Forensic Medical Data Studies

Forensic Computing as applied to the current practice of Medicine

by Zvi Herschman, MD
Office Contact 516-486-7384
E-Mail contactzvi@4forensics.com

This paper is a studied application of computer-related theory, the legal aspects of handling digital evidence, and investigative theory and tools to situations that arise when the fields of Law and Computer Science are brought to bear on the current practice of Medicine. It was written by Dr. Zvi Herschman, MD, who not only practices medicine but is also a Certified Computer Forensics Specialist.

Case Studies:

Case study 1: An oncologist writes an order for a certain type of chemotherapy to be administered over a specified period of time. Shortly after the treatment, the patient suffers multiple organ failure and goes on to die. In the course of events, it is discovered the dose administered was one order of magnitude larger than appropriate.

Case study 2: A surgeon is consulted to see a patient in the late night with abdominal pain. The surgeon orders a CT scan of the abdomen which is digitally transmitted and read as normal. With this, the surgeon decides to delay surgery and re-evaluate the patient in the morning. In the morning, the patient is in septic shock.

We will discuss these cases later. First, let us address the problems Medicine faces when issues of Law and Computer Science impose upon it.

Medicine, Computers and the Law:

The profession of Medicine in its purest form is a fine blending of Art and Science for the purpose of healing and comforting the ill. The current diluted state of Medicine is subject to many outside influences brought to bear on the profession. These include regulations of ever increasing number and complexity on the internal as well as the external parts of a Medical practice. The internal parts of the practice subject to regulation are the actual care rendered and the interactions between the doctor, patient, family, pharmacist, consultant and, where research is involved, institutional review boards. The external elements of Medical practice subject to regulation include interactions with third party payers and all the other fiduciary relationships any business or proprietor has with others while engaged in commerce: contracts, bills, promissory notes, checks, leases, etc. In all, the requirements for maintaining records in this environment have grown beyond manageable limits for most practices.

To help control some of these gargantuan tasks, Medical practices have incorporated computers. These devices are integrated into the practice to varying degrees; some for simple scheduling, others for financial and billing purposes and still others for keeping medical records and statistics. Two parallel settings where computers are incorporated into Medical practice are in the conduct of research, both clinical and basic, and the actual operation of technically advanced diagnostic and therapeutic devices. Given the appropriate circumstances, each one of these uses of computer technology can become part of an investigation into a criminal enterprise, regulatory error or civil action. Examples would include accusations of malpractice or negligence, identity theft, extortion or theft of trade secrets in research. When used appropriately, the information encoded in a computer can justify prosecution, inculpate or exculpate, detect product liability or simplify ongoing investigations. Unlike cancer cells which are trouble wherever they are, information is neutral; it is the context within which the information lies that allows a judgment about its benign or malignant behavior.

The first question to ask is: what are we looking for? Are we looking for an actionable offence? And if so, what actionable activity that goes on in a Medical practice could be studied on the storage elements of a computer? Where do we start in our quest? It would be instructive to first break down the potential classes of issues that could present themselves for Forensic evaluation within the arena of Medical practice, as this helps define why the issue is so important:

Civil:

  1. Issues of malpractice
  2. Issues of monetary disagreement
    1. between the practice and third party payers
    2. between medical associates or business associates
  3. Product liability

Criminal:

  1. Regulatory/statutory
    1. drug related vs. non drug related
    2. documentary insufficiency
  2. Financial impropriety
  3. Intentional harm
  4. Product liability

What is evident from the list is that these are all very important issues for personal accountability, public policy and governance and of immense economic concern. All of the enumerated elements could involve computers and their capacity to store data.

As far as the computer itself is concerned, certain elements are universal regardless of the setting, medical or otherwise. The legal issues center on defined classes in which the computer becomes central to the issue at hand. While the classes are not mutually exclusive, they include:

  1. The devices themselves as evidence
  2. Inappropriate access to the data on the computer
  3. Inappropriate importation of content onto the computer
  4. Hiding of data that could be problematic
  5. Destruction or alteration of data that could be problematic
  6. Practice espionage or insider diversion of information
  7. Malicious interference with the practice

It is these 7 classes I will focus upon. Please keep the case studies in mind as we move through the 7 classes, and see how each applies to them.

The Classes

1. The device itself as an item of evidence would come into play if there was an issue of theft from the practice, acquisition of stolen property by the practice or intentional damage to the property. It is also a central piece of evidence when it is part of, or directs, patient care instruments. This could take the form of employee diversion of practice property, a common burglary, purchase of stolen property, damage to the property or the clinical use of the device. In this sense, the usual issues of physically preserving the crime scene, obtaining and securing trace evidence and maintaining a chain of custody are paramount. This is no different from any other crime scene. It is also pertinent to all the other classes mentioned, as the devices themselves may be subject to the same evaluations for trace evidence or data interrogation. In general it is important to photograph, either on film or digitally depending on the peculiarities of the jurisdiction, the screen as found, the surrounding work area, and the connections to the computer or the device for later reconstruction if needed; labeling the ports and cables is imperative. In the case where seizure is required while the device is being worked on, the suspect should be diverted away inconspicuously before the computer or medical device is approached.

In most circumstances, after the screen is photographed, the computer should be powered off by unplugging it at the back of the device rather than by a normal shutdown. This is done knowing full well that all current work and some temporary files will be lost. However, it avoids the risk that a shutdown sequence, or a keystroke entered on the suspect's machine, triggers a destructive routine planted on the computer; if there is concern that destructive activity is already under way, pulling the plug halts that as well. The trade-off is that volatile data disappears with the power: running processes, network connections and, critically, the keys of any disk or file encryption that is currently unlocked. Where encryption is suspected, or where the machine is a server whose database could be corrupted by an abrupt power loss, a trained examiner should capture the volatile data before the plug is pulled, and the decision either way should be documented. As for clinical devices, they should be kept off and stored securely.

All ports should be sealed with tape, signed and dated. If transportation is needed, inserting an inert diskette into the floppy drive may help prevent damage to the drive in transit; this should be noted as well. All peripheral devices should also be impounded and treated as evidence, since they may hold significant evidence in their own memories.

Another very important element in securing digital evidence is to make sure the evidence and the work environment are free of magnetic fields strong enough to corrupt the data. Airport-style walk-through metal detectors are often cited as a hazard; in practice their fields are far too weak to affect a hard drive (older floppy media are more susceptible and should simply be kept away from any magnet). The realistic threats are degaussers and the potent superconducting magnets of MRI devices, which makes this a particular concern in hospital and radiology environments. Evidence should be routed well clear of the MRI suite, and the route documented like any other custody step.

As indicated below, two "wiped" clean target devices of the same or larger capacity as the device being examined should be prepared in advance. The laboratory machine should also be thoroughly tested beforehand to rule out viruses and to confirm that all components are functioning properly, and the time and date of these tests recorded.

2. Inappropriate access to the computer or medical device can mean several things: inappropriate access to patient information, to financial records or to equipment that is computer driven.

Inappropriate access to patient records is not only an outsider's problem. Those within the practice have a legitimate expectation of access in one form or another, but that expectation covers the patients they are treating or billing; an employee who browses the chart of a neighbor, a celebrity or an ex-spouse is accessing records inappropriately even though the system let him in, and this kind of insider snooping is a well-documented breach in its own right. The outsider who has gained access to the records is the more dramatic concern. This may come about from intentionally pursuing the medical records, such as would occur in a domestic dispute/divorce situation, extortion or an attempt at besmirching the reputation of the patient. The loci for access would be the local hard drives or any server that the practice uses. I will focus on the local hard drive. Here passwords are deceptively weak: the document-level passwords of many word processors and office formats amount to little more than a flag, and the process of recovering them is not difficult.

"Shoulder surfing," simply watching what other people type, and "social engineering," talking someone into revealing or lending their credentials, are both very easy in a Medical practice. Most physicians and employees are very lax with security in general and passwords in particular. They often swap passwords with one another, as the pace of the practice requires people to be diverted from their usual post to other parts of the practice; sharing system access information is the efficient thing to do in the moment.

A key thing to remember is that Medical practices are grounded in trust, whether this is smart or not being subject to debate. The basis of the trust derives from the original bond of trust between the physician and the patient. The patient confides all manner of personal information to the physician with the expectation of strict discretion. From this flows the notion that all other parts of the Medical practice are just as solemnly dedicated to the sanctity of privately disclosed information. This is misleading at best. The current regulatory environment dictates that all patient information that relates to third party payments must be relinquished upon request. There are also the employer's and the disability/life insurer's requests for health-related information. Cynically, the HIPAA laws actually make it easier for those in regulatory positions to gain legal access to the most personal of medical data. In sum, this environment has led to paranoia about releasing information about patients through normal channels, yet makes a breakdown of the security guarding that information more likely.

Passwords themselves can be broken in two broad ways: by "brute force" or by a dictionary-based approach. The brute force approach tries every combination of letters, numbers and symbols in turn; though time consuming, it will eventually get the job done, and the time it takes grows exponentially with the length of the password. Dictionary-based attacks can be much faster because they narrow the field to words, names and their common variations, which is what people actually choose. Commercially available programs do a good job of recovering passwords by either approach. Certainly the longer and more random the password, the more effort is needed to recover it. However, as any Medical practice is subject to the same market forces in recruiting staff, complex and lengthy passwords that demand a good memory are unlikely to survive in daily use. Moreover, the need to constantly refresh staff on a long, laborious password does nothing more than create opportunities to reveal it. So, password protection of patient information in a Medical Practice is largely a myth.

Access to the system via a wireless router is another likely entry point that is not password dependent, because many office wireless networks are left open or use the weak encryption that shipped as the default. A firewall between the practice network and the internet does nothing for this, since the wireless intruder is already inside it; what helps is strong wireless encryption, a separate network segment for wireless devices and a firewall between that segment and the practice's servers. Even so, none of these makes the system impregnable; each has weaknesses of its own.

Higher-tech peripheral devices that store data before tasks such as printing, faxing or scanning are an underestimated source of data leakage. Access to the printer, for instance, often requires no security clearance at all. Interrogating the printer's memory or internal drive for retained job data could produce a significant amount of information.

Inappropriate access to financial records is an issue the practice must consider as a business. Here, it is likely the insider that is causing the breach. It will likely be somebody who feels the need to know or to manipulate the traces of business activity. Password protection may be almost useless here, as those accessing or manipulating the data may be fully empowered to do so, for instance the office manager. If the data is password protected, breaking it with the approaches mentioned earlier is easy given enough time, the right technique and the right commercially available program. Access through the network into a segregated computer is just as likely, again subject to the same password protection issues and frailties.

Inappropriate access to computer-driven medical technology could be disastrous. This may range from inappropriate data input for the calculation of drug or radiation doses to altering the algorithms of devices that mechanically perform a process, such as robotic surgery, radiation therapy or diagnostic tests. Inadvertent errors can occur, and retracing the steps of the data input should not be hard, as the logon data would be present. The aggregation of logon code, access codes, etc. will herein be referred to as the access code. It is the nefarious, malicious insertion or alteration of data that somebody would want to hide. Here the traces would be the same; however, the investigative part would more likely involve date and time mapping to see whether the access code data comports with the individual assigned that access code, or whether this is possibly a case of stolen access codes. The same discussion applies here as above regarding password weakness.
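The date-and-time mapping described above, as an added example written for this page (not the paper's own tool or any product's log format): a small audit-log review that checks each access code against the shift of the person it is assigned to, against what that person's role is permitted to do, and for the same code being active on two workstations within minutes, which is the pattern a borrowed or stolen code leaves. The log lines, the roster of access codes and the permission table are all constructed assumptions; a real system's audit trail would be exported into the same shape. The same check serves the business-record and 0300-hours scenarios discussed under classes 5 and 6/7 below, and the order-entry review of Case 1.

```python
import csv
from datetime import datetime, time, timedelta
from io import StringIO

# Constructed roster: access code -> (holder, role, shift start, shift end). Assumption.
ROSTER = {
    "OM01": ("office manager", "finance", time(8, 0), time(18, 0)),
    "RN07": ("infusion nurse", "nurse", time(7, 0), time(19, 30)),
    "MD03": ("oncologist", "physician", time(7, 0), time(21, 0)),
}

# Constructed permission table: role -> record type -> allowed actions. Assumption.
PERMISSIONS = {
    "finance": {"LEDGER": {"VIEW", "EDIT", "DELETE"}},
    "nurse": {"CHART": {"VIEW"}, "ORDER": {"VIEW"}},
    "physician": {"CHART": {"VIEW", "EDIT"}, "ORDER": {"VIEW", "CREATE", "EDIT"}},
}

# Constructed audit trail (UTC timestamps), with the suspect entries mixed in.
LOG = """timestamp,code,action,record,host
2004-03-10T09:15:02Z,OM01,VIEW,LEDGER-2004Q1,FRONTDESK-1
2004-03-10T14:40:11Z,MD03,CREATE,ORDER-7731,EXAM-2
2004-03-10T14:42:30Z,RN07,VIEW,CHART-0042,INFUSION-1
2004-03-11T03:02:14Z,OM01,EDIT,LEDGER-2004Q1,FRONTDESK-2
2004-03-11T03:05:49Z,OM01,DELETE,LEDGER-2003Q4,FRONTDESK-2
2004-03-11T10:01:00Z,RN07,EDIT,ORDER-7731,INFUSION-1
2004-03-11T10:02:10Z,RN07,VIEW,CHART-0042,EXAM-3
"""


def parse(log_text):
    rows = list(csv.DictReader(StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def in_shift(ts, start, end):
    # Day shifts only; a shift crossing midnight would need a two-interval check.
    return start <= ts.time() <= end


def audit(log_text, roster=ROSTER, permissions=PERMISSIONS,
          hop_window=timedelta(minutes=5)):
    """Return (timestamp, code, reason) for every entry that does not comport
    with the person the code is assigned to."""
    findings = []
    last_seen = {}                     # code -> (timestamp, host) of previous entry
    for r in parse(log_text):
        code, ts, host, action = r["code"], r["ts"], r["host"], r["action"]
        if code not in roster:
            findings.append((ts, code, "access code not in roster"))
            continue
        holder, role, start, end = roster[code]
        if not in_shift(ts, start, end):
            findings.append((ts, code, f"{action} on {r['record']} outside {holder}'s shift"))
        record_type = r["record"].split("-")[0]
        if action not in permissions.get(role, {}).get(record_type, set()):
            findings.append((ts, code, f"{action} on {record_type} not permitted for role {role}"))
        prev = last_seen.get(code)
        if prev and prev[1] != host and ts - prev[0] <= hop_window:
            gap = int((ts - prev[0]).total_seconds())
            findings.append((ts, code, f"also active on {prev[1]} {gap}s earlier (shared or stolen code?)"))
        last_seen[code] = (ts, host)
    return findings


if __name__ == "__main__":
    for ts, code, reason in audit(LOG):
        print(ts.isoformat(), code, reason)
```

Run against the constructed log this flags the two ledger changes made at 0300 under the office manager's code, the nurse's edit of a physician order, and the nurse's code appearing on a second workstation seventy seconds after the first; each is a lead, not a conclusion, and the next step is the physical corroboration the text describes (who was in the building, which terminal, what the infusion pump's own memory recorded).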

An often overlooked aspect that is not criminal is the incompatibility of data streams that originate at one source and are interpreted or visualized at another. Here, the receiving computer may not be capable of processing or displaying the diagnostic data it receives with the same resolution as the device that collected it.

3. Inappropriate importation of information onto the computer usually results from internet downloads or email and can take the form of illegal items such as child pornography, illicit business transactions or harassing letters, or of legal but offensive items such as adult pornography or insensitive comical fare. Uploading this type of information from physical media, though possible, is much more involved and lacks the "no touch" feel that internet contact engenders; this makes it less likely to occur. Nonetheless, it is traceable to the time, the computer and the access codes that may be assigned to the individual. Whatever the source, the suspect would have to leave a trail. This could be an actual email address, an access code, a salutation or a link to the internet site. If there is a time element that ties the suspect to the computer, it is even more solid. Even if the information is deleted, there are places where it can reside and from where it can be retrieved in whole or in part. These include temporary files, swap files, slack space and unallocated space, or nearby diskettes and other media. All are a treasure trove of data that was thought to have been jettisoned into oblivion. There are good software tools to help obtain information from these sources.

A subset of this would be importation of destructive code such as a virus, Trojan horse or worm. These are just as destructive to a Medical practice as they are to any information- based concern. Here again the investigative approach would involve trying to isolate the time and date when the event occurred, researching email, attachments, links and addresses that would be associated with the importation of the destructive code. Following the leads back to the source then would be the purview of law enforcement.

Of course, a practice-wide policy against downloads would be wise and needs to be encouraged to avoid these problems. Unfortunately, many people cannot resist the temptation of downloading, and unsolicited pop-up ads with ambiguous markings can lead to unintentional downloads. Commercially available software to block pop-up ads, or the use of a less widely targeted browser, can limit this exposure.

Importation of information about a patient, research results or device algorithm that is not truthful or relevant will be discussed later under #7, malicious interference with the practice. Importation of data of a business nature would really serve no other purpose other than to replace data already present. This would take the form of alterations of ledger entries in an effort to cover embezzlement or the ongoing nature of a side business being conducted by a staff member on office time. As the data is not being deleted and no effort is being made to eliminate the file, locating the file, mapping the access code, registry, time and date of file access would offer investigative leads. This, coupled with discovery of prior drafts of the ledger in any unallocated space, swap files or slack space would expose the nature of the change and likely point to the responsible parties.

4. Hiding of data is something that would be unusual in the normal course of Medical practice. The situation would more likely occur in an academic, research or pharmaceutical setting where intellectual property is guarded. Here is an example of where the insider threat is greatest. Trade secrets, accumulated data or patentable ideas could be encoded steganographically in an effort to remove them at a later date and sell them to a competitor or expose them in the media. Just as likely is the scenario where intellectual property and work product of the physician are contractually the property of the company, but the physician/researcher does not want to leave evidence that his discovery was made on company time. With that, he can complete his work, leave with his data and present it as work product done off company time and therefore his own.

The thoughtful perpetrator would likely use portable media that could be taken off site and copied onto a personal computer at home to show work done off company time. However, if any of the work was done on the office device, there would be associative information in the ambient environment. This could be found in the unallocated space, swap files and slack space of the computer. Once the data, along with the time and date associated with it, is located, the connection can be made and the offender would have to explain the situation. The same applies to connecting any diskettes or hard drives at home with the information contained on any suspect hard drives at work. Certainly one should not overlook the obvious: written notes, manuals, date books, scrap paper and other non-electronic sources, as well as electronic data collection devices such as PDAs, diskettes and CDs.

Though not very smart, the hidden data could be kept on the office computer until the time comes for collection. This could take the form of mislabeled files (a spreadsheet renamed to look like a system file), encrypted files, data written to sectors outside any partition or in the reserved sectors following the master boot record, or deleted files whose entries still sit in the master file table (MFT). Clusters marked "BAD" in the file allocation table (FAT) that nevertheless read without error, and MFT records flagged as unused, should be interrogated. Again, sampling the unallocated space, swap files and slack space with commercially available tools could prove very rewarding.
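The places named above, slack space, unallocated clusters and clusters marked BAD, as an added example (not code from the paper, and not a substitute for a real carving tool): a toy disk image with a simplified allocation map is built in memory, and the carver scans only the regions that live files do not cover, pulling out printable strings from each and labeling where they came from. The image contents, the 512-byte cluster size and the allocation map are constructed assumptions; a real FAT or NTFS volume would supply the same information through its allocation table and directory entries.

```python
import re

CLUSTER = 512   # assumed cluster size for the toy image


def build_image():
    """Construct an 8-cluster image: a live ledger with stale slack, a deleted
    chart note in a free cluster, and a 'hidden' file in a cluster marked BAD."""
    image = bytearray(8 * CLUSTER)          # all zero, as a wiped drive would read
    # ledger.txt is 700 bytes: all of cluster 0 plus 188 bytes of cluster 1
    current = (b"LEDGER 2004Q1 ACME Supply invoice 18250.00 paid in full\n" * 20)[:700]
    image[0:700] = current
    # the tail of cluster 1 (slack) still holds part of an earlier draft of the file
    old = b"PRIOR DRAFT ACME Supply invoice 21750.00 paid in full\n"
    image[CLUSTER + 400:CLUSTER + 400 + len(old)] = old
    # cluster 2 is marked free, but the deleted chart note is still there
    note = b"DELETED chart note: left breast mass noted 2003-06-14, f/u advised\n"
    image[2 * CLUSTER:2 * CLUSTER + len(note)] = note
    # cluster 3 is marked BAD in the allocation table although it reads fine
    secret = b"TRADE SECRET: compound ZH-17 synthesis yield 83%\n"
    image[3 * CLUSTER:3 * CLUSTER + len(secret)] = secret
    alloc = {0: "ledger.txt", 1: "ledger.txt", 2: "FREE", 3: "BAD",
             4: "FREE", 5: "FREE", 6: "FREE", 7: "FREE"}
    sizes = {"ledger.txt": 700}
    return bytes(image), alloc, sizes


def carve(image, alloc, sizes, cluster=CLUSTER, min_len=8):
    """Return (region, cluster index, string) for every printable run found in
    unallocated clusters, clusters marked BAD, and the slack of live files."""
    printable = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    chains = {}                             # file -> its clusters, in table order
    for idx in sorted(alloc):
        owner = alloc[idx]
        if owner not in ("FREE", "BAD"):
            chains.setdefault(owner, []).append(idx)
    findings = []
    for idx in sorted(alloc):
        owner, start = alloc[idx], idx * cluster
        if owner == "FREE":
            region, lo = "unallocated", start
        elif owner == "BAD":
            region, lo = "marked BAD", start
        elif idx == chains[owner][-1]:
            # last cluster of a live file: only the bytes past the file's end are slack
            used = sizes[owner] - (len(chains[owner]) - 1) * cluster
            region, lo = f"slack of {owner}", start + used
        else:
            continue                        # fully used by live data; read it as a file
        for m in printable.finditer(image, lo, start + cluster):
            findings.append((region, idx, m.group().strip()))
    return findings


if __name__ == "__main__":
    img, alloc, sizes = build_image()
    for region, idx, text in carve(img, alloc, sizes):
        print(f"cluster {idx} ({region}): {text.decode()}")
```

The output shows the earlier ledger figure surviving in the slack of the current file, the deleted chart note in an unallocated cluster and the hidden research data in the cluster the table claims is bad, each labeled with its origin so it can be cited in the notes; the live ledger text is deliberately not reported, because a live file is read through the file system, not carved.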

5. Destruction of data could be the result of malicious intent (discussed below) or, more likely, of attempts to eliminate incriminating data of a civil or criminal nature. In the case of medical records, the destruction or alteration of data would likely relate to potential malpractice. In a practice where the records are computerized, the temptation on the part of the physician may be simply to retrieve the file and alter it to serve his purpose, or simply to check whether what he is accused of is true. For example, the physician is accused of failure to diagnose a breast mass that turned out to be malignant. He may go back to the computerized record the practice keeps, either to check whether it is true or with the intention of altering the record. In truth, these suits are often brought months to years after the event, and there is a legitimate need to review records in preparation for trial. In this circumstance, simply detecting access to the file after the suit has been initiated should not indicate any wrongdoing; what is needed is evidence of alteration of the record. Here, hard copies submitted to third party payers at the time can be compared with the current file. This requires cooperation from the third party payer, not always a timely endeavor. Alternatively, locating the earlier version of the file, or remnants of it, in the unallocated space and slack space is a good approach.

In the case of destruction of business records, this may have to do with fiduciary impropriety on the part of a member of the practice, or with willful destruction of records by a disgruntled employee or associate. Those with access are, of course, the most likely. Seeking access codes and mapping them to contemporaneous computer use would be very helpful. This would help to eliminate the possibility that the true perpetrator used surreptitiously obtained access codes with the effect of throwing suspicion on another. Here, too, the originals may often be recovered from unallocated space, swap files and slack space.

Another area of practice where file destruction could occur is the elimination of research data that would play an important role in product liability. Here the goal would be to eliminate traces of an adverse outcome for a certain treatment or technology. The difficulty here is to locate where the data was stored. Researchers access various computers both at work and at home; these devices should be investigated and interrogated, as should all hard copies of notes. Locating deleted information here should follow the same procedure as discussed earlier. There should also be a careful search for hidden files that were not deleted but renamed, disguised as BAD clusters in the FAT, or tucked into the reserved sectors around the boot record or master boot record; orphan clusters are often a very good initial place to look.

6 & 7. Practice espionage and malicious interference with the practice are sister issues, intertwined in that practice espionage is an extension of malicious interference. Looting of patient demographic data or research data for the purpose of engaging in competition (against contractual agreement) or for sale to a competitor is a form of economic malicious interference. Another potential issue is the willful destruction of patient or financial data in an effort to cause harm or embarrassment to the practice, its management or its physicians. Most likely the insider has the ability to do this; this would include disgruntled associates, managers or others who have input to and access to the records.

The immediate approach to this situation would be to simultaneously retrieve the lost data and engage in an investigation to discover the source of the data destruction. Firstly, the laboratory machine being used for the investigation of the media must be checked for optimum performance and for the absence of viruses or other potentially corrupting influences. This must be a test beyond the superficial POST (power-on self test) of the computer. There are commercially available products that can do this quickly and are recognized by the government and others in the Computer Science community as reliable. The investigator's work product must be time stamped, as this allows the work media to serve as the ongoing laboratory notes. Additionally, the time stamps on the suspect media must be reconciled to the clock the computer uses; many systems store times in Coordinated Universal Time (UTC, which Greenwich Mean Time closely approximates) and convert them to local time for display, so the machine's time zone setting and any clock drift relative to a trusted reference should be recorded at seizure. The media used for the copies must be of the same size (byte capacity) or greater. They must also be "wiped clean"; simply coming out of the box new is not good enough. It is common for new hard drives to carry ambient data, whether from recycling of returned merchandise or from company-specific code, and this could call the integrity of the drive into question when it is offered in evidence. The copy must be a bit-stream image of the suspect media, e.g. the hard drive, capturing every sector including unallocated and slack space, not a file-by-file backup; this image is then copied to a second drive so that a "clone" of the original is produced. A cryptographic hash (MD5 and SHA-1 have been the customary choices, SHA-256 is preferable today) is computed over the original and over each copy, and the matching values are recorded in the notes; this is what later demonstrates that the examined copy is identical to the seized original. There are reliable, commercially available programs that do this. In such a way investigative and restorative work can be done without compromising the integrity of the original digital evidence. Once the bit-stream image is made, work can be undertaken on the clone while the original and the first copy are secured in such a fashion as to maintain proper chain of custody.
The investigation here would again center on locating the time and date where the change or damage occurred and then mapping it to potential suspects who could have had access. For example, if the changes occurred at 0300 hours and there is corroborating evidence that a suspect was in or around the practice at the time, this would be a substantial lead.
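The acquisition steps laid out above (wiped target, bit-stream copy, hash verification, time-stamped notes), as an added example for this page rather than the paper's or any vendor's procedure: the suspect media and the target are stand-in files created in a temporary directory, and the custody log is a JSON-lines file. The SHA-256 choice, the file names and the block size are assumptions; against a real drive the same logic would read the raw block device through a write blocker and the target would be the wiped drive itself rather than a file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

BLOCK = 4096   # assumed read/write block size


def sha256_of(path, block=BLOCK):
    """Hash a file (or raw device) block by block so large media fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def is_wiped(path, block=BLOCK):
    """True only if every byte of the target media reads as zero."""
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            if chunk.count(0) != len(chunk):
                return False
    return True


def acquire_image(src, dst, log, block=BLOCK):
    """Bit-stream copy src -> dst, hash both, and append a UTC-stamped custody entry.
    The source is hashed before and after the copy to show it was not altered."""
    if not is_wiped(dst):
        raise RuntimeError(f"{dst}: target media not wiped, refusing to image onto it")
    source_before = sha256_of(src)
    with open(src, "rb") as fin, open(dst, "r+b") as fout:
        for chunk in iter(lambda: fin.read(block), b""):
            fout.write(chunk)
        fout.truncate()      # file stand-in only; on a larger real drive the extra sectors stay zero
        fout.flush()
        os.fsync(fout.fileno())
    record = {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": src,
        "image": dst,
        "source_sha256_before": source_before,
        "image_sha256": sha256_of(dst),
        "source_sha256_after": sha256_of(src),
    }
    record["verified"] = (record["source_sha256_before"]
                          == record["image_sha256"]
                          == record["source_sha256_after"])
    with open(log, "a") as f:
        f.write(json.dumps(record) + "\n")
    return record


def demo():
    """Construct a stand-in suspect drive and a wiped target, then image it."""
    work = tempfile.mkdtemp(prefix="acq-")
    suspect = os.path.join(work, "suspect.img")
    target = os.path.join(work, "image.img")
    log = os.path.join(work, "custody.jsonl")
    with open(suspect, "wb") as f:                      # constructed content
        f.write(b"PATIENT 0042 ORDER cisplatin 5000 mg\x00" * 300)
    with open(target, "wb") as f:                       # freshly wiped, larger than source
        f.write(b"\x00" * (BLOCK * 4))
    return acquire_image(suspect, target, log)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The custody entry carries three hashes rather than one: the image hash must match the source hash taken before the copy, and the source must hash the same afterwards, which is the record an opposing expert will ask for. The refusal to write onto an unwiped target is what the text's insistence on "wiped clean" media amounts to in practice.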

As relates to patient care, interference could take the form of inserting embarrassing information about the patient or the physician's practice or character into the chart for the purpose of discovery by others. This, of course, involves two steps; the first is insertion of the data and second making it available for exposure. An example would be the patient with political aspirations who has information inserted into his record about some social disease which then becomes available to the press for publication. Another would be where information is inserted suggesting inappropriate sexual contact with a patient, overt negligence or malpractice. Again, this would be inserted with the knowledge an outsider will review the text and likely act upon it.

As relates to the business end of the practice, this was alluded to earlier. Here the interference would be undertaken by inside or outside elements in an effort to ruin the economic viability of the practice or to leave the practice open to violations of Law or Regulation in that supportive documentation would be absent. This could be catastrophic for a practice, as infractions here fall under Administrative Law as well as Criminal Law. This means the onus of proof falls on the practice and the practitioner to prove they billed for what they did; only under the Criminal Statute is the Government required to prove its case, under Administrative Law the accused must prove they did not transgress. This can be thought of as Parking Ticket Law raised to the 10th exponent. So any imposed fines for fraud, abuse, etc. must be paid first, then the practice or practitioner must find the resources to prove he was not in violation and hope that when he does the Government will return his money in a timely fashion. He can forget about interest. This situation requires an aggressive and careful search for the lost data; upon retrieval of the data, it must be patently shown that the entries were made contemporaneously with the services rendered so that any doubt of fraud or abuse is dispelled. Of course, if the opposite is found and entries were made to cover for fraudulent activity, this would strengthen any case the Government presents.

The confluence of Science and Law brings us the discipline of Forensic Science. The confluence of Medicine and Law brings us the discipline of Forensic Medicine. The subset of Forensic Science that applies Computer Science to Law is aptly labeled Forensic Computing. What should be the moniker of the discipline that studies the application of Law to the regulation of Medicine? I would suggest Forensic Medical Data Studies.

Case Studies:

Case 1

In Case 1 an order for chemotherapy is written and the medicine is prepared in a pharmacy. It is then delivered to the clinical infusion site, where the nurse or infusion technician attaches it to the delivery device. The patient has an intravenous access site which is attached to the infusion device. The device is activated, and the infusion begins and proceeds without difficulty. Shortly thereafter it is discovered that the amount administered was an order of magnitude above what should have been given. The patient develops multiple organ failure and dies. In this case, the incident occurs and is (hopefully) recognized as a quality issue, and the environment is secured, including all computerized data. Here, devices become an integral part of the investigation. This case example is particularly important now, as the proposed Medicare regulations on chemotherapy reimbursement would make it economically non-viable for oncologists to perform in-office infusions under their direct supervision. Patients will be given a prescription or a doctor's order form and directed to the hospital infusion clinic. These clinics are extensions of the hospital and therefore just as bureaucratic and inefficient as the hospital itself. Like any centralized process for personal service, this will likely result in depersonalized service, despite the cheerful ambiance.

As enumerated above, there could conceivably be a problem at every step in the process from the order written to delivery; keep in mind that most medication errors are of human origin. The various nexus points of clinical need and computer data where trouble could be found include:

  • a. Order intake. If the order is written longhand, this can be checked immediately. If the orders are entered by computer, then the data entered must be evaluated. Access codes and time stamping will allow determination of whether the oncologist entered an inappropriate order or not. Certainly if changes were made post hoc, the time element could be checked as well.

  • b. Pharmacy compounding. Here the medication is diluted and packaged under sterile conditions for the purpose of infusion. The removal of stock, the volumes used, the mixtures compounded, etc. are documented, often on computer. Despite documentation, errors can be made that are not documented; this would require investigating the remainder of the stock and doing simple volumetric measurements. If there is documentation of an error, retrieval is imperative, and alterations of the record should be sought at the same time. Delay piles more data onto the pharmacy server, making specific entries harder to locate later, especially if there were erasures. It can be done, but it is more work and expense.

  • c. Delivery of the compounded drug. The logistics of pick up and delivery are routine and may even have a signature requirement. This only assures delivery, not necessarily of the correct drug to the correct patient. As multiple delivery runs become routine, any system will become mundane and clerical errors are only a matter of time. Although names and numbers could be checked, similar names, numbers or distractions could undo the system check.

  • d. The drug is connected to the delivery system. Here the system could be faulty. The infusion device could be faulty or could be the subject of tampering, as could any check valve in the system meant to prevent free flow. In this scenario, we hope, the hospital has a policy in place to segregate any device thought to be involved in a mishap. This is important for chain of custody, to assure that the scene and its contents remain untouched prior to investigation. This would include trace evidence such as fingerprints, mechanical breakage and interrogation of the computer in the device. The devices currently used in most institutions have memory capable of recounting several hundred to a thousand or so key strokes or events, such as opening the door of the infusion system; reading it out is a simple operation and reveals all of the input to the device held in that window. Though this sounds good, the practical matter is that it is difficult to segregate these devices and keep them from being used once they have been set aside for investigation. Despite policies to the contrary, many a nurse, medical student or other clinically active person will grab any infusion device they see for use by their patient if one is not otherwise around. Simply putting on a sign "don't use, evidence," or even a ruse such as "broken," does not deter these hardy souls in search of a useful device for their patient. Generally hospitals do not have special rooms for "evidence." The question in this case is who is responsible for the error. As indicated, there are several points where forensically obtained computer data will reveal the source of the problem.

Case 2

In Case 2 the surgeon obtains a CT scan. The reported result does not comport with his examination, and he fears that proceeding on this data would mark his procedure as unjustified. Toward that end, he downloads the study to a computer in his office, home or the doctors' lounge and views it. In his estimation there are no masses or abscesses. In the morning, he discovers the patient is in septic shock and the examination is compelling; he operates and finds a diverticular abscess. Postoperatively, the patient develops multiorgan failure and dies. The surgeon then reviews the CT scan again in the radiology department and notices an abnormality in the left lower quadrant that he is sure was not there when he first viewed the study. Forensically, it is important to identify what system performed the study and what system would be required to support adequate transmission and display of the data for correct reading and interpretation. In fact, the system used by the surgeon may not have had the resolution, in pixels or in gray levels, to reproduce the detail captured by the system that performed the study. What the surgeon saw initially was correct: on his system there was no abnormality, but on the system designed to display the study the abnormality was readily evident. The same problem currently exists with distance radiologic interpretation. In this case a study is done in the US, digitally exported to, say, India, read and interpreted there, and the report returned to the US. Forensically following the digital data trail and recreating it could show the overseas reading to have been ineffectual because substandard digital images were transmitted and received. There are many other Medical malpractice cases that certainly would benefit from forensic computer analysis.
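The display-resolution point in Case 2, as an added example written for this page (not from the paper, and not a real DICOM pipeline): a tiny constructed CT-like frame in Hounsfield units contains a lesion only 20 HU above its surroundings, roughly the contrast of an abscess against bowel wall. A viewer that naively squeezes the whole stored 12-bit range into 8 bits leaves the lesion one gray level from the background, while a viewer applying a soft-tissue window spreads it a dozen levels apart. The frame, the lesion contrast and the window values (center 40, width 400) are assumptions for illustration; the arithmetic is the same one a forensic reconstruction would apply to the actual exported pixel data.

```python
ROWS, COLS = 16, 16
LESION_ROWS, LESION_COLS = range(6, 10), range(6, 10)


def make_frame(background_hu=40, lesion_hu=60):
    """Constructed 12-bit CT-like frame in Hounsfield units with a 20-HU lesion."""
    frame = [[background_hu] * COLS for _ in range(ROWS)]
    for r in LESION_ROWS:
        for c in LESION_COLS:
            frame[r][c] = lesion_hu
    return frame


def to_8bit_full_range(frame):
    """Naive viewer: map the entire stored range (-1024..3071 HU) onto 0..255."""
    return [[(hu + 1024) * 255 // 4095 for hu in row] for row in frame]


def to_8bit_windowed(frame, center=40, width=400):
    """Diagnostic viewer: map only the chosen window onto 0..255, clipping outside it."""
    lo = center - width / 2
    return [[max(0, min(255, round((hu - lo) / width * 255))) for hu in row]
            for row in frame]


def lesion_contrast(img8):
    """Gray levels separating the lesion from the surrounding tissue in an 8-bit image."""
    lesion = [img8[r][c] for r in LESION_ROWS for c in LESION_COLS]
    background = [img8[r][c] for r in range(ROWS) for c in range(COLS)
                  if r not in LESION_ROWS or c not in LESION_COLS]
    return max(lesion) - max(background)


def compare():
    frame = make_frame()
    return {
        "full_range": lesion_contrast(to_8bit_full_range(frame)),   # 1 level
        "windowed": lesion_contrast(to_8bit_windowed(frame)),       # 12 levels
    }


if __name__ == "__main__":
    print(compare())
```

One gray level on a consumer monitor is invisible, twelve is obvious; the same bytes, two different renderings. In an investigation this is the question to settle first, by pulling the transfer syntax and window settings from the exported study and from the viewer actually used, before anyone argues about what the surgeon should have seen.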