When Disaster Strikes: An Incident Response Story

A fictional but realistic story about a hospital in Ibadan.


Monday Morning: At 'Oto' General Hospital in Ibadan, the new week started like any other. Doctors reviewed schedules, nurses updated charts, and lab technicians logged in to the Electronic Medical Record (EMR) system.
By 9:15 a.m., chaos erupted: all computers suddenly displayed a ransom note. Every patient file, appointment record, and X-ray image on the network was encrypted. Instead of digital files, staff saw a message demanding payment in cryptocurrency for the decryption key.

Emergency wards were on high alert. The head nurse in the ICU realized monitors and infusion pumps still worked, but the patient charts on screen were inaccessible. In the operating theater, a surgeon’s request for the latest blood test results returned an error. With no electronic lab system, doctors had to scramble. A porter ran to the lab to fetch paper results manually, wasting precious minutes.

Roll-Out of Paper Charts

Because the hospital had no recent full backups, they couldn’t restore systems quickly. The CMAC announced: “We’re going back to pen and paper.” Staff in every department started writing by hand. Patients began to queue in the waiting room. The pharmacy had to manually check inventory. Appointments were cancelled by mid-morning, and elective surgeries postponed.

By Wednesday, conditions were dire: IV drips still flowed, but vital information did not.
On Thursday, the administration finally called in external help. Clarensec’s incident response team arrived late Thursday night. By then, the hospital had operated on paper for four days, proof that “going back to paper is not a backup, it’s a breakdown” when EMRs are locked.

Clarensec worked through the weekend to isolate the ransomware, rebuild the network, and restore data from the only decent backup (a weekend incremental tape) they found.

What Went Wrong

  • No tested incident response plan: Staff didn’t know who should be in charge during a cyber-crisis, so initial reactions were slow and disorganized.
  • Unreliable backups: A hard drive backup existed but hadn’t run correctly for months.
  • Minimal network monitoring: The breach wasn’t detected until it was too late.
  • Unclear roles: IT staff assumed clinical teams would respond, and vice versa, leading to confusion and delays.

In contrast, a well-prepared organization could have followed guidelines: disconnect infected machines, notify key personnel, and rebuild from clean backups. As security experts note, having a practiced response plan with defined roles and communication protocols is crucial for quick recovery.

In our story, lack of preparation turned a cyber incident into a life-and-death crisis, an outcome the WHO has warned can follow ransomware attacks on hospitals.

Key Takeaways

  • Don’t wait to set up backups: Make sure encrypted copies of patient data are backed up offsite or in the cloud, and regularly test restores. Having recent backups can cut recovery time from days to hours.
  • Have an incident response plan: Define who does what if an attack occurs. Drill the plan so everyone knows the communication channel and roles. This keeps staff focused and avoids chaos.
  • Train and communicate: All teams – medical, IT, admin – must understand basic cyber hygiene and the response plan. Cross-team drills help break down silos. In the story, better communication between clinical staff and IT could have identified the breach sooner.
  • Seek expert support: In a crisis, outside specialists can restore operations faster. Clarensec provides urgent response services, as well as pre-attack services (risk assessments, audits, tabletop exercises) to prepare hospitals. Hospitals that worked with Clarensec after this incident have since reported improved resilience.

Cyber threats are a reality for every hospital today. By preparing in advance – securing data, planning responses, training staff, and leveraging expert help – healthcare teams can ensure that when disaster strikes, patient care continues and trust is maintained.
