How a European country managed to defeat a cyber attack against its hospitals thanks to pencil and paper
For four days, dozens of Romanian hospitals were offline as cyber experts tried to defeat the hackers.
The calls from the hospitals followed one after another; Criminals were infecting computer networks in a massive attack that put countless lives at risk.
At the National Cybersecurity Center (DNSC) in Bucharest, they watched helplessly as hackers spread throughout Romania through a popular medical software program.
Cybersecurity manager Dan Cimpean had a difficult decision to make, but it was the only option they had.
More than 100 hospitals were ordered to disconnect from the Internet, immediately.
The cyberattack against hospitals in Romania in February 2024 is one of the worst that health systems around the world have suffered, but these types of incidents are becoming more common.
As the FBI recently stated, healthcare is currently the most attacked sector of critical national infrastructure.
The disconnection of the Internet from 100 Romanian hospitals stopped the hackers in their tracks, buying time to assess the severity of the attack.
But that meant running out of connected devices, email, and web browsers.
Medical staff had to resort to pen and paper, improvising solutions to protect patients while IT teams scrambled to act and the national cyber response center tried to figure out how the hackers had gotten in and how they could stop them.
The actions of doctors, nurses and administrators during that February 10 and the other three days in which the crisis spread have been widely praised.
His reaction and way of dealing with the situation have become a reference case for those responsible for disaster planning internationally, as authorities seek advice on how to respond to a massive computer attack on a hospital.
Payment in bitcoins
Surgeon Oana Goidescu was on duty at the Buzău hospital, 120km northeast of Bucharest, when the alert came that attackers had accessed the Bucharest-based software company RSC and had broken into a widely used medical system called Hippocrates.
“It was a rather unpleasant experience, because a computer file is not just a list of patients,” he says. "For each patient, we ordered lab tests, radiology, medications and supplies. All of that was gone."
Hippocrates is used by doctors, nurses, and surgeons to manage everything from revenue to payroll, pharmaceutical logistics, and test results.
Stealthily, cybercriminals had begun infecting hospitals across the country that used the system with a ransomware variant called BackMyData. The files were altered to gibberish and a ransom in bitcoins was demanded.
Staff at the children's hospital in Pitești, northwest of Bucharest, were the first to spot the errors on Sunday morning, the day after the attack began.
By dawn on Monday, many other hospitals had reported that the Hippocrates system was out of service.
With hospitals offline, cybersecurity experts worked closely with the maker of Hippocrates to determine how many systems had been infected and flush out the hackers.
Hospital doctors responded by creating stopgap solutions to protect patients until things returned to normal.
“When we saw that the system would not be repaired quickly, we developed an offline method to be able to register all patients,” explains Vlad Paic, from the Carol Davila Hospital in Bucharest.
"We asked the lab to give us the results on paper. We used Excel and other offline tools to make sure care was not affected."
According to some doctors, Romania's relatively recent shift to digital systems contributed to the adoption of more analogue processes.
Researchers worked through the night and discovered that 26 hospitals had been infected with BackMyData.
The next day, uninfected hospitals were back up and running with additional protections.
Backups
The DNSC claims that part of the operation's success was due to the way they used the media to communicate with hospitals and the public.
Public messages urged patients to avoid hospitals unless necessary.
But the waiting rooms continued to fill up, and Goidescu says some frustrated patients took out their anger on staff.
“They asked us: 'What if it was your mother?' They were right to be angry, but we tried to explain to them that it was not our fault,” he says.
Another key message was that hospitals should not contact hackers or pay the ransom.
The attackers had demanded 160,000 euros ($183,000) in bitcoins, but a national decision was made not to pay.
At hospitals that were not yet connected, IT teams scrambled to restore systems from backups.
Most had relatively recent copies of their data, which is a key lesson. Regular backups allow organizations to recover more quickly.
Within five days, most hospitals were back online and operating almost normally, with no deaths or serious harm to patients reported.
It would take weeks more to enter all the new information recorded on paper during the service interruption. Some data was lost forever.
Police have not commented on their investigation to determine who was behind the attack.
However, last year, a ransomware gang linked to BackMyData saw its website taken down in an international operation.
Four Russians were detained outside Russia, whose authorities do not cooperate with Western law enforcement.
Cimpean claims the attack could have happened anywhere.
“The more technology you have, the more digitalized you are, the greater the risk,” he says.
The greater the desperation, the greater the possibility of rescue.
Last year, the United Kingdom's National Health Service (NHS) confirmed that a cyber attack on a blood testing company, which affected a dozen medical centers in London, contributed to the death of a patient.
It was the first case of death officially linked to a cyberattack.
Around the same time, Change Healthcare, in the United States, suffered a computer attack that caused serious disruption. The company paid the hackers a ransom of US$22 million.
Hackers also caused chaos at the end of the year with an attack on another American healthcare provider called Ascension.
Alina Bîzgă of Bucharest-based cybersecurity company Bitdefender says attacks on hospitals are attractive to criminals seeking to cause chaos in exchange for money.
“Hospitals run critical services, and criminals think that the more disruption they can cause, the more likely they are to be paid a ransom,” he says.
On 23 June, BBC World Service launched a Romanian-language platform, BBC News România, to deliver trusted journalism to audiences in Romania, Moldova and the rest of Europe. BBC News România will be available on its website, on Facebook and on Instagram.
This article was originally written in English and we used an artificial intelligence tool to translate it. A BBC journalist reviewed the text before publication. Learn more about how we use AI.

