It probably came down to a swift response that averted major damage in the Lukas Hospital in Germany's western city of Neuss. One morning, hospital staff noticed the system wasn't running smoothly anymore. There were error messages popping up, and the system was suspiciously slow.
"We then pulled the plug on everything," spokesperson Dr. Andreas Kremer told DW. "Computers, servers, even the email server, and we went offline."
The incident happened over two weeks ago, but the hospital's website still advises patients to call them or send a fax - the email system is still not up and running. Malware has brought the hospital's computer system to a halt.
"Our IT department quickly realized that we caught malware that encrypts data. So if the X-ray system wants to access system data, it failed to find it because it's been encrypted, so it displays an error message," Kremer said.
The hospital had fallen victim to ransomware - a type of malware that makes data inaccessible to its rightful owner. Hackers then demand ransom payments in exchange for a key that unlocks the files.
The hospital reported this to the authorities, to the State Criminal Investigation Office (LKA), Kremer said, which then came to investigate.
"We haven't received a concrete demand for money, but we've seen these pop up windows that appear if you don't stop the ransomware on a computer," he told DW. The message in broken English points to an anonymous email address to get in touch with. "Following the Criminal Police Office's advice, we didn't do that," Kremer said.
Back to pen and paper - and a fax machine
While the hospital's security experts developed a special software to cleanse the infected system and scan the over 100 servers and some 900 devices, hospital operations went on as best they could. Instead of computers, staffers used pen and paper - and the good old fax machine to exchange patient's reports. "High-risk surgeries were pushed to later dates due to safety reasons, but 80 to 85 percent of all operations took place as planned," Kremer said.
But things slowed down considerably, and the staff will have to deal with a backlog of handwritten notes fromthe past weeks that still need to be entered into computers eventually.
But first, they might have to free those files that were encrypted by the virus.
Files still locked
"We have regular backups, so that isn't a problem. If the virus encrypted data we have backed up, we just restore the backup files," Kremer said.
The data that was locked in between the last scheduled backup and when the hospital pulled the plug can either be entered again if it's results from lab tests, or they might be restored once the malware has been analyzed. "But it really just affects data from within a few hours."
It will take weeks until all systems are running the way they used to before the attack, "probably not before early summer," Kremer said.
Not an isolated case
Just two days after the Lukas Hospital was hacked, another hospital in the German state of North Rhine-Westphalia was attacked by a virus. It's not clear whether it's the same malware.
"According to present knowledge, it was an attachment in an email that allowed the virus to enter the system," Klinikum Arnsberg spokesperson Richard Bornkeßel told DW.
Staffers detected the virus on one of the 200 servers and then switched off the entire system.
"Fortunately, it was only one server that was affected. The virus had started to encrypt files, but we could simply restore them from a backup," he said.
Taking care of patients was possible at all times, he added, because all significant medical devices work without network access. Investigations are ongoing, but it's not believed to be a targeted attack on the hospital, Bornkeßel said.
However, at least one other hospital in the same state has reportedly shut down its systems to avoid a potential hack and filed charges.
Ransom payments in Hollywood
Blackmailing hospitals into paying ransom has also been reported in other parts of the world, most notably in the US state of California where a Hollywood hospital paid about $17,000 (15,000 euros) in the digital currency bitcoins to hackers this month.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Hollywood Presbyterian Medical Center's President Allen Stefanek said in a statement.Sarah Steffen