The cyber attack on the Hospital Clínic de Barcelona, ​​from within: "It was like taking a trip back in time"

The Hospital Clínic has returned to pen and paper prescriptions.

And to the headaches in the hospital pharmacy to understand the doctor's handwriting.

And to the queues at the doors of the laboratory in search of the results of the analyzes.

The cyberattack that last Sunday rendered its entire computer system useless has turned the care operations of the reference hospital for 540,000 Barcelona residents upside down: 4,000 tests, 11,000 external consultations and more than 300 interventions have stopped.

And while the police investigations continue - the cybercriminals are asking for 4.5 million dollars to release the data - and the technicians try to restore the system, the health workers have used rudimentary processes and analog work techniques to save as much healthcare activity as possible. :

The expertise —and the memory— of the seniors, returning to the work dynamics of their youth, has been imposed by necessity before the incredulous gaze of the youngest.

“It has been like taking a trip back in time,” comments Ana Alonso, Liver Pathology care coordinator, as she keeps papers and more papers in a small filing cabinet.

The cyberattack was an early riser, recalls Antoni Castells, the center's medical director.

He almost got them out of bed.

It was a few minutes after half past eight on Sunday morning when the duty officer raised the first alarm: the system had failed.

He could not access the SAP, which is like "the hospital's Excel", in the words of Castells, where all the care activity is stored.

The technicians began looking for the failure and it didn't take long for them to suspect the worst, recalls David Vidal, director of Information Systems at the center: "A technician tells me: 'I have five server passwords, I've tried and none of them work for me' .

Intuitively, that already smelled like a cyberattack to me.”

After 11 in the morning, the center reported the incident to the Catalan Cybersecurity Agency and the crisis cabinet was launched.

More information

“We are in a global cyberwar and those who can make a difference neither accept nor understand it”

Sunday was relatively saved because activity is limited and the hospital had a kind of contingency plan that allows professionals to have access to basic patient data to continue working: on specific computers, they had downloaded information, basically about treatments , that could be printed and worked on.

By hand, of course.

The big problem was Monday.

And on Tuesday.

And on Wednesday… The volume of activity during the week, with visits to the specialist, tests and interventions, is much greater than on a Sunday and the hospital had its system in black.

Because he did not know, he did not know who he had an appointment with or how to communicate with the patients, Castells emphasizes: “We were totally incommunicado, we did not have access to the patient's history, nor to his telephone number or his email to be able to notify.

We also did not have an intranet and you could not circulate any type of information about the contingency plan ”.

Ransomware

(contraction of the English terms

, ransom, and

,

computer program) is a type of cyber attack that encrypts the data of a system and then demands a ransom in exchange for releasing it.

The recommendation of the authorities, as the Generalitat has said, is not to pay.

Among other things, because there are no guarantees that this will help.

The most widely used attack vector is email, usually in the form of false invoices or package deliveries that appear to come from trusted sources (

) and that contain a link or attachment.

If the victim clicks on it, it will download all the malicious code and the computer will be infected, no matter how many protection and antivirus systems are available.

Another common way of sneaking problematic

onto computers is to take advantage of the fact that computers are often outdated and therefore do not patch the latest security holes detected.

Cybercriminals know how to exploit these gaps and insert their ransomware through them.

Between rage, frustration and anger, those present admit in those first hours of uncertainty after the cyberattack, the hospital's management leadership began to draw up the action plan.

The safety of the patients came first and the pressure of care in the center had to be reduced, especially through the emergencies.

Castells set up a WhatsApp group with the directors of the main hospitals in Barcelona and the Medical Emergency System to coordinate the diversion of the most serious patients likely to reach the Clinic, such as those with stroke and heart attack codes (rapid intervention circuits for this class of sick).

Meanwhile, Gemma Martínez, director of Nursing, toured the intensive care units to ensure operation:

“Each patient has their monitor and there was a central one that collected everything.

If they are connected by cable, the information arrives, but if they are connected by Wi-Fi, no.

What the nursing staff did was personally distribute themselves through the boxes ”to ensure control of critical patients, he explains.

They also reviewed the devices in the operating rooms and the surgical techniques that could be done with the system down and saw if it was feasible to maintain the activity of the day hospital on Monday and of some tests, such as endoscopies or CT scans.

The radiotherapy of about twenty patients who could not delay the treatment, was sent to the Sant Pau hospital due to the impossibility of carrying it out at the Clínic.

Castells assures that the life of no patient has been in danger, but they have been "very complicated" days.

The experience of the seniors, to the rescue

With their hands —computerically— tied, the inventiveness and experience of the seniors took over the hospital.

The pen returned to the gowns and old forms were dusted off, such as laboratory requests, double copy sheets and nursing charts, to put everything in writing, says Martínez.

“The good thing was the knowledge of the senior people in the hospital to say: 'Hey, we have to go back to get the pen.'

People immediately rewound all their brain cells and got going."

Luckily there was the phone to ask each other for favors and WhatsApp, which "has saved this hospital," says Alonso sardonically.

“The patient has always been 100% cared for.

He has not lacked medication or anything.

For him, everything normal.

For us, normality has been like taking a trip back in time.

And those of us who have been working quickly for more than 25 years have taken the contingency.

The new digital generations have had a harder time, because immediacy is clearly not given.

But they have known how to adapt and become dynamic”.

Ana Alonso, care coordinator of Liver Pathology, keeps documentation of admitted patients in a folder. ESTER DELGADO (HOSPITAL CLÍNIC)

Where this return in time has been most noticeable is in the highly computerized hospital pharmacy.

“Medications are kept in a smart, electronic cabinet.

And on Sunday and Monday, they did not know where what was ”, reflects Castell.

Another example: chemotherapy doses, which are customarily prepared with a robot, have had to be done manually.

The logistics of the entire pharmaceutical part have been complicated in all directions and it has been necessary to spend a shoe: since the cyberattack, each change in medication has to be reported manually, that is, going up and down from the plant to the pharmacy to report it.

Another place where rush, papers and white coats accumulate is at the doors of the Core laboratory, where thousands of blood and urine samples from every corner of the hospital are analyzed every day.

It's been years since you've seen those queues waiting for paper results, or folders overflowing with printed petitions with handwritten annotations and results stapled on top.

Until a week ago, everything was automated through a large robot that crossed the laboratory from end to end and processed the samples and their results by computer.

“Now we have to do everything by hand.

Not the [browsing] the tests part, but the return of the results, for example, from the analyzers to the screens of the clinicians reviewing the results, doesn't work and you have to print everything.

Around him, dozens of technicians and other health workers battle with hundreds of papers and, in a kind of assembly line, they gather, staple and check that each request matches what has been analyzed.

On the first day of the cyberattack, Bedini recalls, they even had to transcribe all the results by hand because the printers were connected to the network and not all of them could be printed.

“What we decided on Monday is that we had to do the job however we could.

And we had to look for alternatives.

It has been shown once again that technology is important, but, in the end, the main thing is people and without the group of technicians we have, it would have been impossible”.

restricted system access

The Clínic's computer scientists continue to work against the clock to recover the system.

Vidal assures that the cyberattack has reached 70% of the hospital system.

“Despite the fact that at first the feeling was that everything had fallen, the attack did not reach our central system, which is the SAP, which was still alive.

And we made an alternative way to access that system: with a direct connection to secure computers, we had access to the clinical history.

The only difficulty is that it is restricted because from a machine that we normally have 10, now we go to one”.

Computer hijacking is one of the attack modalities most used by cybercriminals.

They account for 65% of the total, according to data from S21sec.

A report by ESET, another cybersecurity company, places Spain as the second country in the world (only behind Japan) in which the most new methods of stealing information have been detected in the month of February.

"We must take measures so that an unpatched vulnerability, poor permission and password management or not knowing which critical systems need more protection can pose a serious problem for the organization," says Josep Albons, research director at ESET Spain.

The head of the center's systems estimates that as of last Thursday, cybercriminals were circulating through the Clínic's computer systems.

“The entry vector is, with high probability,

100% security does not exist.

In all systems there are always weak links in the chain and the first weak link is human beings, who are the ones who sting”, he points out.

Ransom House, the group that has launched the attack, usually acts like this, explains Marc Rivero, Kaspersky cybersecurity analyst: “They are experts in attacking software versions that are out of date and in using fine-tuned phishing

[techniques to deceive the victim by posing as a trusted person or company] in order to compromise user accounts.”

Raül Roca, CEO of the cybersecurity company Grail Cyber ​​Tech, assures that "it is extremely difficult to get rid of a targeted attack" and appeals to prudence.

“What worries us most in these cases is the persistence of the attackers in the compromised system, who are still inside.

You have to do the restoration of the systems in a thorough way, making virtual barricades.

You can restore the backup, but is it clean or did the attackers leave enough tools to re-encrypt right after the restore?

Sanitary workers from the Clínic laboratory review the requests for analyzes and the results manually after the cyber attack on the center. ESTER DELGADO (HOSPITAL CLÍNIC)

Vidal admits, in effect, that their main concern was to ensure that they had a backup to be able to recover the data and, when they confirmed it, on Monday, they went to work.

But the recovery process, he says, is complex: "We recover the copy, we isolate it, we start it up, we pass some verifications and we see that there are no strange things in the data."

One week after the attack, the hospital has already recovered 90% of complex surgical activity, 40% of the less complex and 70% of outpatient consultations.

It also receives patients for stroke and heart attack code.

The Clínic aspires to return to normality next Tuesday.

If there are no more incidents.

You can follow

Subscribe to continue reading

Read without limits

Keep reading

I'm already a subscriber