At Oto General Hospital in Ibadan, the new week started like any other. Doctors reviewed schedules, nurses updated charts, and lab technicians logged in to the Electronic Medical Record (EMR) system. By 9:15 a.m., chaos erupted: all computers suddenly displayed a ransom note. Every patient file, appointment record, and X-ray image on the network was encrypted. Instead of digital files, staff saw a message demanding payment in cryptocurrency for the decryption key.
Emergency wards were on high alert. The head nurse in the ICU realized monitors and infusion pumps still worked, but the patient charts on screen were inaccessible. In the operating theater, a surgeon's request for the latest blood test results returned an error. With no electronic lab system, doctors had to scramble. A porter ran to the lab to fetch paper results manually, wasting precious minutes.
before help arrived
plans in place
run correctly
Roll-Out of Paper Charts
Because the hospital had no recent full backups, they could not restore systems quickly. The CMAC announced: "We're going back to pen and paper." Staff in every department started writing by hand. Patients began to queue in the waiting room. The pharmacy had to manually check inventory. Appointments were cancelled by mid-morning, and elective surgeries postponed.
By Wednesday, conditions were dire: IV drips still flowed, but vital information did not. On Thursday, the administration finally called in external help. Clarensec's incident response team arrived late Thursday night. By then, the hospital had operated on paper for four days.
Going back to paper is not a backup, it is a breakdown. When EMRs are locked, patient care is compromised at every level.
Clarensec worked through the weekend to isolate the ransomware, rebuild the network, and restore data from the only decent backup (a weekend incremental tape) they found.
What Went Wrong
- No tested incident response plan: Staff did not know who should be in charge during a cyber-crisis, so initial reactions were slow and disorganized.
- Unreliable backups: A hard drive backup existed but had not run correctly for months.
- Minimal network monitoring: The breach was not detected until it was too late.
- Unclear roles: IT staff assumed clinical teams would respond, and vice versa, leading to confusion and delays.
In contrast, a well-prepared organization could have followed guidelines: disconnect infected machines, notify key personnel, and rebuild from clean backups. As security experts note, having a practiced response plan with defined roles and communication protocols is crucial for quick recovery.
In this story, lack of preparation turned a cyber incident into a life-and-death crisis, as the WHO has warned can happen with hospital ransomware attacks.
Key Takeaways
- Do not wait to set up backups: Make sure encrypted copies of patient data are backed up offsite or in the cloud, and regularly test restores. Having recent backups can cut recovery time from days to hours.
- Have an incident response plan: Define who does what if an attack occurs. Drill the plan so everyone knows the communication channel and roles. This keeps staff focused and avoids chaos.
- Train and communicate: All teams, medical, IT, and admin, must understand basic cyber hygiene and the response plan. Cross-team drills help break down silos. In the story, better communication between clinical staff and IT could have identified the breach sooner.
- Seek expert support: In a crisis, outside specialists can restore operations faster. Clarensec provides urgent response services, as well as pre-attack services (risk assessments, audits, tabletop exercises) to prepare hospitals.
Cyber threats are a reality for every hospital today. By preparing in advance, securing data, planning responses, training staff, and leveraging expert help, healthcare teams can ensure that when disaster strikes, patient care continues and trust is maintained.
Preparedness is the difference between disruption and disaster.