Romanian Hospitals Thwart Cyberattack by Reverting to Analog Systems

Widespread Cyberattack Targets Romanian Healthcare

In February 2024, a major cyberattack impacted over 100 hospitals across Romania, prompting a swift and decisive response from national cybersecurity authorities. The incident, which saw criminal elements infect computer networks through a widely used medical software system, highlighted the growing vulnerability of critical infrastructure to cyber threats.

According to reports, the attack spread rapidly through the Hippocrates medical software, used by numerous hospitals for everything from patient admissions to pharmacy logistics. The perpetrators deployed a ransomware strain known as BackMyData, encrypting files and demanding a ransom in Bitcoin.

Emergency Disconnection and Analog Workarounds

Upon detecting the widespread infection, Romania's national cyber-security center (DNSC) made the critical decision to order more than 100 hospitals to disconnect from the internet. This drastic measure effectively halted the hackers' advance, buying crucial time for IT teams to assess the damage and formulate a recovery plan.

The disconnection meant medical staff had to revert to manual processes, utilizing pen and paper for patient records, lab requests, and medication management. Dr. Oana Goidescu, a surgeon at Buzău Hospital, described the challenge: "For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone." Hospitals improvised, creating offline registration methods and requesting paper results from laboratories to ensure patient care remained uninterrupted.

"When we saw the system would not be repaired quickly, we developed an offline method so we could register every patient," said Vlad Paic from Carol Davila Hospital in Bucharest. "We asked the laboratory to give us results on paper. We used Excel and other offline tools to ensure care was not affected."

This rapid adaptation to analog systems has been lauded internationally as a successful case study for managing mass hospital cyberattacks.

Investigation and Recovery Efforts

Cyber-investigators worked tirelessly to identify the extent of the breach, ultimately discovering that 26 hospitals had been directly infected with the BackMyData ransomware. The attackers demanded €160,000 in Bitcoin, but a national decision was made not to pay the ransom.

During the crisis, the DNSC effectively used public messaging to communicate with hospitals and the public, advising patients to avoid hospitals unless absolutely necessary. Despite some patient frustration, medical staff continued their efforts to provide care.

A key factor in the recovery was the availability of recent data backups at most affected hospitals. Within five days, the majority of hospitals were back online and operating near normal capacity, with no reported deaths or serious patient harm directly attributable to the attack. However, it took weeks to manually input the information recorded during the outage, and some data was permanently lost.

The Broader Context of Healthcare Cyberattacks

This incident in Romania underscores a global trend: healthcare systems are increasingly becoming prime targets for cybercriminals. The FBI has identified healthcare as the most targeted sector of critical national infrastructure. Recent incidents in other countries, such as the UK's NHS and various US healthcare providers, further illustrate this escalating threat.

Alina Bîzgă from Bitdefender, a Bucharest-based cybersecurity firm, explained the motivation: "Hospitals handle critical services, and the criminals think that the more disruption that can be caused, the more likely they are to get paid a ransom."

While police have not commented on the ongoing investigation into the perpetrators, a ransomware group linked to BackMyData had its website taken down in an international operation last year, leading to arrests outside Russia.

Source: How 100 Romanian hospitals switched to pen and paper to defeat a national cyber-attack