Blog

Understanding EMR Audit Trails

Understanding EMR audit trails matters to any organization that handles Protected Health Information (PHI). Such organizations must have the required security measures in place, and follow them, to maintain HIPAA compliance.

In medical malpractice litigation, the EMR audit trail is an essential part of a patient’s medical history. The Health Insurance Portability and Accountability Act (HIPAA) requires that systems holding electronic health information implement audit controls that record activity in the Electronic Medical Record (EMR), and that the resulting audit trail be retained together with its metadata. That audit trail is highly relevant evidence of who accessed which parts of the record, what entries were made or changed, by whom, and when. Computer forensic experts are key to effective electronic discovery of this evidence during medical malpractice litigation.

How do hospitals record, protect, and store data? HIPAA sets the baseline for safeguarding some of the information most sought after by attackers. As discussed in the video below, medical records now sell for roughly four times as much as credit card data. Managing Protected Health Information (PHI) places healthcare facilities at risk of cyber attack 24 hours a day, 365 days a year.

Check out this video with Enigma Forensics President & CEO Lee Neubecker and John Blair, a noted healthcare industry cyber security expert, in which they discuss the importance of protecting Personally Identifiable Information (PII) and the health data that falls within it.

Lee Neubecker and John Blair

Understanding EMR Audit Trails video transcript follows:

This is the third and final video in the three-part series on Health Care Industry Cyber Threats (Parts 1 and 2 appear further down this page).

Lee Neubecker: Hi, I have John Blair, a cyber security expert in the field of healthcare, and John is also involved with understanding patient medical, electronic medical record (EMR) audit trails, so I asked him to come on the show and talk a little bit about that with me. John, thanks for coming back on the show.

John Blair: Thanks, Lee. Glad to be back.

LN: So John, can you tell everyone a little bit about what HIPAA requires of healthcare organizations as it relates to tracking data of caregiving and the patients?

JB: Sure. Most of this is obviously directed at hospitals, but HIPAA also has things called business associates, and any interaction from any entity with, or any user with, PHI is going to be subject to this audit logging. Hospitals use systems called EMRs, so generally those, the audit trails are built into the EMRs by default, but obviously entities can turn those off if they so choose or configure them differently. HIPAA requires that you pretty much log any interaction, whether it’s read-only, view-only, edit, whatever that interaction might be. Identify the user, identify the time, what was done to the record, and that has to be maintained for several years. So it doesn’t matter what a user does with the record. Even if they just view it, that counts as a valid interaction and has to be logged and maintained.

LN: In fact, all of these hospital software systems out there have to be HIPAA compliant, or else the hospitals wouldn’t be able to use the software packages. Isn’t that true?

JB: Right, right. There’s a lot of federal regulations regarding that, that the standards that these systems have to meet in order to get refunds or rebates from the government.

LN: So Medicare funding, reimbursement, obviously is important.

JB: All of that stuff. And audit logs of user activity and interactions, or any interaction with PHI, is a critical component of that.

LN: You know, what I’ve seen is sometimes despite the software packages being EMR, audit trail compliant, that there’s the ability for the software that’s deployed to be altered so that the audit trails aren’t retained as long as required by law.

JB: Yeah, sometimes the storage of the audit logs, it can be overwhelming. So oftentimes they are archived offsite or inappropriate access is given to the audit log itself. And then it possibly can be changed, which ruins the integrity of the log, obviously, and that would be a very bad thing should something come up down the road and you needed that log.

LN: Yeah, and certainly, someone who has the master database administrator password to that back-end system, they could do whatever they wanted.

JB: Yup. But there’s supposed to be logs of that activity, as well, and reviews of those logs, but you’re absolutely right. If you’re an administrator, you can do a lot of damage.

LN: Yeah, I’ve assisted clients before involved in litigation, medical malpractice litigation, with just seeking the truth of what’s there in the records. Most of the time, they think many hospitals are compliant and do have those audit trail records.

JB: Absolutely.

LN: But, they don’t necessarily want to make that data readily available.

JB: No, they don’t. And it depends, it’s a case-by-case scenario, under the advice of counsel and things like that, but it’s very, very sensitive information, and obviously, it’s a public relations nightmare to have a breach of patient data, so they take those things very, very seriously.

LN: Absolutely. So can you tell everyone what PHI stands for?

JB: It’s Protected Health Information, as defined by HHS, there are 18 very specific fields that comprise PHI. PHI is a subset of PII, which is Personally Identifiable Information, but with respect to healthcare, it’s primarily PHI that we’re worried about and those 18 identifiable fields.

LN: Why would hackers want to target health care records?

JB: It’s far more valuable now than several years ago, it was credit card information, basically for year after year. Now, the credit card companies and technology with respect to how quickly a card can be replaced and deactivated. And so, just more money in it to steal medical information. And there’s more flexibility, as well. You can go get drugs, you can do a variety of things, whereas, with the credit card, it’s just money.

LN: If people wanted to launch a targeted scam on individuals, certainly having records that would enable them to filter patients that have Alzheimer’s, might give them an unfair advantage at duping people out of their savings.

JB: Absolutely. Because generally if you get someone’s entire record, you’re getting everything about them: their Soc number, their address, phone numbers, relatives, I mean, all this information is now at your disposal. And loans can be taken out in their names, it’s just a disaster waiting to happen.

LN: So Electronic Medical Records, known as EMR, represent an important target that hackers seek, because of the value of that information, and the uniqueness.

JB: Yup. The price of those records, per record, now varies, but I believe it’s in the $150, $200 range per record if it’s a breach now, and laptops can hold hundreds of thousands of records. So it can be very, very expensive.

LN: But it seems that this is a problem, too, that it isn’t just localized to any one area, it’s universal.

JB: Yeah, it’s across the board. Anyone dealing with PHI has this problem.

LN: How does the cost of a patient medical record compare to a credit card record, compare to the black market?

JB: Yeah, for the last several years, medical records have gained in value every year, while financial records, credit card information have devalued. And it’s to the point now where medical information’s worth four times as much as financial information. And that’s only increasing.

LN: So does that mean that people that work in the healthcare sector in IT and security are going to get paid four times as much as the people of the financial sector?

JB: I wish.

LN: Well, thanks again for being on the show, this was a lot of good stuff. I appreciate this.

JB: Thanks, Lee, appreciate it.
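The properties Blair describes (every interaction logged, including read-only views; who, when and what; and the integrity of the log itself, since an administrator with access to the audit log can alter it) can be checked mechanically once a log is exported. The Python below is an added example for this page, not code from Enigma Forensics, from any EMR vendor, or from the original post; the event format and the sample events are constructed for illustration. It hash-chains entries so that edits or deletions are detectable, reports who touched a given patient’s record, and flags privileged-account access outside business hours.

```python
import hashlib
import json
from datetime import datetime

# Constructed sample events (not real data, not any vendor's export format).
# Every interaction is recorded, including read-only VIEW events.
SAMPLE_EVENTS = [
    {"ts": "2019-11-02T08:14:07Z", "user": "rn.patel", "patient": "MRN-10442",
     "action": "VIEW", "section": "allergies"},
    {"ts": "2019-11-02T08:16:30Z", "user": "dr.okafor", "patient": "MRN-10442",
     "action": "EDIT", "section": "medications",
     "old": "metformin 500mg", "new": "metformin 1000mg"},
    {"ts": "2019-11-02T21:03:55Z", "user": "dba.admin", "patient": "MRN-10442",
     "action": "VIEW", "section": "demographics"},
    {"ts": "2019-11-03T07:59:12Z", "user": "rn.patel", "patient": "MRN-20917",
     "action": "VIEW", "section": "labs"},
]

GENESIS = "0" * 64                  # prev_hash of the first entry
CHAIN_FIELDS = ("prev_hash", "hash")


def _canonical(event):
    # Deterministic serialization so the same event always hashes the same way.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(prev_hash, body):
    return hashlib.sha256(prev_hash.encode() + _canonical(body)).hexdigest()


def chain_events(events):
    """Return copies of events with prev_hash and hash fields added.

    hash = SHA-256(prev_hash || canonical JSON of the event). Editing, deleting
    or reordering any entry breaks every hash after it.
    """
    chained, prev = [], GENESIS
    for ev in events:
        body = dict(ev)
        digest = _entry_hash(prev, body)
        body.update(prev_hash=prev, hash=digest)
        chained.append(body)
        prev = digest
    return chained


def verify_chain(chained, expected_tip=None):
    """Return None if the log is intact.

    Returns the index of the first entry whose links do not check out, or -1
    when every link is internally consistent but the final hash differs from
    expected_tip (a value stored off-system, e.g. on WORM media or a separate
    log host). Without that anchor, an administrator who can rewrite the whole
    log can simply recompute the chain.
    """
    prev = GENESIS
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k not in CHAIN_FIELDS}
        if rec.get("prev_hash") != prev or rec.get("hash") != _entry_hash(prev, body):
            return i
        prev = rec["hash"]
    if expected_tip is not None and prev != expected_tip:
        return -1
    return None


def access_report(chained, patient):
    """Who touched a record, when, and what they did (views included)."""
    return [(r["user"], r["ts"], r["action"], r["section"])
            for r in chained if r["patient"] == patient]


def after_hours_privileged_access(chained, privileged, start_hour=7, end_hour=19):
    """Flag privileged accounts reading patient data outside business hours.

    Hours are taken from the UTC timestamp; adjust for the site's timezone.
    """
    hits = []
    for r in chained:
        hour = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        if r["user"] in privileged and not start_hour <= hour < end_hour:
            hits.append((r["user"], r["ts"], r["patient"], r["action"]))
    return hits


if __name__ == "__main__":
    log = chain_events(SAMPLE_EVENTS)
    tip = log[-1]["hash"]                       # keep this where the DBA cannot reach it
    print("intact:", verify_chain(log, tip) is None)
    print("MRN-10442 access:", access_report(log, "MRN-10442"))
    print("after-hours admin:", after_hours_privileged_access(log, {"dba.admin"}))
    log[1]["new"] = "metformin 500mg"           # simulate an edit to the audit log
    print("first bad entry:", verify_chain(log, tip))
```

The chain only proves something if its tip is anchored somewhere the database administrator cannot rewrite; an in-database chain alone is recomputable by anyone with the master credentials Neubecker mentions, which is exactly why `verify_chain` takes an `expected_tip`.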


Other resources to learn more about EMR Audit Trails.

https://www.cdc.gov/phlp/publications/topic/hipaa.html

Keys to a Secure Supply Chain

The world is data-driven, and companies face an overwhelming barrage of big data. Neubecker and Blair discuss the vendor attestations and certifications that help keep data secure across the supply chain.

Cyber Security is Crucial to Supply Chain

Companies face an endless stream of data that contains sensitive information and passes through a variety of supply chain vendors. The world is data-driven, and securing your supply chain will help minimize your risk of cyber attack. Here are some key ways to understand more about securing your data, beginning with your supply chain vendors.

Check out this video in which Enigma Forensics President & CEO Lee Neubecker and John Blair, noted healthcare industry cyber security expert, dissect big data and the certifications and attestations needed to secure your supply chain and monitor its risks.

2nd video in a three-part series

This is the second video transcript of a three-part series.

Lee Neubecker: Hi, thank you for doing this show, John.

John Blair: No problem.

LN: I appreciate you coming back on.

JB: Thanks Lee, glad to have you here.

LN: So, we’re going to talk today a little bit about what organizations should be doing to monitor the risk associated with their supply chain.

JB: Okay.

LN: And John, if you can, give me an understanding of what are things that you look for when selecting a vendor or city that might be hosting your data.

JB: Right.

LN: Or running parts of your operation.

JB: Well, the world is data-driven, and so your evaluation of vendors is critical and should be focused on their interaction with your data, what their subcontractors are going to do, are you going to allow them to have subcontractors? Where are those subcontractors located? And by all means, get some sort of attestation, that their environment that you’re now relying on, has been audited, you know, the SOC 2’s, those types of things, go a very long way in giving you some level of comfort that they’re operating their controls effectively and that you can rely on ’em.

LN: Great, can you explain to our viewers what essentially a SOC 2 certification is, and why you care about that with a vendor?

JB: That one, the SOC 2, there are multiple ones, but a SOC 2 Type 2 is the standard. There are five Trust Principles associated with it. The biggest one used probably, 75 percent of the time is security. And that’s where you, the vendor would offer, whatever service you’re interested in, the SOC report would be scoped for that service, and then the auditors evaluate that service according to the security principle that’s defined by SOC.

LN: So, typically they’re looking at physical security measures, as well,

JB: Yep.

LN: that extend just beyond data,

JB: Right.

LN: but physical security measures that help to protect your data.

JB: Right, SOC defines objectives, and then the organization defines controls within those objectives, so the objectives are the boundaries, and then the organization defines the controls, but generally speaking, they are the IT basics, change management, software development life cycle, physical security, logical security, network security, data storage and security, transmission security, those types of things are almost always covered under the security principle.

LN: Isn’t it true that someone could have all the certs out there and still get compromised?

JB: Oh, absolutely. The certs are not a guarantee, by any stretch. They are just, you know, as we’ve said, they’re meant to give you a level of comfort in the control environment of the people you are now, basically trusting with your data.

LN: And so, as you go out, and you select vendors if you do this diligence and you find vendors that have a certain level of attestation, and various certs that you care about, that might help you if data breach happened, to show that you actually practiced good faith and due diligence, in selecting your vendors.

JB: No, absolutely, and HIPAA requires it, so if you did some sort of due diligence at least, at least you have a story to tell. If you don’t have a story to tell, then that’s where things start going off the rails almost immediately, because you didn’t do anything, and that’s never a good thing.

LN: Well, thanks for being on the show again.

JB: My pleasure, thank you.

More about cybersecurity

Information on the HHS HIPAA website for security professionals

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Iranian Cyber Threat Readiness

DHS has issued an advisory warning of potential cyber attacks by Iran against the U.S. Organizations should watch this short video detailing the top ways to protect yourself from Iranian Cyber Attacks.

D.H.S. Alert – Iran Cyber Threat Readiness

On January 4, 2020, the Department of Homeland Security (DHS) issued an advisory warning that Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of U.S.-based targets. The Iranian cyber threat is real and warrants proactive measures to ensure readiness and minimize the risk of a successful attack.

Watch Enigma Forensics President & CEO Lee Neubecker and John Blair, noted healthcare industry cyber security expert, discuss what can be done to deter such attacks and to maximize readiness for an Iranian-originated cyber attack.

Video Discussion on Iran Cyber Threat Readiness

1st Video in a three-part series with John Blair

This is the first video transcript of a three-part series.

Lee Neubecker (LN): So John, thank you for being on the show.

John Blair (JB): Thanks, Lee.

LN: John is a cybersecurity expert that focuses on the healthcare sector. Can you tell us a little bit about what organizations should be doing right now in response to concerns about potential Iranian cyber strikes on U.S. companies?

JB: Sure. I’m a pragmatist, so I think you should execute the basics first. Make sure your devices, it’s a border level of your network, and the devices are patched. You might want to start increasing your network monitoring for the next few weeks, to monitor the activity coming through, check your firewall rule sets, these types of things, just to make sure that you get a comfort level. I’m a firm believer in executing the basics solidly, and then monitoring. Because if you’re a target, and the people know what they’re doing, there’s not much you can do to prevent it anyway.

LN: So one of the things too, that I would add to that is, I think it’s important that people have a command of what’s on their network, which is basic inventory of your digital assets, so you know what your devices are.

JB: Yes, you do need to know your environment.

LN: Like you said, knowing what’s on your network, monitoring your log files and patching your devices, those three things go a very long way.

JB: A very long way. And they’re just good practice anyway. That’ll prevent most things from going bad.

LN: Great, well thanks for being on the show.

JB: Sure, thank you.

Articles & Resources Related to Cyber Threat Readiness

Resources on the Internet Related to Cyber Threat Readiness

DHS Iranian Cyber Threat Advisory of January 4, 2020.

Cyber Essentials: Building a Culture of Cyber Readiness– a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
Department of Homeland Security

“Cybersecurity for Small Business: The Fundamentals” – a set of training slides and speaker notes to help small business owners educate themselves and their employees about cybersecurity best practices and resources.
National Institute of Standards and Technology

Cyber Readiness Program – The Cyber Readiness Program is designed to provide practical resources and tools to help organizations like yours take action to become cyber ready. Completing the Program will make your organization safer, more secure, and stronger in the face of cyber threats. (Note: an account with login is required.)
Cyber Readiness Institute

Hospital Data Breached

Hospital Data Breach

Hackers will continue to pummel the sector with targeted attacks.

Have you heard the news about the most recent Chicago, Illinois area hospital data breach? We’re referring to the Chicago Tribune article by Lisa Schencker on December 31, 2019, “Personal information of nearly 13,000 people may have been exposed in Sinai Health System data breach.”

After reading this article many questions came to mind.  Who would hack a hospital system?  Are cyber attacks on hospitals becoming more frequent? Could a foreign hacker be targeting hospitals to conduct cyber warfare?  Could it be a disgruntled employee who maliciously wants to obtain patient electronic medical records (EMR) and target a particular patient?

It has been reported that 70% of hospital data breaches include sensitive demographic or financial information that could lead to identity theft. In the Sinai Health System breach, 13,000 patients’ names, addresses, birth dates, Social Security numbers, health information, or health insurance information were potentially exposed.

One could easily assume that a hacker armed with this information could sell patient electronic medical records and financial data to the highest bidder. The potential for patient harm is substantial.

Data Breach Incident Response

What happens next? Computer forensic experts are called in to run the data breach response. They start by stopping the breach, then assess the damage, notify those affected, and conduct a security audit. They create a recovery plan that prepares the organization for future attacks. Finally, they train employees to protect the data and enforce strong passwords.

Computer forensic experts, also known as cyber security sleuths or electronic detectives, excel at determining where and how a breach occurred and assessing the damage. In litigation arising from a data breach or medical malpractice, law firms hire computer forensic experts to serve as expert witnesses. Many hospitals also hire computer forensic experts to audit their records in support of their side of the case.

Prepare a Data Breach Incident Response Plan

Looking forward to 2020, cyber forensic experts agree that the entire sector needs to adjust its security approach to keep pace with attackers. The Department of Health and Human Services (HHS) and many states may impose fines on organizations that do not follow security requirements. It is vitally important to create a Data Breach Incident Response Plan.

Enigma Forensics specializes in Data Breach Incident Response. To learn more about Enigma Forensics, read below.

If you think you have been breached…contact Enigma Forensics.com

Holiday Tech Gift Ideas

Holiday Tech Gift Ideas For the Technology Geek

Holiday Tech Gadgets for Power Grid Outage Survival

Enigma Forensics CEO & President Lee Neubecker and Associate Sammy Macrito discuss holiday gift ideas for the technology geek on your list. California has recently experienced massive power grid outages, and most people were not prepared because they simply had not thought about what happens when you lose power. Tech gadgets can help you get through a power grid outage, no matter how long it lasts. Tune in as our technology geeks, Lee and Sammy, have some fun sharing their favorite gadgets. These are great gift ideas for the technology geek on your holiday list.

Holiday Gift Ideas for the Technology Geek

The transcript of Holiday Gift Ideas follows:

Lee Neubecker: Hi, so today we’re going to talk a little bit about some of those techno gadgets that you might want to consider buying your loved one who might be concerned about losing power and not having their techno gadgets. So today I’ve got Sammy Macrito on with me, and we’re going to talk about some of those items that you can pick up. Many of them are available for under a $100 or even less online. We’ll have a link on our page that shows items if you’re interested in buying them. So the first one we have here is this flashlight which is a combination, it’s flashlight that you can crank up, you can turn on the light, and it’s powered both by manual energy, so you can get it powered up. It’s got a solar cell, and then it also has a convenient USB charging port so you can, if you had to, you could hand crank and recharge your tablet or smart phone to give you power if you’re in the darkness for a long period of time. And one of the most important things about it is that it’s got a FM/AM band on it, so if there were an emergency or outage you’d be able to get news and find out where resources are.

Sammy Macrito: Right, and something I feel is so important about this one is having the functionality of being able to crank it, as well as the solar, because let’s say the power grid is out, you can leave this outside all day with a phone next to it and get a charged phone at the end of the night.

Lee Neubecker: Or you can crank it all night.

Lee Neubecker: So we’ve got, speaking of solar, there’s a real neat gadget that if you wanted to make sure that you could power your laptop, this battery power system by Voltaic produces 20 watts, which is enough to charge some of the newer laptops, and there’s a cell that they, a battery pack they sell with this that you can charge up, which can really charge a good number of devices. This can even be strapped, you can tie it to your back when you’re hiking, and pick up…

Sammy Macrito: Exactly, yeah. And it’s super important to have one of these, especially if you have more than just a phone that you’re trying to recover, because you can basically just go with this solo thing and be able to charge not only your laptop, but also your phones. It’s always better to have more wattage, yeah.

Lee Neubecker: Now, those are great devices for the short term, but if the power is out for a while you’re going to want some other things. One of the things that most people are going to want is, they’re going to want the ability to start a fire, to cook food, to sterilize water, and whatnot. This device here is a USB chargeable electric lighter. I thought I hit it the wrong way. It produces an arc flame which is just electricity. And so using the battery cell, the radio, you could recharge it and you basically have unlimited abilities to start fires, and you don’t need matches. It can be, it makes a great torture device too.

Sammy Macrito: Yeah, and it’s windproof.

Lee Neubecker: Yeah, so that’s one, nice device. This is another device that’s pretty handy. It’s a flashlight. It can also be used for signaling. So if you’re trying to get help, it might be useful to be able to do that. It’s got a solar cell here. It also has this handy metal tip that can be used to shatter a car windshield, so it’s not a bad thing to keep hanging around in your glove box.

Sammy Macrito: Yeah, absolutely. And one thing that this is, can be commonly used for, you might ask, why would you want to break your car windshield? Let’s say you went off the road and are now in water, sinking with your car.

Lee Neubecker: Sinking, yup.

Sammy Macrito: You can pull this out of your glove box and be safe.

Lee Neubecker: It’s got some other things too, it’s got a magnetic tip so you can magnetize a paper clip if you needed to, to float it on water and get your direction to the North Pole. It’s also got a handy clip and it’s got a siren so if wildlife is approaching you, that might be enough to scare wildlife off, or an attacker. And this tip too, you could also use it to whack at something if it’s coming towards you.

Sammy Macrito: Absolutely.

Lee Neubecker: Pretty handy device. One of the most important things you probably need if you’re going to survive a long term power outage would be access to water and ability to have purified water. This device here is Portable Aqua Pure, it’s electrolytic water purifier. And how it works is you’re able to hook up hoses to pump water from one source into another source, so you need to have two water bottles with it ideally. But it has a solar cell on it and you add salt to it, and the salt gets converted into chlorine, so you can purify water and get rid of biohazards. So very handy. Pretty handy device.

Sammy Macrito: Awesome.

Lee Neubecker: And again, with your flashlight, or with your radio, you can recharge it and with very little salt you have virtually unlimited ability to purify water for quite a long time.

Sammy Macrito: And what do you do in the case that you don’t have power? How can you purify water without the ability to make fire, without the ability to use that device?

Lee Neubecker: That’s a good question, so if you have a clear bottle like this one, you can actually scoop water up out of a river or stream. Now you can’t do this with salt water. The sun has the ability to sterilize water biohazards, it’s not going to get rid of contaminants, chemical contaminants, but it could purify water. So having clear bottles, laying them out in the sun for a few hours, the sun will purify the water, so that’s another thing that could be useful. Well great, we hope these tech ideas are good last minute shopping gift items for your nerds at home. Talk to you soon.

Sammy Macrito: Thank you.


FBI Warning: Smart TVs may be spying on you.

Smart TVs may be recording you or your children without your knowledge.

Enigma Forensics CEO & President Lee Neubecker talks about the FBI’s warning about Smart TVs and other smart home devices that are not secure. Lee adds that an attacker who compromises a Smart TV with a built-in camera can see into your living space, listen to and record your conversations, or make the TV show content that is not suitable for your children. Many smart devices ship with little or no security. Fortunately, there are a few things you can do to strengthen yours. Tune in to enigmaforensics.com to learn more.

The transcript of the FBI Warning on Smart TVs video follows:

Lee Neubecker:

Hi, so all of you should be aware that the FBI has issued an advisory and warning to consumers purchasing Smart TVs for their homes.

Specifically, you should be on the lookout for TVs that have cameras. They could be recording you or your children without your knowledge. One popular measure they recommend is using black electrical tape to cover the camera. If the camera is physically covered, it can’t record.

However, you have to be aware that many of these TVs are also listening to you and may be taking voice commands, recording your conversations and possibly even retransmitting that information to other parties. It’s also possible that a hacker could get into a TV and exploit it to display inappropriate content that your children might see.

So for more tips on how to secure your home, check out our website, we have a link that gives advice on this and as it relates to your TV, you want to make sure you know what you’re buying and it’s best to buy a TV that doesn’t have a known camera in it if you’re concerned about not being recorded.


Cyber Insurance Coverage

Cyber insurance and security protection

Enigma Forensics CEO & President Lee Neubecker and Tressler LLP cyber insurance coverage attorney Todd Rowe sit down for a video discussion. These experts stress the importance of understanding the full scope of your data risk in case of a cyber attack. Both agree that cyber attacks are getting more sophisticated, and they urge every company, no matter its size, to take the necessary steps to protect itself before a data breach occurs. Prepare your company by working with computer forensics experts and legal counsel to create a game plan that lessens the potential threat posed by a cyber attack. Tune in to find out more about cyber insurance and maximizing your potential for coverage when a cyber attack strikes.

Evolution of Cyber Insurance and Security

The transcript on Cyber Insurance Coverage follows:

Lee Neubecker: Hello, today I have Todd Rowe on the show. Todd is a specialist in cyber insurance related litigation and data breach litigation. Todd, thanks for being on the show.

Todd Rowe: No, thank you, this is great. I appreciate it.

Lee Neubecker: And so, Todd, can you tell us a little bit about how cyber has evolved over the last five years?

Todd Rowe: It’s wide open, I mean, we’ve seen everything. First, I think, when we look at the threats, and the evolution of a cyber threat or a privacy threat, we’ve seen things from the classic data breach, which would have been the Target data breaches, move into more of a social engineering component and tricking users that way, by emails and things like that. Getting around the technology safeguards a little bit and getting in there and tricking people is the biggest development I think we’ve seen in the evolution of threats.

Lee Neubecker: And, how has coverage evolved for cyber insurance over the last five years?

Todd Rowe: Yeah, I mean, we’ve seen huge leaps in insurance coverage and what the policies look like and what we would call cyber policies. We’ve seen the developments first in what would be considered first party insurance coverage, which would be actually responding to the damage that happens. And then, the third party liability piece, responding and giving a defense in the case of an incident. While we’ve seen a lot of developments, I think, with cyber insurance, we still don’t see the uniform policy language. So, there’s still a lot of uncertainty there, but we’ve seen some big developments recently.

Lee Neubecker: So, when a company suspects that they have a data breach incident, what’s your first role on the ground, talking with the client in terms of what you’re advising them?

Todd Rowe: Yeah, all things being equal, we would have loved to have been in there before there was an incident. Preparation is always the best scenario, and what preparation should look like is a corporation or a business working with forensics and legal and getting a game plan together, assessing what those threats might be, and what to do if there are those threats. But, afterward, hopefully you have the game plan. If you don’t, it’s pretty much all boots on ground, getting in there with forensics and legal, and understanding what the threat was, and making sure that the threat is extinguished, and moving on and notifying people that were involved in the threat.

Lee Neubecker: I know from experience that companies that take the time to proactively assemble their team before something happens, and bring in legal, forensics, and outside help, are often in a much better situation when something goes down. They face less downtime, their business can be back up and running. I think the biggest challenge I’ve seen is when companies have no idea what is legitimately their, what their devices are, because when you’re trying to assess are we still compromised, you need to know what good looks like. And if you haven’t mapped out your organization’s IT resources, that really creates a problem.

Todd Rowe: From our point, there’s always been, it’s been a tough sell to go in and try to get in before there’s an incident. A lot of corporations don’t want to think about something until it actually happens. But, the sort of, the wisdom in getting in there beforehand is getting that game plan together, figuring out what data you’re storing and what data you can get rid of. And so, the more data you can get rid of, the better you do on cutting down your liability in the end. Also, working on technology safeguards and having those in place. So, working with forensics, legal, and even PR a little bit really helps in the long run, no doubt about it.

Lee Neubecker: So, if you have cyber insurance, does that mean that you don’t have to worry about a cyber incident?

Todd Rowe: The thought right now, I think, and it has been for a number of years, is an incident’s going to happen, and it just, you need to go in and do things to prep. And while we were discussing earlier, the preparation that you need to do to get sort of an inventory, cyber insurance is another piece of that preparation that needs to be in place. Once again, working with professionals, insurance professionals, brokers, forensics, legal, on what that cyber product that best suits your needs, is the best situation to have that in place once something happens. It will happen, it’s just a matter of having all the right pieces in place when it does happen.

Lee Neubecker: So, if a company has, is storing biometric information, which could even include video cam footage of a certain resolution, what are some of the unique challenges that are raised by some of the laws here in Illinois and elsewhere?

Todd Rowe: Really, being in Illinois is, and I don’t want to use a cliche, but is on the cutting edge of biometric data. And we have BIPA, which is the Biometric Information Protection Act. And what that does is it protects a lot of things like face scans, and finger and thumbprint templates. And, I think one of the biggest issues we see is recently, now BIPA’s been around for 10 years or so, it’s been around for a long time. But we’re seeing a huge uptick in BIPA cases right now, because a number of businesses went in and put in timekeeping systems for their employees that work on thumb and finger scans rather than the old punch card systems. So, the law didn’t change, but the technology did, and so now, there were warnings that should have been put in place before you take that biometric data with those systems. So, they put the systems in, and they didn’t necessarily have the law in place. That’s a perfect scenario where we could’ve had forensics and legal all working together beforehand to avoid a lot of liability, so.

Lee Neubecker: So, what do you see happening in the future with the insurance coverage laws? Especially, you know, one of the concerns I have is, you know, there’s this act of war exclusion, and if you have cyber insurance and you’re hacked by someone outside of the country, what happens there, is that covered?

Todd Rowe: It depends, really, on the policy form. So, we’ve seen, once again, Illinois is on the cutting edge of that law as well. A lot of insurance policies, CGL, commercial liability policies, and even some cyber policies to some extent, have terrorism or war exclusions, excluding acts of war. And that was fine when we were looking at Pearl Harbor, perhaps, or something like a real act of war where a government might declare war on a country, and some damage that results of that would be an act of war. But, with privacy and hackers, and hackers sitting in nation states, but maybe not being an agent of that nation state. So, the case that we have right now that gives a good example of this is a Zurich case, insurance case with Mondelez, they’re a snack food maker. And, Zurich denied coverage, and it looks like the hacker may have come from perhaps China or North Korea. So, what do you do with that, as far as, if you’re going to exclude coverage for that, nobody’s declared war on any of those countries, so that’s going to be a struggle. And I think that demonstrates some of the strengths and weaknesses of cyber coverage right now, as it stands.

Lee Neubecker: And, what do you see happening, what’s the likelihood that the federal government stops in, steps up to the plate should a major data breach happen that could be considered an act of war?

Todd Rowe: Yeah, I mean, well first off, the government brings up another point, as far as right now as it stands, privacy and data laws, we just have a patchwork of things here in the U.S. Of course, there’s frameworks that have been adopted in, for example, the E.U. with GDPR, and we don’t really have that in the U.S. So, we first don’t really have a clear idea of who would do the response in the government. Would it be the Federal Trade Commission, or who would handle that type of situation? So, we have a lot of state laws, so we have a lot of problems like that. And, we have California, which is adopting some stronger guidelines as well. So, what would happen there as far, it’s going to be really left to ironing things out with the insurers and the insurance. Once again, what a great opportunity to sort of look at this issue before an incident happens. You really wouldn’t want to get into this complex of an issue when you’re trying to respond to an incident. So, another reason is, to go and prep a little bit, would be exactly what we’re discussing right now.

Lee Neubecker: Yeah, I know from experience that clients of ours that have had data breach incidents, if they’re working with someone that’s an experienced litigation professional in the area of cyber and insurance, the likelihood that, you know, my firm’s fees get covered goes way up, and there are, there’s a potential for coverage of that forensic response. But ideally, you want to have your own team. You want to be picking your team. You don’t want the insurance companies assigning your people, if you can avoid it.

Todd Rowe: Yeah, a lot of insurers do have panels, and there are a lot of insurers that prefer that, because they don’t know where to go. So, that actually, if there’s an incident, that helps out. But, the best scenarios, and we’ve been involved in a lot of responses, and the best scenario is when we’ve had an opportunity to sit down, and maybe you and I talk, the forensic side of things and the legal side of things, and figuring out exactly how we can cooperate and what that response would look like. So, absolutely, if you can sit down and chat beforehand, you’re going to really save yourself a lot of stress and pressure.

Lee Neubecker: Well, thanks a bunch Todd, for being on the show. This has been great.

Todd Rowe: Absolutely, thank you so much, I appreciate it.

More articles that relate to data breach response and cyber insurance coverage follow:

https://enigmaforensics.com/blog/secure-home-from-cyber-attacks/
https://enigmaforensics.com/news/wgn-cyber-security-chicago-2018/

https://www.thebalancesmb.com/what-s-covered-under-a-cyber-liability-policy-462459

Cyber Readiness: Power Grid Outages

Are you ready for a power outage? Check out this video for Cyber Readiness and Power Outages tips.

Enigma Forensics CEO & President Lee Neubecker and Geary Sikich, President of Logical Management Systems, tackle the strategies you need to know to prepare for a cyber attack. Each describes in detail the importance of cyber readiness, starting with power outages.

Be prepared for a cyber attack or power outage

The transcript of the video follows:

Lee Neubecker: Hi, I’m here today with Geary Sikich. Geary is the President of Logical Management Systems. Thank you, Geary, for being on the show.

Geary Sikich: Thank you, Lee.

Lee Neubecker: So we’re here to talk a little bit about cyber attacks on the power grid, and what impacts that could have on businesses and individuals alike. All right, Geary, is the future of war likely to be cyber, in your opinion?

Geary Sikich: Well Lee, I think there’s three aspects of that that we need to look at. There’s what I’ll call a strategic aspect, which in effect, we’re already in a cyber war in many respects. Nation states are using cyber in a lot of different ways. Not necessarily as disruptive as it could be, but it’s got the potential to expand. There’s then another level down from there which I’ll call operational, which is targeting specific locales and areas. And then, what I’ll call a tactical level where you’re targeting individual facilities to include even neighborhoods at this stage. And one of the things I think you’re going to see in the future is that there’s going to be more of a reliance on these disruptions because of the great impact they have on businesses as well as the general population.

Lee Neubecker: Yeah so, one of the things that I had lectured on before was some research that came out of Princeton University on a topic called MadIoT, which relates to manipulation of end user demand by attacking insecure Internet of Things, IoT, devices in homes and whatnot. And essentially, what the researchers found was that by taking over enough routers in homes, you could compromise Wi-Fi devices attached to high-wattage appliances like Internet-enabled microwaves, toasters, heaters, things like that that would draw a lot of current, air conditioning systems and that by attacking adjacent neighborhoods, you could manipulate power demand in one neighborhood such that the power’s going off or down low, and then the adjacent neighborhood causing all these appliances to come on, which by only creating a small disturbance in balance of power, Kirchhoff’s law that dictates the flow of electricity could cause faults in lines as electricity moved from one neighborhood to another in spikes, and that that type of attack could effectively knock out parts of the grid. There are a lot of factors, obviously, that could knock out the grid, but what have you been advising your clients to do in advance of such an outage, to help them mitigate the risk and protect themselves?

Geary Sikich: One of the things we look at with that issue, and it’s a very big issue, and it ties into the areas I previously mentioned, the strategic, operational, and tactical, is to begin to look at how you can be resilient as an organization. So, I’ll give you an example. A colleague who was at a firm in Southern Illinois, they were about to move to a larger building. And one of the things he was charged with was developing the plans and then getting the move set up. They didn’t have a generator, and I highly recommended to him that they get a generator. They decided to do it, and to their benefit, once installed and once they got it in the building, they had a localized power outage which, for them, was a non-event so to speak because the generator immediately kicked on. They didn’t lose any power. As a commodities trading firm, they’re very dependent on the ability to communicate electronically for trade. So when we got to analyzing things, I asked, “What did you think?” and he said, “Well, it cost probably a quarter of a million.” And then I asked the second question, which I think was more relevant and important as he understood it, “What was the cost in lost trades, if you’d have not had the generator?” He said, “About $2 billion.” So the immediate impact on these things is that organizations really need to think about how can they secure a power supply for themselves so that they can effectively operate independently of the grid in times of a crisis?

Lee Neubecker: So an adversary of a financial services company could actually cause massive harm by targeting and causing a power disruption, knocking out the trading facilities–

Geary Sikich: Yes.

Lee Neubecker: Costing them billions of dollars.

Geary Sikich: Yes. And the interesting part about that is, that when you begin to look at it, it’s not just that immediate impact, it’s the cascading impact that goes throughout the entire system. So you knock out the trading aspect, you suddenly knock out the logistics of movement of products and services, and it cascades throughout the entire system if you will.

Lee Neubecker: So what do you see are the other downstream potential impacts to a prolonged outage?

Geary Sikich: Oh, prolonged outages are one of the concerns that a lot of organizations have. What do I do to keep my business in business if we’re faced with a long-term outage? Natural disasters have shown us that it can take up to and beyond a couple of years to recover. A lot of organizations literally could go out of business as a result of not being able to have the financial resources to weather a storm like that.

Lee Neubecker: Well, this has been great stuff. I really appreciate you coming on the show, Geary. Thanks a bunch.

Geary Sikich: Thank you, Lee, I appreciate it.

Cell Phone Forensics

Personal cell phone forensics includes social media, business and personal messages, photos, emails and GPS.

Leading computer forensics expert Lee Neubecker discusses the complexities of cell phone forensics with Debbie Reynolds from Debbie Reynolds Consulting. Both agree that litigation involving cell phones becomes personal, and that gaining possession of the device proves difficult. Personal and business text messages, social media posts, photos, GPS records and emails are all woven together and become part of the discovery equation. eDiscovery in today’s era is incomplete without including data from smartphones, including text messages, Skype, WhatsApp, Slack, Signal and other messaging platforms. Learn more about eDiscovery as it relates to personal cell phone messaging systems by watching Reynolds and Neubecker discuss the topic in today’s blog video interview.

The video interview transcript follows:

Lee Neubecker: Hi, I’m here today again with Debbie Reynolds, and we’re going to talk about something interesting, which every piece of litigation now is getting into. We’re talking about cell phone forensics. What’s been your experience with litigation involving cell phones and discovery?

Debbie Reynolds: Well, whenever there are cell phones involved, eye-rolling begins because people take their cell phones very personally. As opposed to someone’s laptop, which maybe they don’t want to give up, they will fight tooth and nail not to give up their cell phones. And obviously people, they mix work with pleasure and they’re doing different things. They may not want you to see, even if it’s nothing criminal going on, people just feel very tied to their cell phone. The hardest thing is actually getting possession of it and letting them know that you’re not going to look through their juicy texts or their photographs, especially if it’s not an issue in the case.

Lee Neubecker: I know that whenever you need to get into text messages, it becomes a sensitive topic for people. But there are effective ways to get effective discovery without totally trampling over someone’s privacy. In many issues involving contract disputes or other civil litigation, what’s important is to identify the relevant custodians. Let’s say we have your cell phone in the conversation with mine. We can then take that, we can create a single PDF document showing each conversation thread, and then you could quickly go through it, if it’s your phone, with your attorney, identify relevant, not relevant, and then only take the ones that are between the relevant parties and load that up into the review platform.

Debbie Reynolds: Right. And to one thing, one very effective thing that people are doing now, and that’s something that you do, Lee, is where someone, they don’t want the other side to see their whole cell phone so they’ll have a forensic company collect the phone and say, only give them X. That’s actually a very secure way. It gives people peace of mind knowing that they’re not giving everything over, that the forensic folks can actually do some of this pre-work before people actually start looking at things.

Lee Neubecker: Yeah. And like what I’ve done is, they’re not going to pay me to spend time looking at their photos, nor do I want to look at that stuff.

Debbie Reynolds: No. No one cares. I think that’s what people don’t understand. We’ve been working on cases for over 20 years and I really don’t care what’s on the phone or what you said or what videos are on there. It really makes little difference to us.

Lee Neubecker: What I try to do is I try to quickly create almost a summary index of okay, these are the conversation threads. Tell me which phone numbers are relevant, aren’t relevant, who are the relevant parties, and then we can just pull those specific threads out, put them up into the review platform.

Debbie Reynolds: Exactly.

Lee Neubecker: Now, sometimes there’s issues where photos are relevant specifically, if it’s important that you know the whereabouts of someone on a given date and time. Photos often can establish whether or not someone was really at home sick or out on vacation somewhere. There’s embedded GPS data that is recorded into most photos that are taken with smartphones.

Debbie Reynolds: Unless someone decides to strip it out. I think if you don’t do anything to it, it will collect that data. But there are ways to strip that information out. And also, people can turn off GPS tracking on their phone.

Lee Neubecker: Yeah. Well, thanks for being on the show again today.

Debbie Reynolds: Well, thank you for having me.

Trade Secret Theft

When employees leave a company, it is common for departing staff to take electronic files belonging to their former employer. Matthew Prewitt, a trade secret litigator, shares his experiences pursuing and defending against such litigation. The role of computer forensics, and the importance it plays in getting to the truth, is discussed in this informative interview.

Leading computer forensics expert Lee Neubecker discusses trade secret misappropriation by a departing employee and how that can lead to a competitor gaining an unfair competitive edge. The Chair of Schiff Hardin’s trade secret practice, Matthew Prewitt, emphasizes the importance of working with a computer forensics expert to preserve digital evidence and perform effective discovery that can later be used if litigation is necessary. Enigma Forensics staff are experts at investigating a departed employee using computer forensics.

The transcript of the video follows:

Lee Neubecker: Hi, I’m here today with Matt Prewitt. Matt is the chair of Schiff Hardin’s trade secret practice, and is an experienced litigator that focuses on the area of trade secret theft. Matt, thanks for being on the show.

Matthew Prewitt: Thanks for having me, Lee.

Lee Neubecker: We’ve had cases we worked on before involving departed employees. Could you tell everyone a little bit about your experience in this area, dealing with trade secret theft?

Matthew Prewitt: Sure, I mean as a trial lawyer, I’ve litigated both sides, sometimes, defending the departing employee, and/or that employee’s new employer, other times representing as the plaintiff, the company that the employee left.

Lee Neubecker: So, can you tell people generally what happens when you’re on the side of the company that had the employee that left? What happens at ground zero?

Matthew Prewitt: Well, ideally, the company would already have in place a structure of trade secret protection, and contractual, policy, and technology protections against unfair competition by the departing employee. So, that framework consists of, typically, a confidentiality agreement with the employee, perhaps a set of restrictive covenants, like a non-compete agreement, and then, hopefully, handbook policies that govern the conduct of the employee. Those will be coupled with restrictions, of course, that integrate with the company’s relationships, with its vendors and customers. Basically what the company ideally should be doing, is sitting down with outside counsel, in-house counsel, IT, and thinking about all the places where the company has sensitive, competitive information, trade secrets, or other confidential information, that are at risk when an employee turns out to be disloyal.

Lee Neubecker: So, when a client calls you, and they suspect that someone took stuff, what do you advise them to do, initially?

Matthew Prewitt: Well, I mean the first is to assess the situation and, that consists of identifying, with these days, almost everything is electronic of course, so, the first part of the assessment is to identify the types of electronic information that the departing employee would have access to. Either legitimately, during the course of that employee’s work, or, by exceeding the policy limits or protections that the company had in place. You’re doing, you’re identifying those areas for two reasons, one, preservation of evidence is very very important. And there’s no way to know what you need to preserve if you don’t know what the employee had access to, or potentially could’ve stolen. And then the other reason is to assess the competitive risk, and to begin to develop a plan for the investigation, and perhaps litigation response if it turns out to be warranted.

Lee Neubecker: And, so, typically, I know part of that initial response, when I’ve worked with you in the past, you want a forensic image made of the employee’s computer, before anyone mucks it up.

Matthew Prewitt: That is a, certainly an important starting point. With the changes in technology, for better or for worse, the places where the relevant data reside and the places that need to be preserved are, are multiplying instead of getting narrower, so, the hard drive of the laptop remains a very important source, because, forensically, it is often times the area that is most susceptible to forensic analysis and investigation. But there certainly are other places, as well. Cloud storage, the company’s computer network, personal email account of the employee, personal phone, company-issued phone, it goes on.

Lee Neubecker: I know when I first started in this area many years ago, the misappropriation was on a CD-ROM, and now, you’ve got smart phones, you’ve got USB drives, but the cloud is a whole other area of concern, because, companies can connect to Dropbox, Box.com, various other places, AWS, and move data to the cloud, so that, that becomes another point of concern and a need to be able to collect and preserve data from sources other than the computer.

Matthew Prewitt: You’re absolutely right, Lee.

Lee Neubecker: So can you tell us any war stories about what, what’s happened in the past when you’ve used forensics to pursue a case, and what kind of result you’ve been able to get for your clients?

Matthew Prewitt: Sure. I mean the forensic examination is really a critical part of a trade secrets case, especially if you’re on the plaintiff side, because, in, when you’re in court, trying to enforce restrictions against a departing employee, the, for better or for worse, the court is typically going to start that process with having, with some sympathy to the departing employee. I mean we are in America, and people are supposed to be rewarded for their ingenuity and hard work, and, employee mobility from one company to another is a basic value of our society. So, showing the court that the employee cannot be trusted to do the right thing, to be an honest and ethical employee at the new employer, at the new, at the competitor that she or he’s goin’ to, is really really important for building an effective non-compete case, or trade secrets theft case as a plaintiff.

Lee Neubecker: So for instance, if your client had a policy of no USB drives, and didn’t use USB drives, but yet, your forensic expert reported that a USB device was plugged into the computer the day before they filed their resignation, and that various files appear to have been copied to that drive, that would be something that would be compelling in support of an injunction, correct?

Matthew Prewitt: It’s certainly a brick in the building that you’re trying, or the story that you’re trying to build from court, absolutely.

Lee Neubecker: So there’s other pieces too, have you had situations where you’ve petitioned the court to allow discovery of that departed employee’s home computer, or the new workplace computer?

Matthew Prewitt: Yes, part of the forensic exercise is demonstrating the need for that discovery. And so, what you’ll want to start with as part of your initial investigation, is to have your forensic expert look for evidence that will show that the employee has used her home computer, has used external devices, has copied to the cloud, and once you can show the migration of data, under suspicious circumstances, off the realm of the company-owned hardware or accounts, then that’s the central starting point for demonstrating to the court that you need a more invasive approach into the personal devices and accounts of the departing employee.

Lee Neubecker: Great so, let’s say that the plaintiff attorney has established convincingly with their forensic expert that data was misappropriated, and that the data clearly is confidential, and trade secret-type information. If you’re advising the new company that hired the sales person, and you saw the report and you believed the report to be credible, how might you try to help that new employer end the litigation and get things to a peaceful place?

Matthew Prewitt: Hopefully that they, the new employer has already laid the foundation for that scenario by instructing the employee before arriving, that they should not copy or take things with them, from their previous employment, should not load things onto the company network that are… belong to the previous employer, et cetera. And, to have done that in writing. If that’s happened, that puts the new employer in a potentially awkward spot, because you have an employee who not only has, has taken his former, his or her former employer’s stuff, but then has also disregarded the instructions of the new employer as well. That’s the situation where the new employer may be seriously considering terminating its relationship with the new employee.

Lee Neubecker: I’ve seen that happen, I’ve also seen situations where, the employee who departs agrees to have forensic inspections on his computer, and, signs an agreement that pretty much guarantees that if he’s caught doing something with this, that he’s going to have, face massive legal costs, and admit to wrongdoing.

Matthew Prewitt: That’s where that trust factor or credibility factor, that comes, that’s one example of where it becomes really critical. Not only is the court typically going to be inclined to the defendant departing employee’s situation, and want that employee to be able to have gainful employment, many courts are also going to want to give that employee a second chance. And the second chance here is the chance to turn over the, turn over the information, and provide exactly the kind of affidavit or certification you’re referring to.

Lee Neubecker: Great well, I appreciate you being on the show and talking about this topic. It’s one that impacts most businesses, so, thanks again for being on the show.

Keys to Investigating Departed Employees using Computer Forensics

  • Forensically preserve the departed employee’s computer storage media before any examination of the contents occurs
  • Look for recently accessed files as reported by shortcuts and other system activity logs
  • Analyze recently deleted files to look for evidence of trade secret theft
  • Investigate recent connections of external storage to the computer
  • Build a timeline of events that led up to the departure to assist in an efficient investigation
  • Hire an experienced computer forensics expert – that’s us
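The checklist above, worked as an added example (not Enigma Forensics’ own tooling): a Python timeline builder that merges constructed shortcut, deleted-file and external-storage records and flags the activity in the window before a resignation date, including file activity shortly after a drive was connected. Every record, the tuple layouts, the serial placeholder and the rule that any non-C: volume counts as external storage are assumptions made for this example.

```python
"""Pre-departure activity timeline from constructed forensic artifacts.

Added example, not Enigma Forensics' own tooling. It takes the three artifact
streams the checklist names (recently accessed files as reported by shortcut
records, recently deleted files, and external storage connections), merges
them into one timeline, and flags activity inside the window leading up to
the resignation date. Every record below is constructed sample data, and the
simplified tuple layouts are an assumption, not any real tool's export format.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample data: (timestamp, file name, folder the shortcut points at).
RECENT_FILES: List[Tuple[str, str, str]] = [
    ("2019-03-10T09:15:00", "Q1_sales_forecast.xlsx", "C:\\Users\\jdoe\\Documents"),
    ("2019-03-13T17:42:00", "customer_list_master.xlsx", "E:\\backup"),
    ("2019-03-13T17:45:00", "pricing_model_v7.pptx", "E:\\backup"),
]
# Constructed sample data: (timestamp, file name) from the deleted-file analysis.
DELETED_FILES: List[Tuple[str, str]] = [
    ("2019-02-20T11:00:00", "lunch_menu.pdf"),
    ("2019-03-13T18:01:00", "pricing_model_v7.pptx"),
]
# Constructed sample data: (timestamp, device description, serial placeholder).
USB_CONNECTIONS: List[Tuple[str, str, str]] = [
    ("2019-03-13T17:30:00", "removable flash drive", "SERIAL-PLACEHOLDER"),
]
RESIGNATION_DATE = datetime(2019, 3, 14)  # constructed


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str     # "lnk", "deleted" or "usb"
    detail: str
    flagged: bool   # True when the event falls inside the pre-departure window


def _is_external(folder: str) -> bool:
    # Assumption for this example: anything outside the C: system volume is external.
    return not folder.upper().startswith("C:")


def build_timeline(recent, deleted, usb, resignation, window_days=7) -> List[Event]:
    """Merge the artifact streams into one chronologically sorted timeline."""
    cutoff = resignation - timedelta(days=window_days)
    events: List[Event] = []
    for ts, name, folder in recent:
        when = datetime.fromisoformat(ts)
        # Only file access on a non-system volume is flagged inside the window.
        events.append(Event(when, "lnk", f"accessed {name} in {folder}",
                            _is_external(folder) and when >= cutoff))
    for ts, name in deleted:
        when = datetime.fromisoformat(ts)
        events.append(Event(when, "deleted", f"deleted {name}", when >= cutoff))
    for ts, product, serial in usb:
        when = datetime.fromisoformat(ts)
        events.append(Event(when, "usb",
                            f"external storage connected: {product} [{serial}]",
                            when >= cutoff))
    return sorted(events, key=lambda e: e.when)


def activity_after_usb(timeline: List[Event], lag=timedelta(hours=2)) -> List[Event]:
    """File events that occurred within `lag` after any external storage connection.

    This is the pattern the interview describes: a device plugged in shortly
    before resignation, followed by file activity that may indicate copying.
    """
    usb_times = [e.when for e in timeline if e.source == "usb"]
    return [e for e in timeline
            if e.source != "usb" and any(t <= e.when <= t + lag for t in usb_times)]


def render(timeline: List[Event]) -> str:
    """Plain-text timeline; flagged rows are marked with an asterisk."""
    return "\n".join(f"{'*' if e.flagged else ' '} {e.when.isoformat()} {e.source:8} {e.detail}"
                     for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(RECENT_FILES, DELETED_FILES, USB_CONNECTIONS, RESIGNATION_DATE)
    print(render(tl))
    print("\nFile activity within 2h of an external storage connection:")
    for e in activity_after_usb(tl):
        print(" ", e.when.isoformat(), e.detail)
```

Real shortcut, deletion and device records come from the preserved forensic image; the merge-and-flag logic is the part that transfers.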

Read More on Trade Secret Theft: