be used in more situations other than O-CIS.” (Teraoka)

O-CIS as a whole will also be quickly upgraded with the necessary addition of functions to strengthen the system for protecting the people of Osaka from COVID-19. In addition, there are also plans to utilize O-CIS more effectively while implementing DX (digital transformation).

Location implementing CPSF

Osaka Prefectural Government’s infection registration form. CPSF is used to detect malware when images of identification documents and test results are uploaded.

* This case study was prepared based on information current as of February 9, 2023.

Required field.

Invalid field.

Required field.

Invalid field.

Required field.

Invalid field.

Required field.

Invalid field.

Required field.

Invalid field.

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.