In a dramatic response to a widespread cyberattack in February 2024, Romanian officials made the critical decision to pull the plug on internet access for more than 100 hospitals nationwide. This unprecedented move, orchestrated by cyber-chief Dan Cimpean, aimed to halt the spread of a ransomware attack that had begun to cripple digital systems across the country's healthcare infrastructure.
While successful in containing the threat, the shutdown plunged hospitals back into an analog era, forcing doctors and nurses to abandon screens and digital records in favor of pens, paper, and manual processes. This challenging transition highlighted the resilience of medical staff and the vulnerabilities of modern healthcare systems.
Nationwide Shutdown to Combat Ransomware
The attack began to unfold on a Sunday morning, with staff at Pitești children's hospital among the first to report system failures. By Monday, the ransomware, identified as BackMyData, had infected 26 hospitals, scrambling files and demanding a ransom payment in bitcoin. The hackers targeted the Hippocrates medical system, used for everything from patient admissions and pharmacy management to test results and payroll.
Witnessing the rapid progression of the attack through vulnerabilities in medical software, the national cyber-security centre (DNSC) in Bucharest decided on a drastic course of action: disconnect affected hospitals from the internet. This swift intervention prevented the attackers from gaining further control but left medical facilities operating without essential digital tools.
Hospitals Revert to Manual Systems
The immediate aftermath of the shutdown was chaotic. Doctors, like surgeon Oana Goidescu at Buzău Hospital, found themselves unable to access crucial patient data, order tests digitally, or manage prescriptions. "It was quite an unpleasant experience, because an IT record is not just a list of patients," Goidescu explained, detailing the loss of access to lab tests, radiology, medicines, and supplies.
In response, hospital staff quickly devised temporary, offline methods to ensure continuous patient care. Vlad Paic from Carol Davila Hospital in Bucharest described how they "developed an offline method so we could register every patient." Laboratories began providing results on paper, and staff utilized basic offline tools like Excel to manage operations. Some doctors noted that Romania's relatively recent shift to digital healthcare meant many staff still remembered older manual methods, aiding the adaptation.
Refusal to Pay Ransom, Focus on Recovery
The attackers demanded €160,000 (approximately $183,000 USD) in bitcoin. However, Romanian authorities firmly decided against negotiating or paying the ransom. Instead, hospitals collaborated with IT teams to restore systems using backups. Fortunately, most facilities maintained relatively recent data copies, significantly accelerating the recovery process.
Within five days, the majority of hospitals were back online and operating near normal capacity. While no deaths or serious patient harm were reported, staff spent weeks manually transferring paper records back into digital systems, and some data was permanently lost.
Healthcare: A Growing Target for Cybercriminals
Cybersecurity experts warn that healthcare systems are increasingly becoming prime targets for cyberattacks. Alina Bîzgă from Bucharest-based cyber-security firm Bitdefender highlighted that criminals target hospitals because they provide essential services. "The more disruption that can be caused, the more likely they are to get paid a ransom," she stated.
The FBI has echoed these concerns, identifying healthcare as one of the most targeted sectors of critical national infrastructure. This incident in Romania serves as a stark reminder of the escalating risks as more services migrate online, underscoring the urgent need for robust cybersecurity measures in the medical field worldwide.