INDIANAPOLIS — Two weeks after an attempted cybersecurity attack on Eskenazi Health Systems, we now know the Marion County Public Health Department is also being impacted.
As of Wednesday, August 18, several online services remain offline across both organizations. In a joint statement from both Eskenazi Health and MCPHD, a spokesperson wrote:
The Health and Hospital Corporation of Marion County recently experienced an attempted cyber event that has impacted the Marion County Public Health Department as well as Eskenazi Health. Our monitoring systems functioned as they are designed to, allowing us to proactively shut down our network early on the morning of Aug. 4 to maintain the safety and integrity of our data. We brought our electronic medical record system back online on Sunday, Aug. 8. We continue the steady and intensive progress of analyzing additional systems and bringing them safely back online.Todd Harper — spokesperson with Eskenazi Health
Harper said Eskenazi Health patients can contact Health Connections 24/7 at 317-880-7666 to schedule appointments, request prescription refills and for medical records. They can also visit Eskenazi Health’s website at www.eskenazihealth.edu.
Staff at the Marion County Public Health Department are prepared to take requests and assist with limited services such as birth certificates and immunization records, administrating vaccines, and responding to food and housing complaints. Harper said the health department can be reached by calling 317-221-2000.
Both Eskenazi Health and the Marion County Public Health Department did not respond to our specific questions regarding whether personal data was compromised during the cyber-attack.
Companywide email and online medical record keeping are all a part of the self-imposed network shutdown at Eskenazi Health.
Eskenazi Spokesperson Tom Surber said they decided to shut down their network after detecting an attempted ransomware attack Wednesday morning.
Since then, any ambulances that would have headed toward the Eskenazi emergency room are now being diverted to other hospitals.
The good news is, Surber said none of the inpatients or patients coming for appointments have been affected by the attack.
Mitchell Parker, the Executive Director and Chief Information Security Director at IU Health, said they’ve seen a significant uptick in hospital cyber-attacks since the pandemic began.
Parker said hospitals have become prime targets because they need to care for their patients.
“A lot of hospitals these days are reliant on the internet for looking up information on patients,” Parker said.
Surber said, at the moment, they don’t believe any patient or employee data was compromised.
But Parker said these attacks can affect far more than private records. He said it also affects the way the hospital operates. In Eskenazi’s case, it is having to divert ambulances.
“It has a cascading effect and what ends up happening is you increase the capacity at every other hospital in the radius that has an emergency room,” Parker said.
Both Parker and Scott Shackelford, the Chair of Cyber Security Risk Management at IU, said this is a constantly evolving fight.
“It’s an arms race and both attackers and defenders are learning from each other in real-time,” he said. “Unfortunately, it’s still a lot easier to be an attacker than a defender. You only need to find one point of vulnerability, one chink in that armor to get in.”
Shackelford said everyone, from employees to executives, needs to be prepared for these types of attacks.
“Ultimately we also have to empower people, to give them the knowledge to exercise basic cyber hygiene in the way we’re all doing our part to exercise personal hygiene these days,” Schackelford said.
As for tracking down whoever might have done this, Parker said that is generally a very difficult thing to do. He said most attacks come from outside of the U.S.
“They operate in foreign jurisdiction where law enforcement is much less likely to prosecute them,” Parker said.
Both Shackelford and Park agree, every company needs to be prepared for this and make cybersecurity a top priority. Small businesses, hospitals, and even bigger companies or organizations can be victims.
“It’s not a hopeless situation, there are resources out there for any sized healthcare organization to improve their security stance,” said Parker.
Shackelford suggested resources like the Indiana Office of Technology, the Indiana Information Sharing and Analysis Center and also the IU Cyber Security Clinic
Right now, investigators with Eskenazi Health are going system by system, analyzing each one before they decide to turn their network back on.
In response to the cyber-attack, an Eskenazi spokesperson sent CBS4 this statement.
“Eskenazi Health has experienced an attempted ransomware attack. Our monitoring systems functioned as they should and out of an abundance of caution and to maintain the safety and integrity of our patient care we proactively shut down our network. Our current monitoring indicates that no patient or employee data has been compromised. We are working system by system with a high level of due diligence to analyze all systems before bringing them back online. We appreciate your patience and understanding as we continue our process of thorough evaluation and restoring functionality.”