In February 2024, Romania’s healthcare system faced one of the most severe cyber-attacks globally, impacting over 100 hospitals nationwide. The coordinated assault saw criminal elements infiltrate computer networks through a widely used medical software system called Hippocrates. As the ransomware, identified as BackMyData, rapidly encrypted vital patient data and operational files, the National Cyber-Security Centre (DNSC) in Bucharest was forced to make a critical decision. Under the leadership of cyber-chief Dan Cimpean, an unprecedented order was issued: disconnect all affected hospitals from the internet immediately to halt the spread and mitigate further damage.

The sudden disconnection plunged medical facilities into an analog era, forcing doctors, nurses, and administrative staff to revert to manual processes. Surgeon Oana Goidescu at Buzău Hospital recounted the chaos, explaining how the loss of digital records for lab tests, radiology, medications, and supplies created immense challenges. Hippocrates, a system integral to everything from patient admissions and payroll to pharmacy logistics and test results, was rendered unusable. Staff improvised rapidly, developing offline methods to register patients, requesting paper results from laboratories, and utilizing basic tools like Excel to ensure continuous patient care. This swift adaptation, though arduous, was crucial in protecting lives during the four-day outage.

Investigators worked tirelessly with the software maker to identify the extent of the infection, ultimately confirming 26 hospitals had been compromised by BackMyData. A ransom demand of €160,000 in Bitcoin was issued by the attackers, but a national decision was made not to comply. Instead, IT teams focused on restoring systems from recent backups, a practice highlighted as a key factor in the relatively quick recovery. Within five days, most hospitals were back online, operating near normal capacity, with no reported patient deaths or serious harm directly attributable to the attack. While some data was permanently lost and weeks were spent manually inputting paper records, the response has been lauded internationally as a model for managing mass hospital cyber incidents.

The incident underscores a growing global vulnerability, with the FBI recently identifying healthcare as the most targeted sector of critical national infrastructure. Experts like Alina Bîzgă from Bitdefender note that hospitals are attractive targets due to the critical nature of their services, which criminals believe increases the likelihood of ransom payments. This trend is evident in other recent high-profile attacks, including a UK NHS blood testing company breach linked to a patient death, and significant disruptions to US providers like Change Healthcare and Ascension, with Change Healthcare reportedly paying a $22 million ransom. The Romanian experience serves as a stark reminder that while technology advances, so too must resilience strategies, emphasizing the need for robust backup systems and decisive crisis management in the face of escalating cyber threats.

Key Takeaways

• Romanian hospitals successfully mitigated a major cyber-attack in February 2024 by disconnecting from the internet and reverting to manual operations.
• The incident, which involved the BackMyData ransomware targeting the Hippocrates medical software, highlighted the critical importance of robust data backups and decisive crisis management.
• The response has become an international case study, underscoring healthcare's increasing vulnerability to cyber threats and the need for resilient strategies against such attacks.

Editor’s Analysis & Impact

This incident in Romania provides a crucial blueprint for healthcare systems globally facing escalating cyber threats. The decisive action to disconnect and the rapid adaptation to analog processes prevented a potentially catastrophic outcome, demonstrating that human ingenuity and preparedness can be powerful defenses against sophisticated digital attacks. The healthcare sector remains a prime target for ransomware, driven by the critical nature of its services and the perceived willingness to pay ransoms. This event reinforces the urgent need for significant investment in cybersecurity infrastructure, regular staff training, and comprehensive disaster recovery plans, particularly robust backup strategies. The broader implication is a shift in focus from solely preventing attacks to building resilience and rapid recovery capabilities, acknowledging that breaches are increasingly inevitable.

Frequently Asked Questions

Q: What was the primary cause of the cyber-attack on Romanian hospitals?
A: The cyber-attack was caused by the BackMyData ransomware strain, which infiltrated hospital networks through a widely used medical software system called Hippocrates.

Q: How did Romanian hospitals manage to continue operations during the cyber-attack?
A: Hospitals managed by disconnecting from the internet, reverting to manual, pen-and-paper record-keeping, and implementing improvised offline workarounds for patient registration, lab results, and medication management.

Q: What was the outcome of the ransom demand made by the attackers?
A: The attackers demanded €160,000 in Bitcoin, but a national decision was made not to pay the ransom. Instead, efforts focused on restoring systems from backups, which proved successful in bringing most hospitals back online within five days.