Tech & Innovation in Healthcare

Toolkit:

5 Expert Tips Show You How to Prep for a Forensic Investigation

Warning: Don’t destroy evidence.

After a cyber attack, your organization may determine — or the feds may require — a forensic probe of your systems. If that happens, there are a few things you can do to get ready for the investigators.

For example, experts warn organizations to stop the incident, but keep the proof intact.

“First, contain the breach,” says Jen Stone, MCIS, CISSP, CISA, QSA, principal security analyst with Security Metrics in Orem, Utah. “Don’t wipe affected systems because you might destroy evidence needed by the forensic team to determine what [electronic protected health information] ePHI was compromised and how to prevent it from happening again.”

Adam Kehler, director of RSP Healthcare Services with Online Business Systems, agrees. “When an organization finds out they have an incident such as ransomware, the temptation is to immediately power down the systems and wipe drives. In doing so, they may actually be destroying evidence that could be useful in investigating the incident,” he adds.

Evaluate the Breach Level

Depending on the severity of the data security incident, the parties involved, and the information taken, you may need to get the authorities involved. More significant and nefarious breaches may warrant a call to your local law enforcement agency or the Federal Bureau of Investigation (FBI), counsels Kehler.

It’s a good idea to get in touch with your IT vendors and cyber insurers, too. And if the breach is major, a lawyer might be next in line of those to contact.

“These resources can help determine the most appropriate steps to take to ensure that they are able to limit the impact and quickly recover while maintaining evidence and meeting their compliance requirements,” Kehler says.

Take a Look at the Timeline

If cybersecurity experts, law enforcement, or the HHS Office for Civil Rights (OCR) think that a forensic investigation may help, several things will follow.

Consider these five expert tips on what to expect:

1. Brace Yourself for an In-Person Audit

“A forensic team will typically come onsite to your practice and carefully evaluate the state of your systems,” says Stone. They’ll do this “so you know exactly what happened and how the breach occurred,” she explains.

2. Get Ready for a Comprehensive Review

The investigation will look closely at your IT products, machines, and protocols. This analysis will help the team determine the nitty-gritty of the breach.

3. Understand These Investigation Logistics

“This evaluation is typically performed by taking an image and memory dump of affected systems,” maintains Kehler. “The investigation is performed on these images and dumps in order to avoid tampering with the evidence and to maintain chain of custody.”
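One way to keep the evidence record Kehler describes, as an added example that is not code from the article or from either expert: hash each acquired image immediately, write an append-only custody log, and re-verify the hash before every analysis session so any alteration of the evidence copy is caught and logged. The image name, host name, examiner names and sample bytes are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone

def sha256_of(path, chunk_size=1 << 20):
    """Stream the file so a multi-GB disk image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def log_event(log_path, **fields):
    fields["timestamp"] = datetime.now(timezone.utc).isoformat()
    with open(log_path, "a") as log:  # append-only custody log, one JSON line per event
        log.write(json.dumps(fields) + "\n")

def record_acquisition(image_path, log_path, examiner, source_host):
    """Hash the image right after acquisition; record who took it and from where."""
    log_event(log_path, event="acquired", examiner=examiner, source_host=source_host,
              image=image_path, sha256=sha256_of(image_path))

def verify_image(image_path, log_path, examiner):
    """Re-hash before each analysis session; log the result, return True if intact."""
    expected = None
    with open(log_path) as log:
        for line in log:
            entry = json.loads(line)
            if entry.get("event") == "acquired" and entry["image"] == image_path:
                expected = entry["sha256"]
    if expected is None:
        raise ValueError(f"no acquisition record for {image_path}")
    intact = sha256_of(image_path) == expected
    log_event(log_path, event="verified" if intact else "MISMATCH",
              examiner=examiner, image=image_path, expected=expected)
    return intact

def demo():
    workdir = tempfile.mkdtemp()
    image, log = f"{workdir}/ws-017.raw", f"{workdir}/custody.jsonl"
    with open(image, "wb") as f:  # constructed stand-in for an acquired disk image
        f.write(b"\x00" * 4096 + b"constructed sample disk image")
    record_acquisition(image, log, examiner="examiner A", source_host="ws-017")
    before = verify_image(image, log, examiner="examiner B")
    with open(image, "r+b") as f:  # simulate a stray write to the evidence copy
        f.write(b"\xff")
    return before, verify_image(image, log, examiner="examiner B")  # (True, False)
```

Analysis should run on a working copy made from the verified image, so the hashed original is only ever read.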

4. Keep Systems Up and Running

Your first inclination may be to shut everything down, but that’s not a good idea. When you power off, the contents of volatile memory are lost — and that could have catastrophic repercussions for the investigation. “Many malware systems these days never write to disk; they are located in memory only,” Kehler says.

5. Take the Forensic Team’s Advice Seriously

This kind of investigation is usually required after a costly, complicated cyber attack, so it is critical to work with the forensic team and listen to their instructions to eradicate problems. “They will tell you what you need to know to remediate the issue and offer recommendations for implementing security controls that will prevent future breaches,” instructs Stone.