5 reasons to use forensics

By Michelle McNickle
12:06 PM

With the prevalence of data breaches rising, the industry is slowly yet surely realizing they're no laughing matter. And with price tags circulating around the billions, more organizations are starting to take the steps necessary to protect themselves against a costly breach of sensitive information.

Yet, breaches remain common, and as best practices continue to develop around how to handle them, one tool is proving to be invaluable: forensics. 

"Oftentimes, organizations want to understand what happened and how did it happen, and the chain of evidence and information has to be preserved," said Mahmood Sher-Jan, vice president of product management at ID Experts. "To bridge that gap, whether it was an outside attack or an internal issue, is to begin the process of analyzing information to see the overall scope of the damage. That causes it to get kicked-off with a forensic analysis."

Sher-Jan and Winston Krone, managing director at investigative and analysis services firm Kivu Consulting, highlight five reasons organizations should use forensics if a breach occurs.

1. Essentially, it's required. States simply aren't accepting organizations' stories of what happened when it comes to a breach, said Krone, unless they have forensics to back it up. "I think it's fair to say, it sort of raises an eyebrow about those organizations that aren't using forensic analysis or simply trusting whatever a third party has told them about what happened," he said. Instead, regulators are increasingly requiring hospitals to do their own "due diligence," said Krone, and look into the breach. "They can't trust a third-party vendor, which has all the reasons in the world to downplay the significance of events," he said. "If you don't do forensics, you're opening yourself up to be destroyed in court. It's a given, and it's expected."

2. It can save you money. Many times, said both Krone and Sher-Jan, an organization overestimates the impact of a breach. ID Experts "brought us into cases, and we said it's a false alarm, there wasn't a breach," said Krone. "So spending money on forensics, or setting your system up so you can conclusively say the data wasn't accessed, can save you an enormous amount of money in terms of notifications, PR, etc." Sher-Jan added that, even if a breach did occur, forensics help tell the full scope of the incident. "If there actually was [a breach], the process can lead to a better understanding of what was accessed and what data elements were compromised," he said. "Then, you can segment the number of records that were compromised and treat them differently; they may fit into an inclusion, according to the law. So all the way around, there are financial benefits to using forensics." 

3. It can help with the impact on an organization's reputation. Krone picked up on Sher-Jan's last point and said forensics aid in concluding how many records were actually affected if a breach occurred. "You can credibly say 'these are the records that were lost: this is the number and the type,'" he said. Knowing an accurate figure can help with notifications, he continued, while streamlining efforts and, once again, saving money. Additionally, Sher-Jan said, knowing an accurate number of those affected helps with the organization's reputational damage. "In the cases where they underestimate it, week by week and day by day, that number can grow, and it creates a reputational challenge for the organization because they lose credibility," he said. "You want it to be accurate up front and make that time and investment, because reputation is beyond the dollars you spend – once the reputation of the organization is damaged, the cost of that can be much more substantial."

4. Organizations have to assume they're a target for litigation. Whether it's class action, vendors or other partners or regulators, healthcare organizations need to assume they have a good chance of being sued if they lose patient information, said Krone. "And given that, you've got to preserve the evidence of the breach," he said. "That's a given; you've got to be able to forensically preserve the data, not just to do the analysis, but also long-term, because if you're going to get sued, you have to prove yourself in court." Not preserving evidence as part of your forensic analysis or response makes it so an organization can be liable for spoliation of evidence, Krone added. "That's a legal idea that you know you're going to be sued, and if you allow evidence to be destroyed, whatever you destroyed [can be seen as] the smoking gun, and you're therefore screwed." He stressed the importance of forensically preserving data to "give yourself the ability to defend inevitable lawsuits."

5. It's become part of an organization's public response. "Organizations in healthcare have to understand that forensics is a tricky thing," said Krone. "It's difficult to do right. It's not for the faint-hearted, and you have to think about your credibility." Whether you choose to employ outside help, stick to inside employees, or do a blend of both, Krone said forensics have essentially become part of your public response, while saying you take the breach seriously and aren't going to bury the facts. "A forensic response should be part of your positive spin, that this is what's expected, this is of serious importance, and this is an important thing to do," he said. "Forensics is becoming something organizations have to do, in addition to hiring a PR firm, setting up help lines, etc." The key, he said, is to understand how the breach happened, so an organization can say, with confidence, that it won't happen again. "If you don't understand how it happened, it undercuts your response that it won't happen again," Krone said. "It's an integral part of your response – not just your technical response, but your entire response."