2009 Eighth International Conference on Mobile Business

Mobile Forensics in Healthcare
Connie Justice, Huanmei Wu
Computer & Information Technology Purdue School of Engineering and Technology Indiana University Purdue University Indianapolis 799 W. Michigan St., ET 301 Indianapolis, IN 46202 {cjustice, hw9}@iupui.edu
Abstract -- Mobile communication has been heavily applied in the current healthcare system for health information exchange. Patient information security has become a major concern, especially with the wide adoption of electronic medical records. Mobile Forensics has been utilized by law enforcement to systematically procure and preserve mobile evidence. However, the adoption of mobile forensics in the healthcare lags behind. The goal of our project is to examine the options and to provide recommendations for adoption and customization of mobile forensics in the healthcare field. An open-ended survey of local healthcare and related facilities around Indianapolis has been explored to examine the current status of Mobile Forensics in the healthcare field. The results have been evaluated using statistical analysis. A methodology is being proposed that would use mobile forensics procedures taking into account the regulatory measures that have to be instituted due to the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Keywords-mobile forensics, healthcare.

Evelyn Walton
Informatics Indiana University Purdue University Indianapolis 799 W. Michigan St., ET 301 Indianapolis, IN 46202 emjohnso@iupui.edu

forensics has been introduced by the law enforcement field to prescribe a thorough structure of policies and procedures to ensure that criminal evidence is properly detected, extracted, and preserved, thus ensuring that all evidence obtained is legally valid and can be used as evidence in a court of law. [2] Applying forensics procedures in the healthcare is more challenging due to the special concerns regarding patient medical information. The Health Insurance Portability and Accountability Act (HIPAA) of 1996[1] establishes rigid and specific standards for the electronic storage, retrieval, and transmission of healthcare patient information. HIPAA not only addresses hardwired computer devices and networks, but also mobile and wireless devices as well. Although HIPAA is aimed at protecting patient information, it is not necessarily aimed at many of the finer points of mobile forensics; namely, detecting, extracting, and preserving any criminal evidence that may be left behind. Our project is to develop a new approach, called Healthcare Forensics Procedures, to adapt mobile forensics in the healthcare arena paying attention to the added requirements and constraints from HIPAA. The project will improve the awareness and effectiveness of healthcare IT personnel securing patient electronic healthcare information through a more diligent and structured methodology. Our major contributions are list below: • Survey on the adoption of Mobile Health Forensics in the healthcare filed: Area IT and health care professionals will be surveyed regarding their knowledge and use of Mobile Forensic experiences, methods, and practices. The survey results have been explored to examine the current application of mobile forensics in healthcare. Investigation of the current mobile forensics for health information security: Hands-on experimentations on Mobile Forensic tools have been performed to validate the principles in compliance of HIPAA regulation. Recommendation for adoption of mobile forensics procedures in the health care field: Based upon the results of the survey, recommendations will be made to these areas regarding changes in current practices that would result in increased security of patient information. Modification of the existing forensics models made to satisfy the strict requirement of HIPAA regarding working with health information.

I.

INTRODUCTION

The wide use of mobile devices, computers, personal mobile assistants (PDA), laptop computers, cell phones, and smart phones, has become our main mode of communicating among business partners, friends, and family members. The healthcare industry has been a major adopter of mobile devices. Mobile connectivity has become one of the major means of communications via text messaging, instant messaging, paging, phone conversation, access to centralized data and emails through cell phone, personal mobile assistants (PDAs), and wireless laptops. The value of mobile technology in health care is staggering. In providing health care to individuals, wireless devices are routinely used to collect, store, retrieve, display, and transmit data. Patient data can be received and delivered instantaneously as the patient is attended to. However the highly portable mobile devices are also susceptible to threats and vulnerabilities. As mobile communication becomes widely used in the healthcare industry, it has become increasing difficult and challenging to secure patient information and preserve patient privacy. In addition to the concerns of threats and vulnerabilities, the consequences when Patient Health Information is compromised are major concerns. Comupter
978-0-7695-3691-0/09 $25.00 © 2009 IEEE DOI 10.1109/ICMB.2009.51 255

•

•

II.

BACKGROUND

A. Forensics. Forensics is the “application of the natural and physical sciences to the resolution of conflicts within a legal setting” [13], and encompasses a broad range of evidentiary expertise, including anthropology (the study of the origin an behavior of man), pathology (the study of diseases and their causes), medicine, chemistry, entomology (the study of insects), toxicology, odontology (the study of the structure, development, and abnormalities of the teeth), DNA analysis, and even arson investigation [13]. Computer forensics is the response to the need by law enforcement to investigate criminal activity involving computers [13]. As computers become more prolific, so does computer crime, also known as cyber crime. Computer Forensics is becoming a broader area of study itself. As the scope of mobile crimes expanded, computer forensics has expanded the scope and is renamed mobile forensics, which encompasses a broader range of information and technology. Mobile forensics has been refined by the law enforcement field to proscribe a thorough structure of policies and procedures to ensure that criminal evidence is properly detected, extracted, and preserved, thus ensuring that all evidence obtained is legally valid and can be used as evidence in a court of law. It has proven very effective in the fight against cybercrime and is widely used by law enforcement, criminal investigators, civil discovery, security incident response, and intelligence gathering. In this paper, we will introduce a new branch of mobile forensics, which takes into consideration HIPAA and its ramification. B. Computer Crimes on Medical Records Computer crime includes, but not limited to, cracking, fraud, virus dissemination, and extortion, which gain unauthorized access to a computer system for the purpose of stealing and/or corrupting data. Unfortunately, as computer networking and security techniques advance, so do the skills of the computer crackers and their tools. Curious youngsters, organized hackers hobbyists, professional crackers, or even disgruntled employees can perpetrate Cybercrime [14]. These crackers may be simply seeking a quick thrill, or they may be looking for corporate trade secrets, financial information, or a person’s medical information [14]. In 2007, an estimate of 250,000 patients had their medical information stolen and misused in recent years. The theft or alteration of medical records can not only affect a patient’s privacy, but medical records are often checked by potential employers and creditors. A stolen medical record can often lead to insurance fraud. On the black market stolen medical record is worth fifty to sixty dollars [10]. C. Mobile Forensics Methods For the IT professional and some organizational managers (rather than the law enforcement professionals), there are four distinct phases regarding forensic evidence in the mobile arena,, namely collection, examination, analysis, and reporting. It is also recommended that each organization develop a

strategy in advance for dealing with mobile crime within their organization, which should include established policies and procedures for both mobile forensics and for the organization’s mobile information in general. The roles and responsibilities of the IT administrative and investigative staff should be clearly defined in these policies and procedures. A forensics structure and capability needs to be established, which should encompass operational inconsistencies, the monitoring of system and event logs, data recovery and acquisition, and regulatory compliance in a timely fashion. The strategy on having the proper tools and education to fulfill those responsibilities for investigative teams should also be planned. D. Mobile Forensics and HIPAA The Health Insurance Portability and Accountability Act (HIPAA)[add reference] sets standards for medical information transactions and mandates the establishment of national standards for electronic health care transactions and national identifiers for providers. HIPAA also deals with security policies and procedures, and details technical measures that address authentication, encryption, data integrity, access control, audit controls, and transmission security. This applies to not only traditional hardwired computer networks, but also to personal information devices, wireless computers, and smart phones. Administrative, technical, and physical safeguards must be utilized to insure the integrity and confidentiality of a patient’s healthcare information, and to protect that integrity and confidentiality against any reasonably anticipated threats or hazards, unauthorized uses, or disclosure. As HIPAA charges healthcare industry with securing patient information, it presents an ever-increasing challenge. The National Institute of Standards and Technology (NIST) recommend that for an organization to be HIPAA compliant a dedicated security official should be specifically assigned responsibility for HIPAA security, and further that those responsibilities should be specifically assigned and documented[1]. However, the protection of patient information involves more than simply securing the information itself; the computer systems and networks that store and transmit the information need also be secure. III. METHODOLOGY

It is reasonable to expect that the current practices, and therefore the current standard procedures, of the healthcare profession follow the guidelines established by HIPAA, but no further. It is also reasonable to expect that the healthcare profession would not voluntarily follow mobile forensic methods, and may even be totally oblivious to their existence. Therefore, a survey has been created as a pilot study to learn the usage of Mobile Forensics in the healthcare field, as well as the current standard procedures. A. Pilot Study on Mobile Forensics in Healthcare A pilot survey has been designed to examine the current practices that relate to not only hardwired networks but also to handheld, wireless, and mobile devices used in local health care institutions. It targeted at healthcare professionals in the Indianapolis metropolitan area, specifically IT managers and

256

professionals, physicians, nurses and other physician assistants, residents and medical students, health related researchers, and other non-IT employee. The qualitative survey consists of questions that will evaluate the respondent’s organizational information and professional position, detailed information about computer crime in the corresponding organization, as well as any mobile forensics training that the organization and/or respondent might have. The survey was put online using the service of the website at www.contantcontact.com. The IT chiefs of major organizations in healthcare around the area were contacted to encourage their participation of the survey. Responsive information was acquired anonymously through the web. The survey was an open-ended survey. Qualitative analysis has been performed on the survey results. This analysis focused on the frequencies, magnitudes, structures, processes, causes, and consequences of computer crimes, and will look for patterns of correlation. B. Hands-on Experimentation Hands-on experimentation of mobile forensic tools has been performed to validate the principles proposed for mobile forensics in healthcare. The two tools examined were AccessData’s Forensic Toolkit (FTK) 2.0 and Paraben’s Device Seizure 2.0 software [9,10]. AccessData’s Forensic Toolkit allows an investigator to create a drive image, view the operating system’s registry, decrypt files, crack and recover passwords, and create reports. Data may be searched using several criteria such as creation date, file size, or data type. The application is GUI based, and intuitive to use. Paraben Forensics’ Device Seizure software is aimed at cell phones, PDA’s, and GPS devices. It can be used to examine email and text messages, including deleted ones, as well as to view the call history. The call history would include received calls, missed calls, dialed numbers, and the dates and durations of all calls. The investigator can also examine the device’s phone book, date book, scheduler, and to-do lists. It is also possible to examine file systems, and in Microsoft Windowsbased devices, the registry. The file system would include all system files, as well as multimedia files such as images, videos, and sounds, plus Sun’s Java files, and ClOWn of Team 42’s Quicknotes memos. Deleted data can also be retrieved and examined. For GPS devices, waypoints, tracks, and routes can be retrieved and examined. For PDA devices, all databases can be examined. Finally, all data contained in the device’s RAM and or ROM is readily accessible. IV. RESULTS

A. Results on Pilot Study Analysis A pilot survey has been designed to check the current status of mobile health forensics in the healthcare arena. There were 27 respondents from the local healthcare facilities around Indianapolis metropolitan area. Every respondent has answered all of the questions. A qualitative analysis on the results was performed. Roles in Mobile Forensics of Responders: Among the 27 responders, 15 were IT professionals, 7 were physicians or physician assistants, and 2 were non-IT managers. Among them, 4 of them (14.8%) can make the final decision in the Electronic Health Records Decision-making process, 15 (55.5%) have strong influence, and one has some influence. The rest 7 has little or no influence in the decision making process. Training in Mobile Evidence: Only 4 of the 27 responders need to routinely (i.e., over 50% of the time) consider the possibility of mobile evidence. Most organizations, 19 out of 27 (i.e., 70.3%) have some security awareness training plans. However, only 1 responder had extensive training in mobile evidence. Another 3 has some training. The rest 23 responders (85.1%) only have limited or no training at all. When asked whether they are interested in obtaining training in mobile evidence, 5 wanted to have training, 12 answered maybe” and 10 said “no”. Mobile Devices in the Healthcare Facilities: 23 of the 27 (85%) response claimed the usage of the laptops in the healthcare facilities. In addition, personal mobile assistant (PDA) and tablet PC are also widely used in the healthcare arena. The detailed information about mobile devices is listed in TABLE I.
TABLE I. MOBILE DEVICES IN HEALTHCARE APPLICATIONS Devices Laptop/notebook computer Personal Mobile Asssitant (PDA) Tablet PC Cell Phones Don’t know Other Responses
Response numbers Ratio

23 7 15 8 2 4

85.2% 25.9% 55.6% 29.6% 7.4% 14.8%

Mobile Connectivity Technology: 17 of the 27(63%) responders used WiFi (a wireless local area networks) in their wireless connection. 5 of them used mobile cellular service and 4 used wireless personal area networks, such as Bluebooth and Infrared. In addition, 8 were not sure about their wireless connectivity. Security Technologies: The survey showed that various security technologies are applied in the healthcare arena, both software and hardware. TABLE II. lists the detailed of the utilization of different security technologies in the responded healthcare facilities.

This section will summarize the results of our pilot study for the current status of mobile forensics in the healthcare organization and give recommendations to improve the mobile forensics based on the survey results. In addition, the newly improved mobile health forensics procedure is also briefly introduced which will be in compliance with the HIPAA regulation.

257

TABLE II. Devices

SECURITY TECHNOLOGIES Responses
Response numbers Ratio

improving this situation of mobile forensics in the healthcare arena. 1) Healthcare organizations need to be aware of the importance of mobile evidence preservation. 2) Each organization should have a dedicated individual person trained in computer and mobile forensics. 3) Each healthcare organization should either have a designated computer and mobile forensics specialist on-staff, or have a designated outside contractor to call upon in the event of a security incident. 4) If there is a designated on-staff specialist, that individual should acquire and become trained in the use of computer and mobile forensics tools such as AccessData’s Forensic Toolkit or Paraben Forensics’ suite and be adequately trained in the acquisition and handling of mobile evidence. 5) All pertinent IT staff should first be made aware of the existence of computer and mobile forensics. 6) Adequate training should follow so that there is a heightened awareness of the proper procedures for the seizure, preservation, and analysis of mobile evidence. 7) All pertinent IT staff should be trained in the proper procedures necessary to execute a mobile forensics examination so that it is in compliance with HIPAA. 8) Each healthcare organization should develop policies and procedures to react to security incidents in a manner that is compliant with HIPAA. C. Mobile Health Forensics Procedure A newly proposed procedure for Mobile Forensics is a further adaptation of the Air Force Model called Mobile Healthcare Forensics Procedures. Mobile Healthcare Forensics takes into consideration HIPAA and its ramifications by grouping the involved parties into four groups. These four groups consist of the Investigator, the Healthcare Organization’s Administration, the Healthcare Organization’s IT Staff, and the patient. In the event of a security breach, each of these groups has a vested interest in the security of the healthcare information, the resolution of any security breaches, and the avoidance of any recurrence. The first step of the proposed Mobile Healthcare Forensics Model is that of Identification, whereby the IT Staff determines what systems were affected, if the affected systems contained personally identifiable healthcare information, and whether or not to pursue a forensics investigation. In the Preparation step, the IT Staff prepares all needed tools, techniques, warrants, and authorizations, and also notifies the Administration of the incident. Also during this step the Administration decides whether a forensic investigation will be done internally or by an outside party. The Approach Strategy step involves formulating a plan of attack to maximize the collection of pristine evidence while at the same time minimizing the disruption to the rest of the facility. In this step the Investigator must determine how to

Access control lists (server based) Antispam software Antispyware software Anitvirus software Biometrics Encrypted files (for storage) Encrypted files (for transfer) Encrypted login Firewalls Intrusion prevention/detection system Limits on which users can install software Password complexity requirements Periodic required password changes Physical security SmartCards (card, PCMCIA, USB, etc) VPNs Website Content Filtering Don’t know

19 22 22 21 5 12 14 8 22 15 21 19 20 17 4 22 16 3

70.4% 81.5% 81.5% 77.8% 18.5% 44.4% 51.9% 29.6% 81.5% 55.6% 77.8% 70.4% 74.1% 63.0% 14.8% 81.5% 59.3% 11.1%

Security Incidents: 9 out of the 27 responders answered that there was no computer security incidents in their organization for the last 12 months. 4 others claimed there were 1 to 4 security incidents. The other 14 responders did not know the statistics of the computer incidences in their organization. Incident Response Plan: Regarding the responses to any security incident, 21 out of the 27 responders claimed that their organization have established policies and procedures in place that identify steps to be taken if there is a physical and/or information security breach. Two organizations don’t have the incident response plan and the other four do not know if there is such a plan in the organization. Mobile Forensics: Only one responder claimed that his organization had a dedicated computer crime or mobile forensics unit, i.e., there are one or more full-time employees working for the task. Ten organizations have a policy concerning who can seize, duplicate, examine or analyze mobile evidence. However, only four of the organization required specific training to seize mobile evidence. B. Summary of the Survey Results Many organizations are security-aware, and some even have action plans in the event of a security incident. Yet almost none have a dedicated Mobile Forensics Unit or even any personnel trained in the acquisition or analysis of mobile evidence. The following are eight recommendations aiming at

258

separate personally identifiable health information from all other information, as well as how to protect it. In the Preservation step, the state of the physical and mobile evidence are isolated, secured, and preserved. As with any Mobile Forensics methods, the Collection step entails recording the physical scene and duplicating (imaging) the mobile evidence. However, under the proposed Mobile Healthcare Forensics model, the Investigator must take additional measures to always keep personally identifiable health information separate from all other data, to the extent of using separate drives for imaging this data, as well as labeling and storing these drives separately to avoid confusion. In the Examination and Analysis steps, the Investigator must again keep personally identifiable health information separate from other seized information, and must insure that this information is labeled as containing personally identifiable health information. In the Presentation step, additional measures must be taken to protect personally identifiable health information. For this step, the Investigator should work in concert with the Administrator’s attorney specializing in HIPAA, who should also review any created reports in the event that they contain personally identifiable health information. The final step of the Mobile Healthcare Forensics model is the Return Evidence step, where all physical and mobile evidence is returned to the Healthcare Organization’s Administration. These steps strive to maintain the utmost security on the collected physical and mobile evidence to protect any personally identifiable health information from further compromise. V. CONCLUSIONS

illegally or information.

accidentally

penetrate

patient

healthcare

To determine the current practices in the healthcare profession, a survey was conducted to ascertain the prevalence of Mobile Forensics usage in the healthcare field, as well as the current standard procedures, and targeted healthcare professionals in the Indianapolis metropolitan area, including IT managers and professionals, physicians, nurses and other physician assistants, residents and medical students, health related researchers, and non-IT management. A pilot study was conducted in December 2007 of 27 area health care professionals regarding their security practices, and revealed that few had any Mobile Forensics training or utilized Mobile Forensics policies and procedures. VI. FUTURE WORK

A second study was conducted in May and June of 2008, with the intent that this be a full and statistically valid study. This study was modified so that respondents who were not IT personnel did not need to answer questions that were strictly IT in nature, and its scope was specifically hospitals, insurance companies, medical offices, and other healthcare professionals in Marion County, Indiana and the eight adjacent counties; Hamilton, Madison, Hancock, Shelby, Johnson, Morgan, Hendricks, and Boone. Although the second study was intended to be more thorough and revealing, there were in fact only eight respondents. To be statistically valid, the study required 300 respondents, with a target of 350 respondents as an added margin. As part of our future work we will modify and conduct another survey with the target of 350 respondents in mind. Experimentation involving uses of some Mobile Forensic hardware and software indicated that this adaptation is needed in the healthcare field. The overall objective is improving not only the reactive, but also the proactive, responses to cybercrime in the healthcare environment through new or modified policies and procedures. We feel that more experiments on the processes and procedures need to be conducted to validate the mobile healthcare forensics procedures and methodology. REFERENCES
[1] [2] [3] [4] [5] The Health Insurance Portability and Accountability Act of 1996 (HIPAA) http://www.hhs.gov/ocr/privacy/index.html Computer Forensics. http://www.us-cert.gov/reading_room/forensics.pdf Computerworld, “Mobile & Wireless. Wireless Leaders & Laggards: Health Care”, http://www.computerworld.com/mobiletopics/mobile/story/0,10801,101 711,00.html J. Myers, T. R. Frieden, K. M. Bherwani, and K. J. Henning, “Ethics in Public Health Research: Privacy and Public Health at Risk: Public Health Confidentiality in the Mobile Age”, Am J Public Health, May 1, 2008; 98(5): 793 - 801. United States Government Accountability Office, Domestic and Offshore Outsourcing of Personal Information in Medicare, Medicaid, and TRICARE”, GAO-06-676, September 6, 2006.

Forensic Science has been a part of the legal system since the days of the Roman Empire. Today it is an invaluable part of our legal system. From Forensic Science grew the need for Computer Forensic Science, followed by Mobile Forensic Science. All of these focus on the meticulous gathering of criminal evidence. Cybercrime has its roots in defrauding the telephone company of long-distance charges, but now encompasses everything from corporate espionage to insurance fraud to identity theft. In 2007, 8.4 million people were affected by identity theft. The importance of this project is that the protection of patient information should involve more than simply securing the information itself; the computer systems and networks that store and transmit the information should also be secure. It is the goal of this project that means be determined and established to improve the security of patient medical information through the adoption and use of Mobile Forensic policies and procedures. Much information exists on Mobile Forensics and the Health Insurance Portability and Accountability Act, but little exists on how to use these two in concert to catch those who

[6]

259

G. G. Richard III, V. Roussev, “Mobile Forensics Tools: The Next Generation”, invited chapter in Mobile Crime and Forensic Science in Cyberspace, IDEA Group Publishing, 2005. [8] Computerworld, “My health records? Let me check my cell”. Heather Havenstein February 01, 2007, http://www.computerworld.com/action/article.do?command=viewArticl eBasic&articleId=9010064&source=rss_news50 [9] Access Data Forensics Toolkit http://accessdata.com/forensictoolkit.html [10] Paraben Forensics Device Seizure http://www.parabenforensics.com/catalog/product_info.php?cPath=25&products_id=405 [11] NIST 800-66 Revision 1: An Instroductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. http://csrc.nist.gov/publications/nistpubs/80066-Rev1/SP-800-66-Revision1.pdf

[7]

[12] Bankrate.com, Medical Identity Theft Can Kill You, http://www.bankrate.com/brm/news/insurance/20070105_medical_ident ity_theft_a1.asp [13] Whitcomb, C. M., An Historical Perspective of Digital Evidence: A Forensic Scientist’s View. International Journal of Digital Evidence, Spring 2002 Volume 1, Issue 1, http://www.utica.edu/academic/institutes/ecii/publications/articles/9C4E 695B-0B78-1059-3432402909E27BB4.pdf [14] The Network Administrator.com, Most Popular Viruses and Hacking Tools, http://www.thenetworkadministrator.com/2003MostPopularHackingToo ls.htm

260