Widespread Cyberattack Targets Romanian Healthcare
In February 2024, Romania's national cyber-security center (DNSC) faced a critical situation as a sophisticated cyberattack rapidly spread across the country's hospital networks. The criminals exploited a popular medical software system, threatening to incapacitate essential healthcare services. Cyber-chief Dan Cimpean made the decisive, albeit drastic, call to instruct more than 100 hospitals to immediately disconnect from the internet.
This incident is recognized as one of the most severe cyberattacks on healthcare systems globally, highlighting a growing trend. The FBI recently identified healthcare as the most frequently targeted sector within critical national infrastructure.
Manual Workarounds and Coordinated Response
The immediate disconnection effectively halted the attackers' progress, providing crucial time for experts to assess the extent of the breach. However, it also meant that medical staff had to revert to entirely manual processes, without access to connected devices, email, or web browsers. Doctors and nurses improvised workarounds, using pen and paper to manage patient admissions, lab requests, and medication orders, while IT teams worked tirelessly to restore systems.
Dr. Oana Goidescu, a surgeon at Buzău Hospital, described the challenge: "It was quite an unpleasant experience, because an IT record is not just a list of patients. For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone." The 'Hippocrates' system, which was compromised, is central to managing various hospital operations, from payroll to test results.
The ransomware, named 'BackMyData,' encrypted files and demanded a ransom in Bitcoin. The attack began on a Sunday. Staff at Pitești children's hospital were among the first to detect anomalies, and by Monday morning many other hospitals were reporting system outages.
Recovery Efforts and Key Lessons
Working closely with the software vendor, cyber-experts identified 26 hospitals that had been infected. Dr. Vlad Paic from Carol Davila Hospital in Bucharest explained their adaptation: "When we saw the system would not be repaired quickly, we developed an offline method so we could register every patient. We asked the laboratory to give us results on paper. We used Excel and other offline tools to ensure care was not affected." Some medical professionals noted that Romania's relatively recent digitization of healthcare systems made the return to analogue methods somewhat more manageable.
Uninfected hospitals were brought back online with enhanced security measures. The DNSC also used the media to advise the public, urging patients to avoid hospitals unless absolutely necessary. Despite some patient frustration, the national decision was made not to pay the attackers' demand of €160,000 in Bitcoin. Hospitals focused on restoring systems from backups, a strategy that proved vital: most had recent copies of their data, which enabled a quicker recovery.
Within five days, most hospitals were largely operational again, with no reported deaths or serious patient harm directly attributable to the attack. Although some data was permanently lost, and weeks were required to re-enter manually recorded information, the response was widely commended.
The Broader Threat Landscape
While police have not commented on the ongoing investigation into the perpetrators, a ransomware group associated with BackMyData had its website dismantled in an international operation last year, leading to arrests outside Russia. Dan Cimpean warned that such attacks could occur anywhere, stating, "The more technology you have, the more digitised you are, the greater the risk."
Recent incidents globally underscore this vulnerability. The UK's NHS confirmed a patient death linked to a cyberattack on a blood testing company last year. In the US, Change Healthcare paid a $22 million ransom after a hack, and another provider, Ascension, also experienced significant disruption. Alina Bîzgă from Bitdefender noted that hospitals are attractive targets for criminals due to the critical nature of their services, which increases the likelihood of ransom payments.
Source: How 100 hospitals switched to pen and paper to defeat a national cyber-attack