When healthcare organizations suspect they have been breached, reliable forensic data about an attacker’s actions is critical to rapid recovery. In the best-case scenario, forensic data can reduce or eliminate an organization’s legal and regulatory exposure. For example, in a recent incident I worked, a call center employee of a provider organization was suspected of stealing millions of patient records. By reconstructing his database queries, our team found he only searched a very specific segment of the database, elderly people over age 80 in specific states, and likely used this data to defraud the U.S. government by filing false tax returns. As a result of our forensic analysis, we were able to prove that the number of patient records compromised in the breach was drastically lower than originally thought. What could have been national breaking news for the healthcare organization became just another low-level scam.
A thorough forensic investigation can also help an organization determine how to kick out an external attacker, and the data uncovered can focus remediation efforts so vulnerabilities aren’t repeatedly exploited. Additionally, proof of a thorough and well-organized investigation enables a company to more effectively defend itself in the event of litigation and to better withstand scrutiny by the U.S. Department of Health and Human Services, the Federal Trade Commission, insurance commissioners, Attorneys General, and other regulatory bodies.
But undertaking an efficient and effective forensic investigation takes significant preparation well before an incident occurs. This applies whether a healthcare organization has 200 or 200,000 employees. Start by determining where PHI and other highly sensitive information is stored — knowing this in advance allows an investigation to progress rapidly during a cyberattack, avoiding days spent searching for and tracking PHI to identify which machines or log files to preserve at a point when every minute counts.
In short, preparation breeds success. Here are additional actions that healthcare organizations can take before a breach to help ensure more compelling forensic results:
Teach employees and IT staff to isolate compromised machines quickly. If an employee sees a ransomware notice on screen, that employee should know the protocol: disconnect the computer from the network (pull the cable or disable Wi-Fi) but leave it powered on. Disconnecting limits the spread to shared drives and other hosts; leaving the power on preserves the machine’s live memory, which holds the running processes, open network connections and, in some cases, the encryption keys the ransomware is using, and gives responders clues about how the ransomware behaves. IT administrators should likewise disconnect potentially compromised servers from the network and resist the urge to “poke around” with standard IT tools. Opening files updates access timestamps, writing to disk can overwrite the unallocated space that still holds fragments of deleted files, and running antivirus or cleanup utilities can quarantine or delete the very artifacts an investigator needs. Each of these destroys clues that first responders could otherwise recover with forensic tools. These simple steps can make a major difference during a breach response.
Be ready to provide investigators with access. The longer forensic investigators must wait for access to compromised machines and database logs, the more time an intruder has to cause damage. Facilitate timely access by knowing in advance, for example, whether PHI and other sensitive data is stored on virtual machines that can be snapshotted and cloned quickly, or on physical machines in a co-location facility whose imaging requires the cooperation of a third-party vendor. If third parties are involved, make sure their guidelines, escalation contacts and processes are understood and agreed before an incident. I’ve been in situations where third parties have required 6-10 days to forensically image a server, an eternity in a data breach.
Have a spare server and a pre-configured software image. Many systems compromised in a breach must be rebuilt to avoid re-contaminating the network. An organization that keeps a spare server and a pre-configured, known-good image can complete a fast swap and get back up and running in a fraction of the time, rather than delaying recovery while waiting for new machines to ship and then configuring each one by hand. Rebuild from that trusted image rather than from a backup that may already contain the attacker’s foothold, and keep the original disks of the compromised server intact for imaging instead of wiping them in the rush to recover.
Create an inventory of critical log files. Record each log source by type, location, and retention period so investigators immediately know how much visibility they have into historic network activity, and which sources are about to age out and must be preserved first.
Develop a phone tree of key IT and security personnel (e.g. the CISO, email administrators, database administrators) so the right people can coordinate effectively and quickly escalate alerts of suspicious activity.
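The two preparation steps above, the log inventory with its retention windows and the hands-off preservation of evidence, can be captured in a small script kept with the incident response plan. The following is an added example written for this article, not code from the author or any real organization; the log sources, paths, retention periods and sample audit line are all constructed. It reports, for a given incident date, which sources still cover that date and in what order they should be collected (shortest retention first), and it records a size, mtime and SHA-256 manifest of preserved files so that any later “poking around” can be detected.

```python
"""Breach-readiness helper: added example, not code from the original article.

1. Log-source inventory (type, location, retention) and a report of how far
   back each source can still show activity for a given incident date.
2. Integrity snapshot (size, mtime, SHA-256) of preserved files so any later
   change is detectable.

Every path, source name and retention period here is constructed for the
example and does not describe a real environment.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Union


@dataclass(frozen=True)
class LogSource:
    kind: str            # what the log records, e.g. "ehr_db_audit"
    location: str        # where it lives: path, share, appliance, SaaS tenant
    retention_days: int  # how long the source keeps history before it rolls


# Constructed inventory (hypothetical values).
INVENTORY = [
    LogSource("ehr_db_audit", "/var/lib/ehrdb/audit", 365),
    LogSource("vpn_concentrator", "syslog://vpn-01.example.internal", 30),
    LogSource("email_gateway", "/srv/mailgw/logs", 90),
    LogSource("edr_telemetry", "vendor cloud tenant (export via API)", 14),
]


def _as_date(d: Union[str, date]) -> date:
    return d if isinstance(d, date) else date.fromisoformat(d)


def coverage_report(inventory: Iterable[LogSource],
                    incident_date: Union[str, date],
                    today: Union[str, date]) -> Dict[str, dict]:
    """For each source: the earliest date still inside its retention window as
    of `today`, and whether that window still reaches back to the incident."""
    incident, now = _as_date(incident_date), _as_date(today)
    report = {}
    for src in inventory:
        earliest = now - timedelta(days=src.retention_days)
        report[src.kind] = {
            "location": src.location,
            "earliest_visible": earliest.isoformat(),
            "covers_incident": earliest <= incident,
        }
    return report


def preservation_order(inventory: Iterable[LogSource]) -> List[str]:
    """Shortest retention loses evidence first, so it is collected first."""
    return [s.kind for s in sorted(inventory, key=lambda s: s.retention_days)]


def snapshot(paths: Iterable[str]) -> Dict[str, dict]:
    """Record size, mtime and SHA-256 of each existing file.  mtime, not atime,
    is the baseline: hashing reads the file, which on many filesystems updates
    atime, so atime cannot be trusted after this function runs."""
    manifest = {}
    for p in paths:
        if not os.path.isfile(p):
            continue
        st = os.stat(p)
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        manifest[p] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                       "sha256": h.hexdigest()}
    return manifest


def verify(manifest: Dict[str, dict]) -> List[str]:
    """Paths whose current state no longer matches the manifest
    (modified, truncated or missing)."""
    return [p for p, recorded in manifest.items()
            if snapshot([p]).get(p) != recorded]


def demo_snapshot_roundtrip() -> tuple:
    """Write a constructed audit log, snapshot it, tamper with it, re-verify.
    Returns (changes detected before tampering, changes detected after)."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "audit.log")
        with open(log, "w") as f:
            # Constructed sample line, in the spirit of the article's case.
            f.write("2015-11-02T03:14:07Z user=callctr17 query=\"SELECT * FROM "
                    "patients WHERE age > 80 AND state = 'FL'\"\n")
        manifest = snapshot([log])
        before = verify(manifest)
        with open(log, "a") as f:   # an admin "just taking a look" and saving
            f.write("2016-01-15T10:00:00Z admin note: checked this file\n")
        after = verify(manifest)
    return len(before), len(after)


if __name__ == "__main__":
    for kind, row in coverage_report(INVENTORY, "2015-11-02", "2016-01-15").items():
        print(f"{kind:18} visible since {row['earliest_visible']}  "
              f"covers incident: {row['covers_incident']}")
    print("preserve in this order:", preservation_order(INVENTORY))
    print("changes (before, after tampering):", demo_snapshot_roundtrip())
```

With the constructed inventory and an incident on 2015-11-02 discovered on 2016-01-15, the VPN and EDR sources have already rolled past the incident date while the database audit and mail gateway logs still cover it; that is exactly the visibility question an investigator asks on day one, and the answer is only available quickly if the inventory exists beforehand. The manifest is cheap to produce at preservation time and lets the team later prove which evidence was untouched.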
The mantra behind all of these tips is: save time and save data through early preparation. Planning ahead is the key to remaining resilient. It provides for better forensic results during a breach investigation, helps to limit the organization’s exposure, and may ultimately save its reputation. In this day and age — with healthcare making headlines as the most attacked industry in 2015 — anyone can be a victim.