How 100 Romanian hospitals switched to pen and paper to defeat a national cyber-attack

Calls came from hospitals one after another; criminals were infecting computer networks in a mass attack that put countless lives at risk.
At Bucharest’s national cyber security center (DNSC), they watched helplessly as hackers spread across Romania via a popular medical software.
Cyber chief Dan Cimpean had a tough decision to make, but it was the only option they had.
The order was sent to more than 100 hospitals. Disconnect your internet connection immediately.
Cyber attack on hospitals in Romania in February 2024 It is one of the worst events to target healthcare systems worldwide, but these events are becoming increasingly common.
Healthcare is now the most targeted area of critical national infrastructure, the FBI said recently.
Cutting off the internet connection to 100 hospitals in Romania stopped the hackers and bought them time to figure out how bad the attack was.
But this meant no connected devices, emails or web browsers.
While IT teams scrambled and the national cyber response center tried to figure out how hackers got in and how to stop them, medical staff had to turn to pen and paper, improvising workarounds to protect patients.
Their actions and the actions of doctors and nurses for four days starting from February 10, 2024 were greatly appreciated.
As authorities seek advice on responding to a mass hospital hack, how they respond and cope has become a test case for international disaster planners.
Dan Cimpean (left), head of Romania’s Cyber Security Directorate, was responsible for coordinating the crisis response [BBC]
Surgeon Oana Goidescu was on shift at Buzău Hospital, 120 km (75 miles) northeast of Bucharest, when the alert came that attackers had breached Bucharest-based software firm RSC and broken into a widely used medical system called Hippocrates.
“It was a pretty unpleasant experience because the CT records are not just a list of patients,” he said. “We require lab tests, radiology, medications and supplies for every patient. All of that is gone.”
Hippocrates is used by doctors, nurses, and surgeons to manage everything from admissions to payroll, pharmacy logistics, and test results.
Cyber attackers had quietly begun infecting hospitals across the country using the system with a type of ransomware called BackMyData. Files were being shuffled around pointlessly and the demand was for a ransom in bitcoins.
Staff at Pitești children’s hospital, northwest of Bucharest, were the first to notice the errors on Sunday morning, the day after the attack began.
At dawn on Monday, many other hospitals reported that the Hippocratic system had collapsed.
While hospitals were offline, cyber experts worked closely with Hippocrates’ creator to figure out how many systems were infected and flush out the hackers.
Hospital doctors responded by creating workarounds to protect patients until things came back online.
“When we saw that the system could not be repaired quickly, we developed an offline method to be able to register each patient,” said Vlad Paic from Carol Davila Hospital in Bucharest.
“We asked the lab to provide results on paper. We used Excel and other offline tools to ensure maintenance was not affected.”
Some doctors said the return to more analog processes was helped by Romania’s relatively recent switch to digital systems.
Cyber researchers worked through the night and found that 26 hospitals were infected with BackMyData.
As the communications officer of the national cybersecurity center, Mihai Rotariu took it upon himself to regularly update the media during the attack. [BBC]
The next day, uninfected hospitals were brought back online with additional protections.
DNSC says part of the success of the operation is due to how they use media to communicate with hospitals and the public.
Public messages urged patients to stay away from hospitals unless necessary.
But waiting rooms were still filling up, and Goidescu said some angry patients were taking their anger out on staff.
“We were asked, ‘What if it was your mother?’ he was asked. “They were right to be angry, but we tried to explain that we were not at fault,” he said.
Another important message was that hospitals should not contact hackers or pay ransoms.
After malware all files were renamed and became unusable [BBC]
The attackers had demanded €160,000 (£138,000; $183,000) in Bitcoin, but a national decision was made not to pay.
In hospitals still offline, IT teams raced to restore systems from backups.
Most had relatively new copies of their data; This was an important lesson. Regular backups allow organizations to recover faster.
Within five days, most hospitals were back online and operating near normal; No deaths or serious harm to patients were reported.
It will take weeks longer to enter all the new information recorded on paper during the outage. Some data is lost forever.
Police are not commenting on their investigation into who was behind the attack.
However, last year, the website of a ransomware gang linked to BackMyData was shut down in an international operation.
Four Russians were arrested outside Russia, whose authorities did not cooperate with Western law enforcement.
Cimpean said the attack could have happened anywhere.
“The more technology you have, the more digital you become, the greater the risk,” he said.
Last year, England’s NHS healthcare service confirmed that an attack on a blood testing company had affected nearly a dozen medical centers in London. Contributed to the death of a patient.
This was the first death officially linked to a cyberattack.
Around the same time, Change Healthcare in the US was hacked, causing widespread disruption. The company paid a $22 million (£16 million) ransom to hackers.
Hackers also caused chaos by attacking another US healthcare provider called Ascension later in the year.
Alina Bîzgă from Bucharest-based cybersecurity firm Bitdefender says attacks on hospitals are attractive to criminals trying to create chaos for money.
“Hospitals run critical services and criminals think the more disruption there is, the more likely they are to get a ransom,” he said.
On 23 June, the BBC World Service is launching a Romanian-language offering called BBC News România, which will serve audiences in Romania, Moldova and wider Europe with trusted journalism. It will be published on the BBC News Romania website, Facebook and Instagram.



