How 100 Romanian hospitals switched to pen and paper to defeat a national cyber-attack

How 100 Romanian hospitals switched to pen and paper to defeat a national cyber-attack Just now Share Save Add as preferred on Google Joe Tidy Cyber Correspondent, World Service, Romania BBC Surgeon Oana Goidescu was on shift when her hospital was hit by the cyber attack One after another the calls came in from hospitals; criminals were infecting computer networks in a mass hack that was putting countless lives at risk. At Bucharest's national cyber-security centre (DNSC) they watched helplessly as the hackers spread across Romania through a popular piece of medical software. Cyber-chief Dan Cimpean had a tough decision to make, but it was the only option they had. The order went out to more than 100 hospitals. Disconnect from the internet, now. The cyber-attack on Romania's hospitals in February 2024 is one of the worst to target healthcare systems around the world, but these incidents are becoming increasingly common. Healthcare is now the most targeted area of critical national infrastructure, the FBI has said recently. Cutting off 100 hospitals in Romania from the internet stopped the hackers in their tracks, buying time to work out how bad the attack was. But it meant no connected devices, emails or web browsers. Medical staff had to switch to pen and paper, improvising workarounds to protect patients while IT teams scrambled and the national cyber response centre tried to find out how the hackers had got in - and how they could stop them. Their actions over four days from 10 February 2024, and those of the doctors and nurses, have been widely praised. How they reacted and how they coped has become a test case for disaster planners internationally, as officials look for advice on responding to a mass hospital hack. As head of Romania's Cyber-Security Directorate Dan Cimpean (L) was in charge of co-ordinating the crisis response Surgeon Oana Goidescu was on shift at Buzău Hospital, 120km (75 miles) north-east of Bucharest, when the alert came that attackers had breached Bucharest-based software firm RSC, burrowing into a widely used medical system called Hippocrates. "It was quite an unpleasant experience, because an IT record is not just a list of patients," she said. "For each patient, we request lab tests, radiology, medicines and supplies. All of that was gone." Hippocrates is used by doctors, nurses and surgeons to manage everything from admissions to payroll, pharmacy logistics and test results. Quietly, the cyber-attackers had begun infecting hospitals across the country that used the system with a ransomware strain called BackMyData. Files were being scrambled into gibberish and the demand was a ransom in bitcoin. Staff at Pitești children's hospital, north-west of Bucharest, were the first to notice errors on Sunday morning, the day after the attack had begun. By dawn on Monday, many other hospitals had reported the Hippocrates system was down. With hospitals offline, the cyber-experts worked closely with the Hippocrates maker to wor