An in-person on-site discovery will allow you to view what the EMR notes look like at different points in time, and gain access to inactive or deleted records. Check out this blog to learn more!
In-person direct access is what is often required to be able to get a complete view of what happened, because some of the data doesn’t show when you’re just looking at the produced printed charts. Such missing items may include: routing history, what the notes look like at different points in time, access to inactive or deleted records, and communications. Below is a screenshot from a popular Health Information System, Epic.
EPIC
Epic Notes View
So this is Epic and here you see the notes view and when you’re entering into the system, there’s routing which can give you additional detail about what happened in terms of the routing of the notes. You have a note time, a filed time, and a note time. In this case, all these records with exception of this one down here, the 10:04 AM note time was filed 15 minutes later. So it’s important to have both date and timestamps because sometimes, the file times are many days after discharge or nowhere contemporaneously to the events and that’s important if notes are being entered into this EMR days after something awful happened, you really want to know when those notes were filed. If they’re filed long after things went wrong, oftentimes, that suggests that fabrication of the EMR took place. You can see here, here’s some of the routing, it allows for you to specify different recipients and so knowing that routing of information, that’s important because it’s not always evident when you’re looking at the chart. Here’s an example of adding a note and you can see here, there’s the ability to copy and paste different notations. The date and time on these notes when you first go to create a note, default to the current computer’s clock time but it’s totally possible to change the date and time to put it back in time by dates or hours and that information is relevant. Here’s an example of the Cerner notes. Again, Cerner allows the user to change the date to something other than the current date and time. And it still stores, again, the creation time of that note, even if the note purports to be days earlier. And there are also different filters here, when you’re looking at the EMR with power notes on Cerner, there are different filters, such as my notes only, there’s inactive, active, and so on.
Watch other videos making up this 4 part series, Unlocking the EMR Audit Trail.
What are some of the potential problems for an organization trying to secure Windows 7? Cyber Security Experts Lee Neubecker and Atahan Bozdag say it’s analogous to owning a home and not maintaining it, eventually something breaks and it’ll cost you a fortune to fix!
Securing Windows 7 Environments
On January 14, 2020, Microsoft announced support for Windows 7 has ended. As reported by Microsoft, “Technical assistance and software updates from Windows Update that help protect your PC are no longer available for the product. Microsoft strongly recommends that you move to Windows 10 to avoid a situation where you need service or support that is no longer available.” It’s official…it’s the end of Windows 7! We have to end our love affair with Windows 7 and move onto Windows 10. What does that mean for the end-user? Well, if you stay on Windows 7, you will deal with constant security threats, and there will be no more updates or support. If you upgrade it’ll cost you approximately $139 for a home computer, $199 for a small to large business and $309 to upgrade a workstation that needs a faster powerful operating system.
Cyber Security & Computer Forensic Expert Lee Neubecker and “Fellow Forensicator” Atahan Bodzdag break down what impact is imposed on cyber security when computers no longer receive service patch updates or support for Windows 7. They discuss the usage of Windows 7 by the Health Care organizations that are resistant to change or have application that have not been ported to work with Windows 10.
Atahan Bodzdag provides an overview of top three items that all organizations dependent on Windows 7 should be undertaking to maintain cyber security resilience.
Window 7 Security Vulnerabilities
The Video Transcript Follows
Lee Neubecker: Hi, I’m here today with Adahan Bozdag. Thank you for being on the show Adahan.
Atahan Bozdag: Thank you for inviting me, Lee.
LN: Atahan is a fellow forensicator and cybersecurity expert. He works within the healthcare sector and works internally to an organization, doing some of the things I do as an expert witness outside an organization. And today we’re going to be talking about Windows 7, the end of the life cycle of Windows 7, and some of the cybersecurity issues relating to organizations that are in Windows 7 and are trying to prevent future data breaches. So, Adahan, could you tell everyone a little bit about what Microsoft did recently as it relates to Windows 7?
AB: Well, as you said, Windows 7 end of life cycle happened. It’s was January 14, 2020. They stop patching Windows 7 environment, so it is vulnerable to any attack after the date. January 14, 2020.
LN: So then when people report their CVEs, detailing vulnerabilities on Windows 7, eventually they’re up there for the hacker world to see. and to exploit because Microsoft’s not patching that operating system.
AB: Very true. It’s a dream come true for the hackers.
LN: Yeah, well, no more data patches means what exactly?
AB: It means that you are more vulnerable to attacks.
LN: So every day the risk of cyber compromise only grows for organizations still on Windows 7.
AB: Very true.
LN: So, what is for the non-technical person out there, could you explain what this is analogous to?
AB: Well, I can give you the house analogy. You buy a house and you don’t do any upgrades. You don’t do any maintenance. Something is going to break. So this is what’s going to happen with Windows 7. Because there’s no more patch, there are no more updates, there’s no more security involved in it. At one point if you still continue using it, you will get breached.
LN: So, it’s kind of like your locks start to fall off the door at a particular time
AB: Exactly, exactly.
LN: And if you consider the contents of a health care provider, to have sensitive data like patient medical records, electronic medical records, protected health care information, or PII, all of that stuff is vulnerable to exfiltration?
AB: Yes, very, yes.
LN: So, why are people still using Windows 7, given this threat?
AB: Well, some applications are not upgraded to work with Windows 10, and what happens. So then a lot of people working in the corporate environment are resistant to change because the applications are not working with Windows 10. So those,
LN: Or they just like the cleanness of Windows 7, relative to Windows 10, which
AB: Yes
LN: It has a lot of bloatware loaded on it if you’re getting the version off the shelf.
AB: True, true.
LN: Who really needs to have all these games on their environment?
AB: Exactly. But at the same time, every healthcare company that, you know, even my company that I’m working for, we have a golden image that we create, which are stripped down from all those games and stuff like that. So we don’t use those. But, to get there, there is always an image needs to be updated in Windows 10.
LN: So what are some of the potential problems for the organization that stays on Windows 7 and just doesn’t get with the program to migrate off?
AB: Well, first thing is, APT.
LN: What’s an APT?
AB: APT is an Advanced Persistent Threat.
LN: That’s like that nation-state, Big Brother lurking on the chips of the computer device, waiting for a moment to attack, right?
AB: They can infiltrate you. They can do nothing, just sit and wait, and look at your data. And we have seen that in many breaches. The time that you found out that the company was breached, they’ve been in the system for more than six, seven months. So they were collecting data slowly by slowly, and at one point they turned the engine on, and then the doomsday attack starts. Suddenly you start losing data. Deletion happens and then, they grab everything out from your system.
LN: “So there’ ve been a lot of nation-states making threats.
AB: Oh, very much so.
LN: This could be a huge opportunity for certain nation-states to get themselves onto hackable systems and merely wait until the opportune time to strike is such that they could magnify the damage.
AB: Exactly.
LN: We have a power outage,
AB: Yes.
LN: And they were to strike at that time, that would probably magnify the damage significantly.
AB: Very, very much. And now you’ve been talking about those in your other videos about these kinds of things. The cyber realm is another way of attacking our national interests. Health care is one of them.
LN: So let’s assume that an APT gets into a health care environment, health care provider’s systems, and they’re able to access electronic medical records, EMR, patient health care information, what might they want to do with that information?
AB: Well, patient records, especially the names, social security numbers, medical records, everything is sellable in the Darkweb.
LN: And it’s worth a lot more than just giving social security numbers.
AB: It is. True. It’s like a single record may go for $35. If you got about 10,000 records, 10,000 records times about $35.
LN: It’s likewise though, that data exfiltrates, and it gets out there in the market, the health care providers are looking at potentially significant financial damages, as well as reputational damage.
AB: Yes, yes. Because when these things happen, suddenly you have to report this either to the government or to the media. And then afterward the penalties will come. And investigations cost a lot of money. Penalties are really severe And doing all of these things, and if you’re still in the Windows 7 environment you’re actually opening yourself to these kinds of attacks.
LN: Yeah so, when these data incidents happen, as you like to call them, what do you see the role of internal IT investigations versus an outside computer forensic firm like myself specializes in data breaches and EMR. What is the typical role and function of the internal versus the outside expert witness?
AB: Internal it’s you know like myself, we do the investigation internally but we would love to hire, I mean we would like to hire an outside investigation, to give unbiased information. Saying that if you go to the legal ways that you will be able to say that hey, I’m not involved with this company I’m doing this…
LN: Sometimes, there’s benefit to having an outside forensic expert that’s independent speak only to the issues that are relevant and not necessarily have a knowledge of who was in IT that got fired or any of that other stuff that isn’t really relevant to the investigation but could create risk for the health care provider.
AB: True. True.
LN: So with regard to reporting obligations, let’s say you find that there was indeed exfiltration of patient data and that information left the organization, what are the reporting obligations?
AB: Well the best way that I can tell right now is if you were at the hhs.gov or consult your attorney it will actually tell you especially the website, will tell you what are the reporting obligations. There are multiple levels. If I go into details over here, it’s not going to last.
LN: Got it. And so, we talked about exfiltration but what can happen if someone gets in and actually deletes patient medical records?
AB: Well, the first thing is in hospital systems that patient who’s going to be either going into surgery or something like that, they will not be able to get, pull out the data.
LN: And so people who have a need for critical life-saving care, might actually die.
AB: Yes.
LN: Or worse yet, if someone were to alter the medical records
AB: That is a threat
LN: And say instead of your left lung having cancer it’s your right lung and you get the wrong lung removed, that’s a real problem
AB: It’s a big problem.
LN: So if you have to say, wrap it up what would be the top three recommendations you make to health care organizations to help defend against the potential future data breach that’s from running Windows 7?
Top 3 Measures to Defend Windows 7
AB:
First is implementing operate plan to leave Windows 7, immediately. That’s a given fact.
Second, isolate Windows 7 legacy into VDIs which we call the Virtual Desktop Environments. Isolate them from the network.
And the third, make sure that your disaster recovery is in place and you do periodic tabletop exercises.
LN: Well thanks so much, that was really informative. I appreciate you coming on the show.
