One after another the calls came in from hospitals; criminals were infecting computer networks in a mass hack that was putting countless lives at risk. At Bucharest’s national cyber-security centre (DNSC) they watched helplessly as the hackers spread across Romania through a popular piece of medical software.
Cyber-chief Dan Cimpean had a tough decision to make, but it was the only option they had.
The order went out to more than 100 hospitals. Disconnect from the internet, now.
The cyber-attack on Romania’s hospitals in February 2024 is one of the worst to target healthcare systems around the world, but these incidents are becoming increasingly common.
Healthcare is now the most targeted area of critical national infrastructure, the FBI has said recently.
Cutting off 100 hospitals in Romania from the internet stopped the hackers in their tracks, buying time to work out how bad the attack was.
But it meant no connected devices, emails or web browsers.
Medical staff had to switch to pen and paper, improvising workarounds to protect patients while IT teams scrambled and the national cyber response centre tried to find out how the hackers had got in – and how they could stop them.
Their actions over four days from 10 February 2024, and those of the doctors and nurses, have been widely praised.
How they reacted and how they coped has become a test case for disaster planners internationally, as officials look for advice on responding to a mass hospital hack.
Surgeon Oana Goidescu was on shift at Buzău Hospital, 120km (75 miles) north-east of Bucharest, when the alert came that attackers had breached Bucharest-based software firm RSC, burrowing into a widely used medical system called Hippocrates.
“It was quite an unpleasant experience, because an IT record is not just a list of patients,” she said. “For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone.”
Hippocrates is used by doctors, nurses and surgeons to manage everything from admissions to payroll, pharmacy logistics and test results.
Quietly, the cyber-attackers had begun infecting hospitals across the country that used the system with a ransomware strain called BackMyData. Files were being scrambled into gibberish and the demand was a ransom in bitcoin.
Staff at Pitești children’s hospital, north-west of Bucharest, were the first to notice errors on Sunday morning, the day after the attack had begun.
By dawn on Monday, many other hospitals had reported the Hippocrates system was down.
With hospitals offline, the cyber-experts worked closely with the Hippocrates maker to work out how many systems had been infected and kick the hackers out.
Hospital doctors responded by creating workarounds to protect patients until things were back online.
“When we saw the system would not be repaired quickly, we developed an offline method so we could register every patient,” said Vlad Paic from Carol Davila Hospital in Bucharest.
“We asked the laboratory to give us results on paper. We used Excel and other offline tools to ensure care was not affected.”
Some doctors said the fallback to more analogue processes was helped by Romania’s relatively recent shift to digital systems.
Cyber-investigators worked through the night and found 26 hospitals had been infected with BackMyData.
The next day, uninfected hospitals were brought back online with added protections.
The DNSC says part of the success of the operation was how they used the media to communicate with hospitals and the public.
Public messaging urged patients to avoid hospitals unless necessary.
But waiting rooms were still filling up and Goidescu said some frustrated patients took their anger out on staff.
“We were asked, ‘What if it were your mother?’ They were right to be angry, but we tried to explain we were not at fault,” she said.
Another key message was that hospitals should not contact the hackers or pay the ransom.
The attackers had demanded €160,000 (£138,000; $183,000) in bitcoin, but a national decision was taken not to pay. At hospitals still offline, IT teams raced to restore systems from backups.
Most had relatively recent copies of their data – a key lesson. Regular backups allow organisations to recover more quickly.
Within five days, most hospitals were back online and operating close to normal, with no reported deaths or serious harm to patients.
It would take weeks longer to input all the new information recorded on paper during the outage. Some data was lost forever.
Police are not commenting on their investigation into who was behind the attack.
However, last year a ransomware gang linked to BackMyData had its website taken down in an international operation.
Four Russians were arrested outside Russia, whose authorities do not co-operate with Western law enforcement.
Cimpean said the attack could have happened anywhere.
“The more technology you have, the more digitised you are, the greater the risk,” he said.
Last year the UK’s NHS health service confirmed that a hack on a blood testing company, which affected around a dozen medical centres in London, contributed to a patient’s death.
It was the first case of a death officially linked to a cyber-attack.
Around the same time, Change Healthcare in the US was hacked, leading to widespread disruption. The company paid a $22m (£16m) ransom to hackers.
Hackers also caused chaos later in the year with an attack on another US healthcare provider called Ascension.
Alina Bîzgă from Bucharest-based cyber-security firm Bitdefender says attacks on hospitals are attractive to criminals who try to cause chaos for money.
“Hospitals handle critical services, and the criminals think that the more disruption that can be caused, the more likely they are to get paid a ransom,” she said.
By BBC News

