Computer forensic investigation for misuse of medical record

(@nadiah)
Posts: 1
New Member
Topic starter
 

Hi guys,

Needs your opinion on the following issue.

Electronic Health Records (EHR) are marked as a comprehensive record about the identity of one person, and it will be the worst nightmare if they come into the wrong hands.

In order to prevent this issue from worsening, is there any significant need for a medical company to get ready with computer forensic investigation?

Thank you for your reply ;)

 
Posted : 23/11/2017 2:10 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Electronic Health Records (EHR) are marked as a comprehensive record about the identity of one person, and it will be the worst nightmare if they come into the wrong hands.

In order to prevent this issue from worsening, is there any significant need for a medical company to get ready with computer forensic investigation?

A forensic investigation takes place when the "nightmare" has already occurred. Digital Forensics in general has nothing to do with prevention. As a healthcare provider you should have a business contract with Forensic Experts who can make a forensic investigation for you, but preventing any kind of data theft is much more important. Here are some topics to consider when it comes to the protection of medical data:

- physical access to files (digital and paper)
- authentication and authorization
- logging, recording and archiving of those records
- encryption

... and many more topics from the "SANS Top 20 Critical Security Controls".

Try to prevent the breach, do not analyze it. But if it is already too late, come back and do not forget the money 😉 Here are a lot of Experts who can give you a detailed analysis of which Security Controls you did not apply.

best regards,
Robin

 
Posted : 23/11/2017 3:41 pm
(@athulin)
Posts: 1156
Noble Member
 

Needs your opinion on the following issue.

We would like your opinion as well … how come so many first-time posters are from Malaysia, and generally ask questions that sound as if they are taken straight out from some official memorandum?

Is there some kind of big security drive? or examination? going on?

 
Posted : 23/11/2017 4:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Is there some kind of big security drive? or examination? going on?

Maybe the PDPA in Phase 3? (and ISO 27001 accreditation)

http://thelawreviews.co.uk/edition/the-privacy-data-protection-and-cybersecurity-law-review-edition-3/1140170/malaysia

http://www.jsm.gov.my/ms-iso/iec-27001-2007-information-security-management-systems#.Whb-6L2f4uM

jaclaz

 
Posted : 23/11/2017 5:02 pm
(@wotsits)
Posts: 253
Reputable Member
 

Electronic Health Records (EHR) are marked as a comprehensive record about the identity of one person, and it will be the worst nightmare if they come into the wrong hands.

In order to prevent this issue from worsening, is there any significant need for a medical company to get ready with computer forensic investigation?

A forensic investigation takes place when the "nightmare" has already occurred. Digital Forensics in general has nothing to do with prevention. As a healthcare provider you should have a business contract with Forensic Experts who can make a forensic investigation for you, but preventing any kind of data theft is much more important. Here are some topics to consider when it comes to the protection of medical data:

- physical access to files (digital and paper)
- authentication and authorization
- logging, recording and archiving of those records
- encryption

... and many more topics from the "SANS Top 20 Critical Security Controls".

Try to prevent the breach, do not analyze it. But if it is already too late, come back and do not forget the money 😉 Here are a lot of Experts who can give you a detailed analysis of which Security Controls you did not apply.

best regards,
Robin

Very good advice here

 
Posted : 23/11/2017 7:17 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

Preparation for a case like the one mentioned is what we here call Forensic Readiness. Making a triage of data misuse, stealing or altering EHRs, is problematic, but the worst would be if they are locked down by a ransomware attack and temporarily encrypted - not accessible for patient treatment.

It may be worth thinking about how you can detect that EHRs were altered, and setting up a worst-case scenario of having EHRs available if they got ransomwared. Mirroring EHRs on a daily basis, BEFORE malware deep-testing (backups that are already ransomware-infected are the ultimate blackout), and having them physically disconnected and put aside (disconnect the fiber or GbE network cables by hand) helps to be prepared.

Final point, very important: After a malware attack most disaster recovery solutions are too slow.
Make sure that the solution is FAST. And then push your CEO to set up a surprise day to train the Blackout. Without training, no surviving.

 
Posted : 23/11/2017 8:27 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Apart from just storing logs, the logs themselves need to be useful, i.e. you clearly need to be able to see at least

* Date/Time (down to milliseconds if possible, ISO 8601 preferred)
* Username (if separate app username, it is even more important)
* Action (Read/Update/Delete)
* Information altered

Make sure logs can answer: who did what, when, and what was changed?

Just logging access and spitting out application logs is rather useless in an investigation. I've seen all sorts, from Java error logs to pointless database dumps that some lazy infosec muppets tried to pass off as logs to get their compliance checkbox filled.

Is there some kind of big security drive? or examination? going on?

As you may remember, during the last ransomware outbreak we had more than one visitor here on FF from Asia due to the rude awakening that shook the entire world.

 
Posted : 25/11/2017 3:47 am
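The log requirements in the post above (timestamp, actor, action, what changed) as a small checker, added here as an example and not code from the thread. The JSON record layout, field names and the sample log lines are constructed assumptions; the checker rejects lines that could not answer "who did what, when, and what was changed?" and then reconstructs the change history of one patient record.

```python
"""Audit-log checker for EHR access records (added example; record layout is an assumption)."""
from __future__ import annotations
import json
import re
from datetime import datetime

REQUIRED = ("ts", "user", "action", "record", "field")
ACTIONS = {"READ", "UPDATE", "DELETE"}
# ISO 8601 with millisecond precision and an explicit offset, e.g. 2017-11-25T03:47:12.345+00:00
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}$")

# Constructed sample: three usable audit entries, then an application error log with no
# actor, then an UPDATE that never recorded the before/after values.
SAMPLE_LOG = """\
{"ts":"2017-11-25T03:47:12.345+00:00","user":"dr.smith","action":"READ","record":"pat-1042","field":"allergies"}
{"ts":"2017-11-25T03:48:01.002+00:00","user":"dr.smith","action":"UPDATE","record":"pat-1042","field":"allergies","old":"none","new":"penicillin"}
{"ts":"2017-11-25T03:49:40.900+00:00","user":"nurse.lee","action":"DELETE","record":"pat-1042","field":"note-17","old":"follow-up 2 weeks","new":null}
{"ts":"2017-11-25T03:50:00.000+00:00","level":"ERROR","msg":"NullPointerException in ChartServlet"}
{"ts":"2017-11-25T03:51:00.000+00:00","user":"svc_batch","action":"UPDATE","record":"pat-2001","field":"address"}
"""

def validate(entry: dict) -> list[str]:
    """Return the reasons an entry cannot support an investigation (empty list if usable)."""
    problems = [f"missing {k}" for k in REQUIRED if k not in entry]
    if "ts" in entry and not TS_RE.match(str(entry["ts"])):
        problems.append("timestamp not ISO 8601 with milliseconds")
    if entry.get("action") not in ACTIONS:
        problems.append("action not one of READ/UPDATE/DELETE")
    # An alteration without before/after values cannot answer "what was changed?"
    if entry.get("action") in ("UPDATE", "DELETE") and not ("old" in entry and "new" in entry):
        problems.append("altered information not recorded (old/new)")
    return problems

def load_audit_log(text: str) -> tuple[list[dict], list[tuple[int, list[str]]]]:
    """Split log text into usable entries and (line number, problems) for rejected lines."""
    usable, rejected = [], []
    for n, line in enumerate(filter(None, text.splitlines()), 1):
        entry = json.loads(line)
        problems = validate(entry)
        if problems:
            rejected.append((n, problems))
        else:
            usable.append(entry)
    return usable, rejected

def changes_to(entries: list[dict], record: str) -> list[str]:
    """Answer 'who changed what, and when' for one patient record, in time order."""
    hits = [e for e in entries if e["record"] == record and e["action"] != "READ"]
    hits.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
    return [f'{e["ts"]} {e["user"]} {e["action"]} {e["field"]}: {e["old"]!r} -> {e["new"]!r}'
            for e in hits]
```

Run `load_audit_log(SAMPLE_LOG)` and the two rejected lines show exactly the failure the post describes: an application log with no actor, and a change with no record of what was altered.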
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

MDCR - great post. Unfortunately people feel lazy since Splunk does the job. The lack of understanding of the whole picture weakens security massively.

Does the machine know? Do you (SysAdmin) know?

 
Posted : 25/11/2017 5:20 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

MDCR - great post. Unfortunately people feel lazy since Splunk does the job. The lack of understanding of the whole picture weakens security massively.

Does the machine know? Do you (SysAdmin) know?

The main problem is the compliance-minimum, push-button SIEM culture that doesn't even bother to go the extra step to assure that investigations are even possible. They just sit there and say "uh, there are no logs for that" and give up.

The first thing I think of when I hear RSA, Splunk or Arcsight is - uninstall.exe. Any modern DB backend (like ES or Neo4J) with an interactive search interface is way better than that overpriced piece of s**t. Vendors should adapt to the data, not the other way around; products should be non-centric around themselves, the customer's business is what is at the centre. Make requirements and go with those.

I spent years in a government agency trying to find a good tool that let me ask complex queries, for a reasonable cost, had an interactive interface and was able to house a bunch of terabytes of data, and while some solutions had some pieces of what I was looking for, I ended up writing my own tools and using database backends that didn't cost taxpayers arms and legs.

Arcsight was installed at another place; I was there when we did the requirements with two idiot consultants and a manager that couldn't tell the difference between a log and a hole in the ground. These requirements were later ignored and the thing was delivered, but the initial org pulled out and the analysts had to fix it.

When I sat down with the analyst the first question that appeared was "so why do we have Arcsight when it doesn't do the job?" and they ended up thinking like me - rolling your own solution. This was the result of f**king compliance monkeys trying to squeeze in a solution without talking to the analysts. Not uncommon in the government world.

 
Posted : 25/11/2017 4:54 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

You are absolutely right. Agree fully, especially with ArcSight and consultants (you can fire all of them) - consulting is totally false in general. Step in and take full responsibility. Speaking is worthless, and endless Powerpoint slides, thousand-fold - make me v*mit.

The only approach is defining attack vectors and defining zones. Expect the impossible and act like you were crazy infected. Without training no fireguard can fulfill.

 
Posted : 25/11/2017 6:02 pm