Personal Cell Phone Forensics inlcudes social media, business and personal messages, photos, emails and GPS.
Leading computer forensics Expert Lee Neubecker, discusses the complexities of cell phone forensics with Debbie Reynolds from Debbie Reynolds Consulting. We both agree the litigation involving cell phones becomes personal and proves difficult to gain possession. Personal and business text messages, social media posts, photos, GPS records, emails, are all weaved together and become part of the discovery equation. eDiscovery in today’s era is incomplete without including data from smart phone including text messages, Skype, WhatsApp, Slack, Signal and other messaging platforms. Learn more about eDiscovery as it relates to personal cell phone messaging systems by watching Reynolds and Neubecker discuss the topic in today’s blog video interview.
The video interview transcript follows:
Lee Neubecker: Hi, I’m here today again with Debbie Reynolds, and we’re going to talk about something interesting, which every piece of litigation now is getting into. We’re talking about cell phone forensics. What’s been your experience with litigation involving cell phones and discovery?
Debbie Reynolds: Well, whenever they’re cell phones involved eye-rolling begins because people take their cell phones very personally. As opposed to someone’s laptop, which maybe they don’t want to give up, they will fight tooth and nail not to give up their cell phones. And obviously people, they mix work with pleasure and they’re doing different things. They may not want you to see, even if it’s nothing criminal going on, people just feel very tied to their cell phone. The hardest thing is actually getting possession of it and letting them know that you’re not going to look through their juicy texts or their photographs, especially if it’s not an issue in the case.
Lee Neubecker: I know that whenever you need to get into text messages, it becomes a sensitive topic for people. But there are effective ways to get effective discovery without totally trampling over someone’s privacy in many issues involving contract disputes or other civil litigation, what’s important is to identify the relevant custodians. Let’s say we have your cell phone in the conversation with mine, we can then take that, we can create a single PDF document showing each conversation thread and then you could quickly go through it, if it’s your phone in which your attorney identify relevant, not relevant, and then only take the ones that are between the relevant parties and load that up into the review platform.
Debbie Reynolds: Right. And to one thing, one very effective thing that people are doing now, and that’s something that you do, Lee, is where someone, they don’t want the other side to see their whole cell phone so they’ll have a forensic company collect the phone and say, only give them X. That’s actually a very secure way. It gives people peace of mind knowing that they’re not giving everything over, that the forensic folks can actually do some of this pre-work before people actually start looking at things.
Lee Neubecker: Yeah. And like what I’ve done is, they’re not going to pay me to spend time looking at their photos, nor do I want to look at that stuff.
Debbie Reynolds: No. No one cares. I think that’s what people don’t understand. We’ve been working on cases for over 20 years and I really don’t care what’s on the phone or what you said or what videos on there. It really makes a little difference to us.
Lee Neubecker: What I try to do is I try to quickly create almost a summary index of okay, these are the conversation threads. Tell me which phone numbers are relevant, aren’t relevant, who are the relevant parties, and then we can just pull those specific threads out, put them up into the review platform.
Debbie Reynolds: Exactly.
Lee Neubecker: Now, sometimes there’s issues where photos are relevant specifically, if it’s important that you know the whereabouts or someone on a given date and time. Photos often can establish whether or not someone was really at home sick or out on vacation somewhere. There’s embedded GPS data that is recorded into most photos that are taken with smartphones.
Debbie Reynolds: Unless someone decides to strip it out. I think if you don’t do anything to it, it will collect that data. But there are ways to strip that information out. And also, people can turn off GPS tracking on their phone.
Lee Neubecker: Yeah. Well, thanks for being on the show again today.
When employees leave a company, it is common that departing staff may take electronic files belonging to their former employer. Matthew Prewitt, a trade secret litigator shares his experiences pursuing and defending against such litigation. The role of computer forensics and the importance it plays in getting to the truth is discussed in this informative interview.
Leading computer forensics Expert Lee Neubecker discusses trade secret misappropriation by a departing employee and how that can lead to a competitor gaining an unfair competitive edge. The Chair of Schiff Hardin’s trade secret practice, Matthew Prewitt, emphasizes the importance of working with a computer forensics expert to preserve digital evidence and perform effective discovery that can later be used if litigation is necessary. Enigma Forensics staff are experts when investigating a departed employee using computer forensics.
The transcript of the video follows:
Lee Neubecker: Hi, I’m here today with Matt Prewitt. Matt is the chair of Schiff Hardin’s trade secret practice, and is an experienced litigator that focuses on the area of trade secret theft. Matt, thanks for being on the show.
Matthew Prewitt: Thanks for having me, Lee.
Lee Neubecker: We’ve had cases we worked on before involving departed employees. Could you tell everyone a little bit about your experience in this area, dealing with trade secret theft?
Matthew Prewitt: Sure, I mean as a trial lawyer, I’ve litigated both sides, sometimes, defending the departing employee, and/or that employee’s new employer, other times representing as the plaintiff, the company that the employee left.
Lee Neubecker: So, can you tell people generally what happens when you’re on the side of that had the employee that left? What happens at ground zero?
Matthew Prewitt: Well, ideally, the company would already have in place a structure of trade secret protection, and contractual, policy, and technology protections against unfair competition by the departing employee. So, that framework consists of, typically, a confidentiality agreement with the employee, perhaps a set of restrictive covenants, like a non-compete agreement, and then, hopefully, handbook policies that govern the conduct of the employee. Those will be coupled with restrictions, of course, that integrate with the company’s relationships, with its vendors and customers. Basically what the company ideally should be doing, is sitting down with outside counsel, in-house counsel, IT, and thinking about all the places where the company has sensitive, competitive information, trade secrets, or other confidential information, that are at risk when an employee turns out to be disloyal.
Lee Neubecker: So, when a client calls you, and they suspect that someone took stuff, what do you advise them to do, initially?
Matthew Prewitt: Well, I mean the first is to assess the situation and, that consists of identifying, with these days, almost everything is electronic of course, so, the first part of the assessment is to identify the types of electronic information that the departing employee would have access to. Either legitimately, during the course of that employee’s work, or, by exceeding the policy limits or protections that the company had in place. You’re doing, you’re identifying those areas for two reasons, one, preservation of evidence is very very important. And there’s no way to know what you need to preserve if you don’t know what the employee had access to, or potentially could’ve stolen. And then the other reason is to assess the competitive risk, and to begin to develop a plan for the investigation, and perhaps litigation response if it turns out to be warranted.
Lee Neubecker: And, so, typically, I know part of that initial response, when I’ve worked with you in the past, you want a forensic image made of the employee’s computer, before anyone mucks it up.
Matthew Prewitt: That is a, certainly an important starting point. With the changes in technology, for better or for worse, the places where the relevant data reside and the places that need to be preserved are, are multiplying instead of getting narrower, so, the hard drive of the laptop remains a very important source, because, forensically, it is often times the area that is most susceptible to forensic analysis and investigation. But there certainly are other places, as well. Cloud storage, the company’s computer network, personal email account of the employee, personal phone, company-issued phone, it goes on.
Lee Neubecker: I know when I first started in this area many years ago, the misappropriation was on a CD-ROM, and now, you’ve got smart phones, you’ve got USB drives, but the cloud is a whole other area of concern, because, companies can connect to Dropbox, Box.com, various other place, AWS, and move data to the cloud, so that, that becomes another point of concern in a need to be able to collect and preserve data from sources other than the computer.
Matthew Prewitt: You’re absolutely right, Lee.
Lee Neubecker: So can you tell us any war stories about what, what’s happened in the past when you’ve used forensics to pursue a case, and what kind of result you’ve been able to get for your clients?
Matthew Prewitt: Sure. I mean the forensic examination is really a critical part of a trade secrets case, especially if you’re on the plaintiff side, because, in, when you’re in court, trying to enforce restrictions against a departing employee, the, for better or for worse, the court is typically going to start that process with having, with some sympathy to the departing employee. I mean we are in America, and people are supposed to be rewarded for their ingenuity and hard work, and, employee mobility from one company to another is a basic value of our society. So, showing the court that the employee cannot be trusted to do the right thing, to be an honest and ethical employee at the new employer, at the new, at the competitor that she or he’s goin’ to, is really really important for building an effective non-compete case, or trade secrets theft case as a plaintiff.
Lee Neubecker: So for instance, if your client had a policy of no USB drives, and didn’t use USB drives, but yet, your forensic expert reported that a USB device was plugged into the computer the day before they filed their resignation, and that various files appear to have been copied to that drive, that would be something that would be compelling in support of an injunction, correct?
Matthew Prewitt: It’s certainly a brick in the building that you’re trying, or the story that you’re trying to build from court, absolutely.
Lee Neubecker: So there’s other pieces too, have you had situations where you’ve petitioned the court to allow discovery of that departed employee’s home computer, or the new workplace computer?
Matthew Prewitt: Yes, part of the forensic exercise is demonstrating the need for that discovery. And so, what you’ll want to start with as part of your initial investigation, is to have your forensic expert look for evidence that will show that the employee has used her home computer, has used external devices, has copied to the cloud, and once you can show the migration of data, under suspicious circumstances, off the realm of the company-owned hardware or accounts, then that’s the central starting point for demonstrating the court that you need a more invasive approach into the personal devices and accounts of the departing employee.
Lee Neubecker: Great so, let’s say that the plaintiff attorney has established convincingly with their forensic expert that data was misappropriated, and that the data clearly is confidential, and trade secret-type information. If you’re advising the new company that hired the sales person, and you saw the report and you believed the report to be credible, how might you try to help that new employer end the litigation and get things to a peaceful place?
Matthew Prewitt: Hopefully that they, the new employer has already laid the foundation for that scenario by instructing the employee before arriving, that they should not copy or take things with them, from their previous employment, should not load things onto the company network that are… belong to the previous employer, et cetera. And, to have done that in writing. If that’s happened, that puts the new employer in a potentially awkward spot, because you have an employee who not only has, has taken his former, his or her former employer’s stuff, but then has also disregarded the instructions of the new employer as well. That’s the situation where the new employer may be seriously considering terminating its relationship with the new employee.
Lee Neubecker: I’ve seen that happen, I’ve also seen situations where, the employee who departs agrees to have forensic inspections on his computer, and, signs an agreement that pretty much guarantees that if he’s caught doing something with this, that he’s going to have, face massive legal costs, and admit to wrongdoing.
Matthew Prewitt: That’s where that trust factor or credibility factor, that comes, that’s one example of where it becomes really critical. Not only is the court typically going to be inclined to the defendant departing employee’s situation, and want that employee to be able have gainful employment, many courts are also going to want to give that employee a second chance. And the second chance here is the chance to turn over the, turn over the information, and provide exactly the kind of affidavit or certification you’re referring to.
Lee Neubecker: Great well, I appreciate you being on the show and talking about this topic. It’s one that impacts most businesses, so, thanks again for being on the show.
Keys to Investigating Departed Employees using Computer Forensics
Forensically preserve the departed employee’s computer storage media before any examination of the contents occurs
Look for recently accessed files as reported by shortcuts and other system activity logs
Analyze recently deleted files to look for evidence of trade secret theft
Investigate recent connections of external storage to the computer
Build a timeline of events that led up to the departure to assist in an efficient investigation
Hire an experienced computer forensics expert – that’s us
Data Diva Debbie Reynolds and Enigma Forensics’ CEO Lee Neubecker discuss what to look for in selecting a computer forensics expert to assist with preservation, litigation and eDiscovery.
The transcript of the video follows
Lee Neubecker: Debbie, thanks for being on the show again today. I’m here with Debbie Reynolds, she is Eimer Stahl’s data protection officer and she also is the director of their eDiscovery subsidiary. Thank you for coming in and being on the show.
Debbie Reynolds: Thank you, it’s always a pleasure, Lee.
Lee Neubecker: So, today we’re going to talk a little bit about the differences between eDiscovery and computer forensics and when it’s necessary to bring in an expert to actually be the testifying expert or to handle more sensitive issues, and what you look for when you’re pulling in a computer forensic expert to assist one of your projects?
Debbie Reynolds: Well, it’s never not a good idea to bring in a forensic person, so I try to get someone who’s a professional in forensics on every case that we have, so, just depends. Some big corporations, they actually have people, ’cause they do so much litigation, they have people who are captive to their organization that do it. More times than not, they either farm out that work, to a company like Lee’s company, or they come to me, they ask me for recommendations. Just depends on where they are, what their ability, who’s available. For me, it’s really important that I work with people that I trust, smart people like Lee, who knows what they’re doing. Me, I tell people, I don’t chase company names, I chase the talent, so, I’ve had situations where I’ve had an investigator or forensic person go from one company to the next, and as a stipulation of us working with them, that case went with them ’cause they had the knowledge, so for me, the thing that I look for is a company, again, people that I know and trust, people that I know are smart that know what they’re doing, people who can really present themselves, ’cause a lot of times you’re going into a situation, you’ve not met these people, you’re going in there, touching their data, people are very sensitive about it, IT people can be very territorial, so having someone who can really put people at ease and be very professional in a situation where it’s semi-hostile, where you know that the IT guy takes pride in what he’s doing, thinks he’s the expert, so you have to kind of disarm that person.
Lee Neubecker: How often are IT people hostile?
Debbie Reynolds: Oh, 1000% of the time. They’re always hostile in some way, some are more passive aggressive than others, but you know, this is their baby, you have to work with them to get access to the data, and a lot of times they feel like, well why can I do this?
Lee Neubecker: And part of the problem, when I’ve worked with the IT people, usually they’re defensive because they’re having extra work to do.
Debbie Reynolds: Oh, absolutely.
Lee Neubecker: And they’re involved in litigation, so what I try to do is I try to sit down with them and say, “hey look, “this is my role, I need to understand enough of your stuff “so that you don’t have to talk to the attorneys, “and then I can buffer you from that so that you can “do your daily work,” and when they hear that, it helps them to understand, okay, you’re here to save me from a deposition.
Debbie Reynolds: Oh, absolutely.
Lee Neubecker: Then they’re more relieved, more willing to work with you.
Debbie Reynolds: Absolutely. I think the challenge is to get, when you start a litigation, companies, in order to try to save money, that’s where they want to save money. They don’t want to spend money on a forensic person, but if I compare cases against one another, two cases are very similar, one they had a forensic person, one who doesn’t, the one that has a forensic person, down the line, their case is more smooth, ’cause we don’t have a lot of questions about who did what, what is where, we don’t have a question about who needs to sign affidavits, who needs to go to court, all that stuff, so all that headache down the line is eliminated when we bring in someone. And I’ve had people on our cases tell me, who’ve decided that they didn’t want to bring in someone, they said no, but bad decision, we should have really brought in someone.
Lee Neubecker: In my opinion, I think it’s important to know who the person to be responsible for that data, if they’d never testified in court before, that’s a potential problem, and a lot of times people don’t ask those questions. Other things like, do they have some type of certification that shows that they mastered the field of computer forensics? And did they have to take a exam that was proctored by some independent party to assess that so that you know that your person truly has the knowledge, they didn’t just attend a class and got a certificate, because that’s a little bit of a difference, and there are many people, though, that I’ve encountered, that haven’t had the formal certifications, and they’re very bright, but when you’re putting the people up, they’ve got to survive a challenge against their admissibilities expert, if they don’t have cases of record, if none of the judges know who the person is, those things are definitely problems.
Oftentimes, I’ve seen new experts get up and make basic beginner mistakes where they let the attorney override what their report is, they let the attorney write the affidavit for them, and then it gets stretched too far, and then there might have been many good things that they had to say, but all of it goes out the window because they didn’t know how to manage the hard, nose-driven litigator that wants that report to be aggressive, so you have to listen and understand those driven litigators, but you also have to protect them from killing the case, and they assume that whatever expert you put there has those skills and a lot of them don’t know when they’re getting into trouble, and they need to be able to stand up for themselves, and do it professionally, and objectively.
Debbie Reynolds: Absolutely, absolutely. A lot of times, they don’t know what they don’t know. We had a person that actually went out and got a cell phone for a case, and we were like, we don’t want anyone to touch it, we want the forensic people to look at it, or whatever, he thought, oh well you know, I’m smart, I know how to do this stuff. Not that he wasn’t smart, but this was not his area of expertise, and he turned this phone on, and basically, the person who had the data on the phone, had sent a command to the phone to be erased, so when they turned it on, it wiped out all the stuff.
Lee Neubecker: So they didn’t put it in a Faraday bag?
Debbie Reynolds: No, they didn’t put it in a Faraday bag, they didn’t put it in airplane mode, they went to Walgreens, got cords, stuck the cord in the thing and turned it on, and that was it.
Lee Neubecker: So then that becomes some spoliation claim against–
Debbie Reynolds: It was spoliation, yeah. Everyone thinks, oh I have a cell phone, so I can do this, and it’s like no. I think people need to understand that what you guys do is very different than what we do in eDiscovery and what a normal person who’s doing IT can do, ’cause you have a different aim in my mind, and you understand spoliation of evidence, and how to get data in the right formats, where another person would not know that ’cause that’s not their background, that’s not their training and that’s not the purpose of what they’re handling data for.
Lee Neubecker: Well I really thank you for being on the show, again, to talk about this, it’s great. I look forward to seeing you again soon.
Are Computer “Bots” Making Your Healthcare Decisions?
Are Computer “Bots” Making Your Healthcare Decisions?
Enigma Forensics CEO Lee Neubecker and David Bryant from Bryant Legal Group discuss computer “bots” used by insurance companies as a way to underwrite policies and making insurance claims decisions. Bots are now determining how a given claim should be scored. See how ediscovery plays a role in getting success for your client.
The transcript of the video follows
Lee Neubecker: I’m here today with David Bryant from the Bryant Legal Group and we’re going to talk a little bit about health insurance claims in his work, helping people get the coverage they deserve.
David Bryant: Nice to be here, Lee, thanks for taking the time to stop by. We’re seeing a very significant shift in the insurance industry with respect to claims adjudication and claims determinations. One way of looking at how this change is happening is to look at the dollar volume that’s being invested into underwriting insurance policies and making claims decisions. The first metric I’d like to share with you is there is a company out of Europe that did some research on money flowing into what’s now called Insurance Tech, and approximately two billion dollars went into the Insurance Tech arena in 2016. This money is being deployed into not only underwriting, but how claims are made and I think everyone out there is familiar with Watson and the new term artificial intelligence. And how that’s playing out in the insurance industry is that a lot of claims decision-making is being taken out of the hands of individuals and being given to what we’ll call “bots”, robots, or termed a “bot” in tech speak. So these algorithms which will be designed by very bright people, such as yourself, to determine what a given claim should be scored. And if there’s a certain score, then a claims individual will be required to deny that claim. This is problematic for some of the insurance companies because if it’s discovered, through the discovery process, it can wind up hurting them in litigation for bad faith denial of a claim.
Lee Neubecker: So, David, can you tell me a little bit about what you do at the onset of one of your case matters to help make sure that you could argue your case in court?
David Bryant: So there’s really two phases to insurance claims. There’s the appeal process and then there is court. If your claim is denied I can always sue an insurance company in court. Typically that’s in Federal Court. I primarily practice in Federal Court but I do State Court as well. So once I wind up in a court setting I will send a litigation hold letter to the general counsel of the insurance company and that letter secures that all of the data in its electronic format is preserved. So if I want the emails on a particular claim individuals hard drive, that information should be present when I request that information by way of that litigation hold letter. When I do discovery in Federal Court we’re looking for electronically stored information. I’m not looking for paper any longer because we’re looking to get the metadata that’s embedded in that electronic information so we can find out who looked at it, when it was looked at, when it was altered. So, Enigma Forensics having the skill set to be able to determine who touches electronic files, who views electronic files, we will bring in your firm in those circumstances when we want that type of information in litigation. Lee Neubecker: So can you give me an example of when you’ve had to rely upon our computer forensic services for us to help you out with a matter and how that played a role in getting success for your client?
David Bryant: So we handle primarily health insurance and disability insurance claims on behalf of individuals and physician groups. So one of the matters that you handled for us dealt with a disability insurance claim and we were looking for certain key words and key word phrases that were on the server or hard drives of the particular individuals at the insurance company. Being able to cull through all this data is a Herculean task and would be extremely expensive for the defendants. So the defendants will typically go to the Court and say, “Judge, this is going to cost us way too much “money and interrupt our normal course of business. “We don’t want, Mr. Bryant, to have access “to this information or put us through the trouble “and cost of doing it.” I brought in your firm and your services and you were able to explain to the judge that you could do a search of all of the information held by the insurance company and find these key words and submit them to the Court in-camera, so there was no privacy concerns, and report to the judge what your findings were. The case soon settled thereafter.
Lee Neubecker: They usually do. Well thank you for being on the show today. If you need to reach David, his info is on the screen. Thank you.
Enigma Forensics, Lee Neubecker reviews with Eric Fish, the Federation of State Medical Boards, Senior VP of Legal Services, about the positive impact of artificial technology and machine learning on medical standards and regulations. Find answers how this technology will improve the patient experience in the future.
The transcript of the video follows
Lee Neubecker: Hello, I’m here today with Eric Fish, Senior Vice President of legal services. He’s with the Federation of State Medical Boards and he’s going to be talking to us a little bit today about his organization and how they’re using technology to change how things work.
Eric Fish: Thank you, well the Federation State Medical Boards is the organization that represents the 70 state medical and osteopathic boards who are charged by state law to regulate the practice of medicine within the various states, in that we help build standards for regulation, best practices. We also work with states on our data and other things that are exchanged that really help improve the regulation of medicine for the patient, the end user of medicine.
Lee Neubecker: Eric can you tell us a little bit about how artificial intelligence and machine learning are impacting your organization and membership?
Eric Fish: Well, Lee, we’re actually at a, what I believe to be, a crossroads of cultural, social, and technological change that are really going to change the way that we have to look at regulation for the public benefit. There’s going to be a lot more data on patient/provider interactions. There is also going to be much more data consumed by state regulators to see which of these interactions comply with the standards. One of the things that I see developing out of this A.I. and machine learning is that we’re going to be creating much more data that can be mined as a regulator to see what interactions are good and which interactions are bad.
Lee Neubecker: Eric can you tell us a little bit about how A.I. and machine learning are being implemented to improve transparency?
Eric Fish: Well, one of the things that’s going to occur, I believe, is that as patients and providers start turning to algorithms to help with that continuation of care. Really the people who implement these systems have to prove up to the regulators how these comply, how these algorithms, how other things are going to comply with the standards that are there. Artificial intelligence has been in medicine for a long time. Machine learning is a little bit new, where we’re taking some of the discussions and building a knowledge base that’s then going to be applied to the patient experience and regulation isn’t standing in the way of these things. The regulations are there so that they are done the right way and in comply with the standards and being transparent on that beginning end is a really great step toward complying with regulations and making the regulatory process better.
Lee Neubecker: Great, and so, you told me that your organization runs some services that consumers might want to be aware of. What are those and what are they used for?
Eric Fish: Well, one of the things that we do on behalf of our members is collate all the disciplinary and regulatory actions that are taken against a provider, and we have a service called Doc Info, where a member of the public can go look to see if an action has ever been taken against their physician. We have access to all 900,000 plus licensees and their information, and it’s really a great service and use of data that we’ve collated and given out to the public.
Lee Neubecker: Great. Well thanks for coming on today. I know you’ve brought your colleague, Mike Dugan. Who’s going to talk for a little bit. Thanks again for coming to the show.
Eric Fish: Thanks, thank you.
Lee Neubecker: I have Eric’s colleague, Mike Dugan, he’s the CIO of the organization, and Mike can you tell me a little bit more about some of the things that you’re doing to improve the quality of the data and integrity of the information?
Mike Dugan: Sure, surely, thank you. We, in many ways, we are a data aggregator and this involves a credentialing process for physicians so we pull data from national data sources, we pull data from institutions to verify physicians’ identity as well as their credentials, so the training and process that they have done. Historically, these have been very manual processes, but we’ve implemented technology to add additional data sources and also give us flexibility in how we consume data. Historically, it’s been a very structured we need a file in this format and our technology is still evolving, but we’re working it to give us the flexibility to work with any data source available.
Lee Neubecker: What are the concerns that your members have regarding data breaches and the potential complications resulting from them?
Mike Dugan: Well, I think they worry about that quite a bit and if anyone in technology who deals with identity and has information, if you’re not worried about data breaches then you’re missing the point and perhaps should be in another line of work. So, we are given the trust of the physicians and our member boards that when they give us their data that it will be protected and that it will be safeguarded, and we work very hard to do that, proactively. So I think that in this environment and this day and age, that is an activity and a task that we will do, it will never go away. It will be ongoing and we will have to adapt if there is new ways that are found to hack information, we always will have to improve our data security.
Lee Neubecker: Well thanks a bunch for being on the show. I appreciate you taking time.
Mike Dugan: Okay, thank you, thanks for having us.
Read More About Government Privacy Controls on Artificial Technolgy
Video Discussion on: National Institute Security and Technology
Enigma Forensics CEO & President, Lee Neubecker and Cyber Security Expert Gary Rimar sit down to discuss NIST 800-53 and it is a security controlled catalog. NIST SP 800-53 is shorthand for the National Institute of Standards and Technology Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organization. The NIST is a non-regulatory agency of the U.S. Commerce Department and was established to encourage and assist innovation and science through the promotion and maintenance of a set of industry standards. Lee and Gary disect how this agency works to keep your company’s technolgy systems safe.
Find out the top 3 parts of this framework.
The transcript of the NIST 800-53 Framework video follows:
Lee Neubecker: Hello, I’m here today with Gary Rimar he’s here to talk a little bit about one of the NIST frameworks that can be very helpful in helping you to keep your organization safe. Gary, Gary’s a CISSP, it’s great to have you on the show. Can you tell me a little bit about the framework your going to talk to us about today?
Gary Rimar: Well the framework I’m going to talk to you about today is NIST 800-53 and it is a security controlled catalog. So if there is a security control for whatever you’re going to need in an organization it’s going to be in there. In something, it’s where your government actually did earn there keep because this is your tax dollars hard at work and it’s available publicly. Most people, and this is one of the things that always bothers me Lee, is that most people go for these real exotic threats and they’re real, they’re real, but there’s so many people out there that don’t even do the basics and the reason they don’t do the basics is because the company doesn’t want to invest in security, they tell them that their IT guy, “Oh, you can do security, it’s okay, “you don’t have to worry about it, “you’ll get it good, I’ll except the risk “of you doing security.” when the IT guy barely knows how to do computers. And so what ends up happening is they don’t know anything about security which is very deep and important and technical. And so when it comes to things like how do you do access control? What can you do to do access control? Today at work one of the people, and I work with a security guy, we have something where for what ever reason they can’t do two-factor authentication. Two-factor authentication is definitely a better way to go, but they can’t. So they said, “What mitigating factors “are there that you can use to help us “be able to do a one-factor authentication “and be less in danger?” And so I looked through the catalog IA5 and there’s a bunch of different things you can do just to make it simple and safer. You know they’ve done all the imagination for us.
Lee Neubecker: What would you say are the more important, if you had to pick the top three parts of this? What would you advise companies to focus on first if they’re starting down the road of trying to implement this framework?
Gary Rimar: Well first is planning, because, and that’s the PL family, if you don’t do planning nothing works right because you have to have a basis for security. If the CEO and senior management aren’t on board then when security says, “You need to do X” and operations says, “We don’t feel like doing that. If the CEO doesn’t say, “No, I need “to be secure, you need to do X.” then your hosed. So that would be the planning family. Second would probably be access control, which is actually 20% of all of it. You know, you’ve got several hundred controls and access controls 20% of them.
Lee Neubecker: Do you feel sometimes that companies don’t really care about security and just want to ignore it and pretend it’s going to take care of itself.
Gary Rimar: Well I don’t know that that’s necess… that could be. I think it could be willful ignorance, what I don’t know won’t hurt me, but it’s not true. For example, the Sony hack. The Sony hack they said “You know, I’m not “going to spend $10 million fixing a $1 million problem.” and that in its self makes sense. Cause you don’t want step on a dollar to pick up a dime. However, it was a lot more than a million dollar threat that they were compromised on and had they done it correctly and had they taken security seriously things would have been a lot better for them.
Lee Neubecker: So Gary are there any portions that deal with some of the current vulnerabilities involving hardware and firmware that this could apply to?
Gary Rimar: You know, yeah. Cause hardware and firmware are definitely part of the information system. It would be in the SI family for sure. If I had to guess off the top of my head without looking I think it would probably be SI7, because that, if it’s the control I think it is it deals with hardware it deals with software it deals with firmware because if your firmware’s corrupted your done, your owned. If your hardware’s corrupted your done, your owned. In fact supply-chain management is even a factor in NIST 800-53. I don’t have it remembered exactly which control that one is. But it’s important, you have to have all of your system protected from the beginning to the end and monitored and audited in the middle.
Lee Neubecker: Yeah, but there was a notice last month from the NSA about Cisco routers being compromised in that there aren’t fixes yet out. So if that still accurate it’s a concern and one of the ways using this framework IT professionals might try to assess this would be to open up the routers, get inside and dump the firmware off the microchips and compare that against the manufactured supplied hash values, but the challenge I’m seeing with that is a lot of companies aren’t putting the hash values for their firmware. They might do it for their software, but if you have a home consumer router I’d be challenged to see how many home consumer routers have the manufacturers listing the firmware version with hash and really letting you get there to apply the software, because the ISPs are controlling that for the most part.
Gary Rimar: Yeah, but you also have to recognize that your definitely going down a very valid, but also very deep rabbit hole, just as an example, one time I was talking with this guy it was like 1999, I lived in the Detroit metropolitan area and I was at a coffee house and this guy, who looked like Boss Hog, but tall said, “Everybody’s stupid, they’re “buying windows, they should build “their own operating system, they can use Linux.” And I looked at him and I said, “Your an idiot.” He said, “Well, why would you think that?” I said, “We have people who can hardly “find the on/off switch. Your going to tell them they’re supposed to compile their own OS.” and so when your talking about no, I don’t know. The thing is when your talking about the level of inspection you probably need to have somebody do some appropriate, professional vetting. That’s over the skill level of a significant number of professionals that your going to meet in the market. Your right. Your totally right. But you probably need to get some people who eat and drink and breath this stuff and real experts to do this. I personally don’t choose to stick a thumb drive in a computer anymore. There’s no need to do it. Inside a USB chip, I’m thinking you know this, but not everybody knows this, is that there’s this own little operating system inside the USB. So if you have an 8 gig USB, you know a small one these days, that used to be huge, it’s small now, that there’s actually more chip behind it that’s its own operating system and if that operating system is compromised its firmware and if that firmware’s compromised then whatever you plug that in is potentially owned.
Lee Neubecker: There’s no cryptic graphic process that checks and validates that software’s authentic on many devices. So it’s easy for nation-state malware to get into the chips and you know when WannaCry wreaked havoc on many hospitals. I saw there was one out east that they said that they replaced all the hard drives and all their systems and it’s like well that’s great.
Gary Rimar: Did they replace them with ones that went through appropriate supply-chain risk management?
Lee Neubecker: But even if they did replace all the hard drives if malware injected into the chips of the mouse, the CD-ROM, the printer then that was a waste of time because those computers are going to quickly become compromised.
Gary Rimar: You’re right about that, but again, this goes back to supply-chain risk management. If you don’t know where you’re getting your stuff you don’t know what you’re getting and what I did read is that China has actually started making their own chips for themselves. They don’t market them out of their country. Now one can determine is that their motivation that they don’t want to be infiltrated by another country or do they want to infiltrate their country because of their politics. I don’t know. I can’t know. However, it might be a good thing for countries, at least as big as us, with such a big target on our backs, to start creating our own chips and our own designs in our own country. Where we can control the entire process from picking up the sand off the beach to handing you a laptop.
Lee Neubecker: Yeah.
Gary Rimar: And your right, it’s not just the laptops or the hard drives it’s all the peripherals,
Lee Neubecker: Yeah, you know that’s the struggle because we want cheap, affordable products, but your…
Gary Rimar: Mm-hmm, well you can…
Lee Neubecker: Quality, cheap, fast.
Gary Rimar: You have good, fast, cheap pick which two. Yeah, I understand.
Lee Neubecker: Actually it was interesting to see that they brought Broadcom is coming back into the US and we’re seeing some of these moves of the President trying to get key industries back in to protect from some of these compromises and you know Apple some chips are going to be made outside of China now and other things happening there, but it’s a real concern and it’s one that the frame work identified here can hopefully help companies just have an outline to go through to evaluate where are we? What have we worked on? What do we need to do more work on?
Gary Rimar: Yeah, you know. And back to our original topic of NIST 800-53 it’s in there, that’s it’s in there supply-chain risk management, you know. If you know, when I was first starting in IT in like 2000 I knew enough about security to know I didn’t know enough about security. That I hired it out. And had I been availed of this book I would have probably been able to do a much better job and I would have probably gotten into this career sooner cause this stuff is cool.
Lee Neubecker: Okay.
Gary Rimar: But I didn’t know it then. Know I know it.
Lee Neubecker: That’s interesting stuff.
Gary Rimar: Yeah.
Lee Neubecker: So do you have any other advise you’d like to give to our viewers as it relates to helping to keep themselves secure?
Gary Rimar: Well, I used to joke about always practicing safe hacks, but really, the one thing that I think that people aren’t doing, and this is totally off topic, is even though all the concerns we talked about there are still people who are getting owned because they’re surfing in places that are unsafe. And there are a couple companies out there I don’t know if you want me to say their names on your podcast, but at least one in mind where you can actually go ahead and surf through a virtual browser. Like browsers a service, so you log into their site and then they fire up an ubuntu instance and then put a Firefox browser behind it and the only thing that touches your computer is pixels.
Lee Neubecker: So your not having any risk of Java Script
Gary Rimar: Not having any risk of anything.
Lee Neubecker: Well I think that kind of sandboxing makes a lot of sense and I could almost see a point where the end user desktop is basically just a sandbox that you wipe clean and start fresh every time booting.
Gary Rimar: Yeah, I have a former computer client who does legitimate research, he’s a psychologist, and he does legitimate research into pornography.
Lee Neubecker: Mm-hm.
Gary Rimar: I mean believe it or not, there is such a thing and his computer at home is, is his one computer, he’s computer stupid and so he had his HIPPA data on there and he’s surfing these kinds of websites and it scared the heck out of me. So I set him up a Linux virtual machine on his computer so he could surf there and I could rebuild that and I set it up so nothing could ever touch anything and the only thing he could swap is pixels and when I found out about one of these services I called him. You know he hasn’t been my client for years now cause I moved, but I called them up and says, “Hey Marty, you should use this.”
Lee Neubecker: Yeah.
Gary Rimar: And so now he can continue to do his research and not put his client records at risk.
Lee Neubecker: Well thanks for being on the show today. It’s been a great interview, I appreciate you being on Gary.
Gary Rimar: Thank you very much. I’m happy to have been here.
Enigma Forensics CEO & President Lee Neubecker and Johnson & Bell Attorney Joseph Marconi sit down to discuss Trade Secret Theft Litigation. They identify ways a company can safeguard themselves against trade secret theft. Lee discusses how Enigma Forensics provided a forensic copy of a critical hard drive that won an important case. Joseph emphasizes that when an employee leaves a company the importance to verify what information was there, where it went, and to whom it was sent. If you suspect someone in your organization is stealing trade secrets call Enigma Forensics or Johnson & Bell to help you recover your information and minimize the damage.
The transcript of the Trade Secret Theft video follows:
Lee Neubecker: Today I’m here with Joe Marconi from Johnson and Bell, who’s going to talk a little bit about trade secret litigation cases he’s been involved with, and how computer forensics has played a key role in getting success for him and his clients. Joe, thanks for being on the show.
Joe Marconi: Thank you Lee, it’s good to see you again.
Lee Neubecker: Joe, we started working together a long time ago. The first case that we had was one of my very first forensic expert cases ever. I think it was back in 2002 or 2003. It was the Lebert matter. Can you tell us a little bit more about what the issues were involved there and ultimately what happened in that case.
Joe Marconi: Yeah, that was Lebert versus Maiser. It was a trade secrets case. And we actually tried it in a bench trial and it went to the appellate court twice. And the appellate court actually quoted from your testimony at the trial and in that case, it was a sales distributor who we sued their top salesman. We represented the manufacturer and the local distribution company. And you were able to prove that before their key employee sales representative left the distributor, he downloaded a number of files. Shortly before or a couple of weeks before. And as with other trade secrets cases that I’ve been involved in, and I’ve tried several, computer forensics are very important. And you’ve been helpful, I think in three or four of them, Lee.
Lee Neubecker: I remember we had one case we worked on where your firm was being accused of exploitation of evidence. Can you tell people a little bit about that?
Joe Marconi: In that case, that case involved again, and typically what happens, the trade secrets case, it’s usually an employee leaves the company or a sales distribution company, terminates a contract with the manufacturer. And in the process, they take trade secrets. In this case, again, it was a local distributor. The case involved a company that distributed wines from all over the world. The new employer of the local distributor hired us to defend it and its former, and its now current employee. And we had her computer and we did and you did a forensic hard drive of the computer. You made a forensic copy of the hard drive, and it was blank. And the courts accused not the firm, but this particular distributor of destroying evidence. And that was the key issue in the case. And during trial, we had an unusual moment. In the night before the testimony by your forensic expert, you were able to open it up and show that nothing was really destroyed. And at trial that day, the other side’s forensic expert made a big point about how this hard drive had been wiped, and it had been wiped to destroy evidence of her misappropriation of trade secrets. And we then put on your forensic expert, and he testified. And we displayed it with a screen and everything, and he opened it up and the judge threw her pencil down on the desk, looked at her law clerks who were sitting there and said, “this does not happen every day.”
Lee Neubecker: I recall that was a situation where the hard drive, the other experts said the hard drive was completely wiped clean based on his testing of that drive on a PC, but in fact, I had my expert stay late that night and connect the drive to all different types of computers, and when it was connected to a Macintosh computer, lo and behold, it prompted for a password to decrypt the hard drive, so the hard drive was actually encrypted. And once a password was supplied, voila, it wasn’t a drive empty, but it had all the data. And the judge certainly was animated. I think the transcript on that was a really interesting case.
Joe Marconi: And the opponent’s expert had no clue, that was the, and the lawyer said to me afterwards, “I’m going to sue that guy.” The lawyer for the opponent.
Lee Neubecker: I felt bad for the expert, but that’s one of the problems that happens when you hire a computer forensic expert that hasn’t been doing it for a very long time. Problems can happen and mistakes happen.
Joe Marconi: Right. And for the most part, in the times that we’ve used you, have dealt with trade secrets. And I also remember the case that we recently tried last year in federal court, regarding a Chinese manufacturer. And again, an employee left a manufacturing company, started a competitive distributorship here in Chicago, and employed a Chinese manufacturer to make products for the same market. And the local manufacturer claimed that he had taken the plans and designs of the products and had given them to the Chinese manufacturer. And you helped us disprove that, or also helped us to prove that they couldn’t prove that that happened. So that’s another example of a trade secrets case. So I find computer forensics almost an essential part of any trade secrets case.
Lee Neubecker: So you’ve had experience being on kind of all sides, the firm that lost employee, the firm that hired the employee, and you’ve been able to get good results for your client, whether they’re plaintiff or defense.
Joe Marconi: The issues are the same no matter what side you are, and there’s not really only plaintiffs trade secrets lawyers, and defense lawyers. You either defend them or you prosecute ’em. And I’ve done both over the years. It’s a fascinating area of the law. And it’s something that every company deals with when they lose an employee, when they lose a manufacturer. And you know, as a matter of course, when one of my clients lose a sensitive employee that has confidential information, one of the first things I do is call you to make a forensic hard drive of that person’s computer before anyone opens the file and in any way causes it to change at all. And you can explain why that’s important.
Lee Neubecker: Well, I appreciate you calling me when that happens. Thanks, Joe. Well if you want to know more about computer forensics, please check out our blog. My blog’s at leeneubecker.com. And you can also find Joe and Joe’s contact information there. Thank you, Joe.
Enigma Forensics CEO & President Lee Neubecker attends Legal Tech 2018 in New York. Lee sits down with Attorney David Rownd who is a partner at Thompson Coburn to discuss trade secret misappropriation and the role of Computer Forensics. They share their experiences in litigation concerning trade secrets and the misapporiation of information.
The transcript of the video follows
Lee Neubecker: So I’m at LegalTech New York and I’m here with David Rownd. He’s a partner at Thompson Coburn and David and I had a past working on cases involving trade secret theft and misappropriation and I just asked him to come here today and share a little bit about his experience using computer forensics and what role that’s played in cases and helping him to get good results for his clients.
David Rownd: Well computer forensics can be an amazing tool, particularly in a trade secret misappropriation case where a departing employee takes valuable company information. Often almost all of the information that is relevant to a company’s business is stored on the computer and the most common situation that you see is where the employee mistakenly believes that no one will catch him if he just emails stuff to a personal account and that is, at this point a well-worn trick, but it still happens. And most employees, what they are doing, is a see that they are going to pursue another option and they want to use information that belongs to the company so they do what they can to obtain that information. And they may realize that it’s traceable, but they may not. But what they probably don’t realize is the extent to which it really is traceable. And that every little move can be captured with a forensics expert such as me.
Lee Neubecker: Thank you. So are there any recommendations you’d have to clients that have an employee that leave that might have sensitive client data and trade secrets? What would you advise those clients to do?
David Rownd: You mean before they leave or after they leave?
Lee Neubecker: They find out their Head of Sales and Marketing leaves and goes to a competitor, how would you advise that client if they called you up and said, Dave, what should we do? We’re concerned that this person took stuff.
David Rownd: Well, first of all, any computerized data, if there was a desktop computer that that employee worked at, you should immediately evaluate the desktop computer to see if in fact any data has been moved or transferred in any way. And there are a variety of different ways that it can be done. And you know better than I do all of those different ways to identify the potential use of data. There’s also the issue about what information may be on your iPhone or a handheld device. I mean those are more and more becoming part of the way business gets conducted, especially in terms of sales, these salespeople are on the road, they’re communicating with customers by text, by email, and being able to trace the activity that went on on personal handheld devices is obviously an important thing to do as well. And to try to get a grip on, okay, what exactly did this person do prior to leaving?
Lee Neubecker: Now, have you ever had a company call you up where they hired this person who left and took stuff?
David Rownd: Oh that happens all the time. I mean the typical scenario is, in a lawsuit such as this, is that the departing employee and the new employer are both named as defendants, and the new employer can be potentially aiding and abetting the misappropriation of information, they can be tortuously interfering with agreements that the departing employee had with his prior employer. And you know one of the things we didn’t talk about is what sort of agreements are these employees operating under? Good prevention measures obviously to have an employment agreement with people who are going to have sensitive, proprietary information where they acknowledge that the information is confidential and that it’s proprietary and that it’s valuable.
Lee Neubecker: And just to add Dave, one of the most important things before, if an employee is leaving, you want to make a forensic image as soon as possible, done in an appropriate matter so that the data doesn’t get altered ’cause that can introduce chain of custody attacks
David Rownd: Correct
Lee Neubecker: and other allegations.
David Rownd: Correct. And the quicker that’s done and the more process oriented the way that it’s done, the better because you’re going to want to ultimately demonstrate to a court that this is reliable and that’s the key. And so if you can show that it was done almost contemporaneously and if you can a show a step by step process by which this mirror image was created so that a court can look at that data and say yes, this is in fact what was in existent at that time.
Lee Neubecker: Can you tell us what other type of case matters you work on to help your clients? Just a little bit more to our viewers about your practice?
David Rownd: Well my practice is, I am a business litigator is the generic term, but that can mean a lot of different things. I’ve done a lot of trade secret misappropriation in the past. These cases with a departing employee goes to a new employer, I’ve been on all sides of those cases in the past. A lot of my work is business to business litigation where it’s centered around some sort of business arrangement usually documented by a contract, but there can be other issues which are extraneous and in your typical straight up litigation matter today, the importance of electronically stored information is significant because that’s the way we do business now.
Forensic Imaging Tools Used By Computer Forensic Experts
Leading computer cyber forensics Expert Lee Neubeckers discusses FTK Imager (forensics imaging tool) and Write Block Technology with Alex Gessen renowned forensics expert.
The transcript of the video follows
Lee Neubecker: So, I hear you recently uncovered a problem with forensic write block technology can you tell me about that?
Alex Gessen: Oh, yes. Not only with write block technology, but even more importantly with… Forensic imaging tool, which is used by basically everybody in the industry, called FTK Imager. And what I discovered, I also used that tool for years, and didn’t realize the fault, but what I discovered. Basically, two weeks ago, and I did some tests and analysis and I asked Kevin to help me, that FTK Imager produces a wrong serial number when USB storage devices are imaged and that serial number basically is useless for the purpose of verification if specific device was plugged into a specific computer, which, with USB devices, is almost always. When you analyze these devices, 90% of times, it’s of critical importance, and–
Lee Neubecker: So, how is that information used when you are doing a trade secret misappropriation investigation to assist you?
Alex Gessen: I… Quite often, I have to image a computer. Usually work computer, where the person works, or worked, and then, first of all, I find out, analyzing the computer, that certain devices were plugged in, in this specific instance. There are other ways to steal intellectual property or trade secrets. You can upload them to the Cloud, you can email important attachments to yourself. But, quite often, because it’s the most time effective, is to copy data to external devices. So, first, you find out which devices were plugged into the computer, and then you have to get these devices and analyze them. And when you have these devices, you have to be sure that this is device which was plugged into the computer in question and for that you need serial number, and FTK Imager didn’t provide serial number. And people, whole industry, was using that for years and years.
An electronic medical record (EMR) audit trail is a log file required by HIPAA of all electronic medical record software systems. The EMR audit trail documents all points of access of a patient electronic medical record system including any actions to modify, view, print or amend the record by replacing or adding new data.
Electronic Medical Record (EMR) Audit Trails are key to effective electronic discovery during medical malpractice litigation. Renowned EMR Computer Forensics Expert, Lee Neubecker interviews Insurance Defense Attorney Bill McVisk who usually helps defend hospitals embroiled in medical malpractice litigation. McVisk discusses common areas of confusion during discovery of patient medical records. Neubecker relays some of his past experiences helping plaintiffs uncover important medical records that are often hidden from plaintiffs during discovery. Enigma Forensics has assisted counsel with conducting depositions relating to Electronic Health Records (EHR) and EMR. The two discuss how electronic medical record systems have often made the process of discovery more difficult and confusing to attorneys and litigants.
The transcript of the interview follows:
The transcript of the interview follows:
Lee Neubecker: Hi. I’m here today with Bill McVisk. He’s a patient medical records expert, a litigator. He works with hospitals that are dealing with EMR-related patient medical records and whatnot. I had him on my show today because I want to talk a little bit about electronic medical records. Bill, they said that electronic medical records were going to revolutionize everything and make everything so much better. What’s the reality of what’s happened since we’ve brought about medical records?
Bill McVisk: A lot of EMR has been great. I mean, there’s an ability of doctors to provide records to other people that they couldn’t have done before. There’s the ability, for instance, of a radiologist to look at a film that was taken, and he can be in San Diego, and the patient can be in New York, and it still works. The problems, though, there are some problems. I mean, the biggest problem I see is that anyone who’s ever gone to a doctor’s… the doctors are focused on their computers instead of focusing on the patient. What they’re doing is hitting all sorts of drop-down menus and stuff, and I think we’re losing something from the standpoint of presenting physicians and nurses in malpractice cases. It creates a situation where you don’t really get a sense of exactly what that nurse or doctor is thinking, and so the records just aren’t quite as helpful in medical malpractice cases as they used to be. On the upside, we can read them now, whereas in the past we had to worry about doctors’ handwriting.
Lee Neubecker: Yeah. I know from experience working as a EMR, a patient medical record expert, that discovery can often become challenging. When an attorney is preparing a witness for deposition related to patient medical records, what are some of the things that you look for and care about in that process?
Bill McVisk: Well, the first thing, quite frankly, is to make sure I have the entire record. I can’t tell you how often I’m getting records where I get part of the record, and for some reason, I don’t know if it’s stored on a different server or what, I’m not getting all of the record. I may get all the physician’s part of the record but not the nurse’s part of the record, and obviously, that’s essential. Other problems, like when I’m preparing a witness for a deposition, the big problem is that they’re not used to seeing these records printed out. I mean, in the past, they would look at the chart, it would be exactly the same as the chart they were looking at in the hospital. Now, they are looking at the chart on a computer screen when they’re in the hospital, but when you’re preparing them for a deposition, you’ve got a paper chart, and the paper chart prints out terribly. Every time there’s a slight change of any kind in the record from one minute to the next, the chart prints out the page again and again and again, so there’s all this stuff, and it’s just getting the nurses and the doctors to know where in the chart their entry is going to be makes it a little bit harder.
Lee Neubecker: Yeah. I have experience working with that, and I know that HIPAA requires that every instance of that medical record, pre-editing and post-editing, that that data be preserved and discoverable, but in reality, a lot of the software packages, they only have reports that run the last version, so to get into the true audit trail, you often have to get into the database backend to get access to that information.
Bill McVisk: Well, and I think audit trails are the other aspect of things that makes it a little bit harder in this situation. In the past, we basically, I could give the original medical record to the plaintiff’s attorney to inspect. If somebody had erased something or done something like that, it’d be pretty obvious. I would hopefully know about it before the plaintiff’s attorney would know about it. Then I’d deal with that. But, it may not be obvious now because people can go in, change records, and now, if an audit trail is suddenly showing me, “Oh, my god, somebody was in and did something “to the record,” and it’s two or three weeks after the treatment was over, or, say, two or three hours after a terrible incident occurred, that’s going to make it look concerning. So I think from our standpoint, it’s a matter of making sure healthcare providers are aware of how to do it in a way that isn’t going to look like you’re trying to fake or lie.
Lee Neubecker: And there’s a big difference between accessing a medical record, and editing it.
Bill McVisk: Right.
Lee Neubecker: That’s where sometimes attorneys on both sides become confused about the significance of what’s happening with the patient record.
Bill McVisk: Right. I mean, records get accessed all the time. Maybe it’s to prepare for a deposition. You have to access the record to look at it. Maybe it’s because there’s followup treatment and you need to access the record. That happens all the time, but sometimes, on these audit trails, it’s not always easy. Is this just an access, or is somebody going in and changing something?
Lee Neubecker: And there’s a whole other layer, too. I know from my experience working with many of the packages that the hospitals often use systems that have something known as sticky notes, where they can put comments about a patient. There’s a wide perception that those notes aren’t discoverable. Just because the software doesn’t have a report that will run it, doesn’t mean that if someone like me is coming in, and I get access to the backend database, those comments about the patient and whatnot become apparent. But unfortunately, it’s difficult to get at that data if you don’t know what you’re looking for.
Bill McVisk: And that creates a real problem if you’re defending the hospital, because if I don’t know about these sticky notes in the beginning, first of all, I’m not going to be thinking, “Oh, my goodness.” Then, if you come and discover them, it obviously is going to be, “Oh. I was trying to hide those notes,” or, “The hospital was trying to hide those notes,” which is always the worst thing you can do as a defendant in litigation. And they’re clearly, if there’s something about a patient in those notes, it’s almost never privileged, it is discoverable, and it should be provided immediately.
Lee Neubecker: Also, you know, there’s a tendency I see for the hospitals to try to cover things up. Do you think that there’s some value in bringing in, when you’re defending a hospital, your own forensic expert to dig around and find out what’s really happening?
Bill McVisk: See, I don’t think the hospitals are intentionally trying to cover stuff up. I really don’t think that’s, I’ve almost never seen that happen. There may be, you know, one or two, but in most of these cases, I think the hospitals are trying to find out what the truth is. That being said, the hospital may not be aware that some of these things, because the risk management for the hospital might not be fully aware of all of the situations that are involved in electronic medical records, and yes, at that point, it may be a good idea for me just to have somebody like you go through those records, let me know. Before I produce them to the plaintiff, I would like to know what’s out there.
Lee Neubecker: It would probably be a lot more useful for you to get just a listing of the changes on the record so you’re not looking at the whole document, but maybe here’s a first instance, and then change one, change two, change three, so you can see before text, after text.
Bill McVisk: Sure.
Lee Neubecker: That’s the type of thing that, unfortunately, there’s not canned reports that are in the software that do that. I think that could be by design of the software makers because they don’t want to make it worse for their clients, the hospitals, but it’s certainly possible that it’s just something that was never asked for.
Bill McVisk: That’s quite possible, and I don’t know any of these software makers, but to me, it would be really helpful to know what those are. Of course, that does make it more discoverable, easily discovered by the plaintiff’s attorneys, but on the other hand, I as a defense attorney need to know about it, and if there’s a change that’s improper, I need to know about it right away.
Lee Neubecker: Yeah. What kind of problems can occur when different providers have different EMR systems?
Bill McVisk: Well, that can create problems of a number of ways. Sometimes, the software of one hospital doesn’t communicate with the software of another. There have been situations, for instance, where a physician enters an order for something to happen, and then because of the software problems, it doesn’t get to the provider who’s supposed to do it, and they don’t know that they’re supposed to do it. That creates serious problems for patient care. And similarly, it’s like, if a hospital is discharging a patient to a nursing home, and they want the nursing home to have a certain specific type of care regimen afterward, that can create problems if they don’t communicate well.
Lee Neubecker: Well, thanks a bunch, Bill, for being on the show. I appreciate it.
