A quick-thinking cyber security chief in Romania helped 100 national hospitals thwart efforts by hackers to completely infiltrate their systems but the attack, in February 2024, is still regarded as one of the worst to target healthcare systems around the world, reports the BBC.
One after another the calls had come in from hospitals; criminals were infecting computer networks in a mass hack jeopardising countless lives.
At Bucharest’s national cyber-security centre (DNSC) they watched helplessly as the hackers spread across Romania through a popular piece of medical software.
Cyber-chief Dan Cimpean made a tough decision – the only option they had. The order went out to more than 100 hospitals across Romania. Disconnect from the internet, now.
Cutting off the 100 hospitals from the internet stopped the hackers in their tracks, buying time to work out how bad the attack was, but it meant no connected devices, emails or web browsers.
Medical staff had to switch to pen and paper, improvising workarounds to protect patients while IT teams scrambled and the national cyber response centre tried to find out how the hackers had got in – and how they could stop them.
Their actions over four days, from 10 February 2024, and those of the doctors and nurses, have been widely praised.
How they reacted and how they coped has become a test case for disaster planners internationally, as officials look for advice on responding to a mass hospital hack.
Surgeon Oana Goidescu was on shift at Buzău Hospital when the alert came that attackers had breached Bucharest-based software firm RSC, burrowing into a widely used medical system called Hippocrates.
“It was an unpleasant experience, because an IT record is not just a list of patients,” she said. “For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone.”
Hippocrates is used by doctors, nurses and surgeons to manage everything from admissions to payroll, pharmacy logistics and test results.
The cyber-attackers had begun infecting hospitals countrywide that used the system, with a ransomware strain called BackMyData. Files were being scrambled into gibberish and the demand was a ransom in bitcoin.
Staff at Pitești Children’s Hospital were the first to notice errors on Sunday morning, the day after the attack had begun. By dawn on Monday, many other hospitals had reported the Hippocrates system was down.
With hospitals offline, the cyber experts worked closely with the Hippocrates maker to work out how many systems had been infected and kick out the hackers.
Hospital doctors responded by creating workarounds to protect patients until things were back online.
“When we saw the system would not be repaired quickly, we developed an offline method so we could register every patient,” said Vlad Paic from Carol Davila Hospital in Bucharest.
“We asked the laboratory to give us results on paper. We used Excel and other offline tools to ensure care was not affected.”
Cyber investigators worked through the night and found 26 hospitals had been infected with BackMyData.
The next day, uninfected hospitals were brought back online with added protections. Public messaging urged patients to avoid hospitals unless necessary.
A key message was that hospitals should not contact the hackers or pay the ransom. The attackers had demanded €160 000 in bitcoin, but a national decision was taken not to pay.
At hospitals still offline, IT teams raced to restore systems from backups. Most had relatively recent copies of their data – a key lesson. Regular backups allow organisations to recover more quickly.
Within five days, most hospitals were back online and operating close to normal, with no reported deaths or serious harm to patients.
However, it would take weeks longer to input all the new information recorded on paper during the outage. Some data were lost forever.
Police are not commenting on their investigation into who was behind the attack, but last year a ransomware gang linked to BackMyData had its website taken down in an international operation.
Four Russians were arrested outside Russia, whose authorities do not co-operate with Western law enforcement.
Cimpean said the attack could have happened anywhere.
“The more technology you have, the more digitised you are, the greater the risk,” he said.
Incidents like these are becoming increasingly common, with the FBI recently saying that healthcare is now the most targeted area of critical national infrastructure.
Last year Britain’s NHS confirmed that a hack on a blood-testing company which affected at least a dozen medical centres in London had contributed to a patient’s death.
It was the first case of a death officially linked to a cyber-attack.
Around the same time, Change Healthcare in the US was also hacked, leading to widespread disruption. The company paid a $22m ransom to hackers. Hackers also caused chaos later in the year with an attack on another US healthcare provider called Ascension.
See more from MedicalBrief archives:
Cyber hackers target South Africa’s healthcare system
NHLS targets dented by 2024 cyber attack
Cyber attacks create havoc in state hospitals in SA, and globally
Cyber thieves post patients’ data stolen from Australian medical insurer