Digital Forensics Investigations on Metadata in Healthcare Organizations and HIPAA Standards
XXX-X-XXXX-XXXX-X/XX/$XX.00 ©20XX IEEE
Abstract
—Every health organization is required to comply with the privacy and security standards of the Health Insurance Portability and Accountability Act(HIPAA). HIPAA regulates the privacy and security of health information against unauthorized access or disclosure. Under the HIPAA Security Standards it requires organizations to maintain audit trails and logs which contain important information such as access activities or other essential metadata. Metadata allows us to analyze the misuse or unauthorized access of health information and allows us to further investigate any malpractice or any other criminal activity. It is important for health organizations to maintain audit logs and to follow the regulations of HIPAA.
This paper first provides a pragmatic analysis of the use of healthcare metadata and understanding the HIPAA security standards and the importance of audit trail to better log activities. It then includes artifacts that could be potentially useful in digital forensic investigations of healthcare metadata.
Keywords—digital forensics, HIPAA, metadata, electronic medical records, electronic health records, criminal activity, malpractice, IT governance, healthcare,
Introduction
Complying with HIPAA is a vital part to any healthcare organization. HIPAA regulates the privacy and security of health information against unauthorized access or disclosure. HIPAA was developed as a way to govern healthcare organizations. Under the HIPAA standards, two different sets of rules exist. The first is the prviacy rule which is used to protect patients protected health information(PHI) in and ensures the confidentialy of that record in any format such as paper, electronic or oral. The security rule focuses on securing patient data that is stored or transferred electronically. The securtiy rule consits of four tehcnical safeguards which are important to consider for any healthcare organization in order to comply with HIPAA standards. These four technical safeguards include the use of acess control, audit control, Integrity control, and Transmission control. The first safeguard explains that only authorized users can read, write, modify and access electronic protected health information (ePHI). The second safeguard is used to record and examine acitivties related to ePHIs such as when a file was accessed, etc. Integrity control is critical to an organization as it requires organizations to implement policies to ensure that ePHIs are not altered or damaged. The final safeguard is a way to verify the identity of an individual who is trying to access an ePHI that was transmitted over an electronic network [1].
The U.S. Department of Health and Human Services defines the HIPAA security rule as the following,
The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires Covered Entities and Business Associates to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI). The majority of information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity which also includes users and applications activity [1].
This rule explains that an entity must implement the necessary hardware, software and procedural mechanisms to record and examine activities pertaining to ePHIs. It requires organizations to maintain audit reports to therefore further examine activities for litigation purposes.
The National Initiative for Cybersecurity Careers and Studies defines digital forensics as a way to collect, process, preverse, analyze and present computer related evidence in order to support any criminal fraud, counterintelligence, law enforcement investigations or network velunerability mitigation [2]. Digital forensics can play an important role in healthcare organizations. It can help analyze and evaluate metadata, which is data about data. Metadata can be used for investigations related to health related crimes or for litigation purposes. Dimick [3] explains that metadata can reveal the integrity and reliability of a medical record. Even if an item is missing or miss-stamped it can lead you to cause a concern for your healthcare organization. He suggests that metadata can serve as an expert witness as it can show who documented, at what time and it any changes were made to its native format. Therefore, it is important to understand the role of digital forenics in healthcare as well as understand that metadata can be used for forensic investigations.
For an organization to better comply with HIPAA it is important to ensure that the employers and employees are aware of the standards and rules implemented by HIPAA. In order to take the appropriate measures to comply, Demick [3] mentions that discovering and getting access to the appropriate electronic records is complex, it is important to have people in an organization who know how to store, manage, and access that information. He further mentions, that the discovery process often involved the IT professionals and therefore it is important to educate them regarding the different standards.
This paper is structured as follows. The following section includes literary review and discussion of cases where metadata was used part of a forensic investigation in a healthcare setting. It further discusses the measures an organization must take to comply with HIPAA. The next section, section three discusses the proposed framework showing what a metadata evidence can reveal and the results. The final section discusses the conclusion and future work.
Background
With the increase in new technology, it is likely that digital devices will be used for criminal investigations and litigation purposes. Lillis, Becker, O'Sullivan, and Scanlon [4] propose that the number of cases using digital forensic analysis will increase tremendously in the future. And as more and more criminal investigation cases arise, they will require the analysis of an increasing number of devices including computers, smartphones, tablets, cloud-based services, Internet of Things devices, wearables and many more. However, this variety of digital evidence could pose a challenge for the investigators from an identification, acquisition, storage and analysis standpoint. Reich [5] suggests that paper based and electronic record keeping systems records valuable information about a patient’s medical history and medical care. However, electronic systems capture something more that is they record information about the actual record itself. Therefore, this implies the creation of metadata, data about data. Dougherty [6] defines metadata as an inextricable part of electronic health records management which is applied for variation of functions and purposes. Metadata can be used in a legal setting to authenticate the evidentiary value of the electronic information and also help describe contextual processing of a record.
This research focuses on analyzing the importance of metadata in digital forensics of healthcare related crime to explain why it is important to comply with HIPAA at all times. McLean [7] investigates in his research the litigation of robotic surgery in the United States. Following a mishap of a robotic surgery, the litigation that follows involves medical malpractice action against the surgeon and the hospital and against the robotic surgical instrument manufacture. Due to having many suspects it becomes a difficult task to investigate and narrow down the culprit as finger-pointing is common and results in a settlement. McLean suggests that metadata within the robotic instrument can further help narrow down the investigation as it can provide the manufacturer with a strong defense against liability. While metadata can be used to help investigate crimes, it can also be used to protect physicians from claims of malpractice. Vigoda, Dennis and Dougherty [8] suggest that EHRs may contain critical information in the form of a legible patient record which can include information such as standardized documentations, notification of lab results, clinical support reminders and pop-ups. This research further includes statistics showing that a survey from the Medical Records Institute indicated that 20 percent who had an EHR and were involved in malpractice investigation case, more than half viewed EHR helpful to their case and defense and therefore having an EHR reduced their vulnerability to malpractice claims.
A similar investigation led to the misuse of metadata in a death involving a Houston man. Consult and Henry [9] researched the misuse of metadata in criminal investigation. In the trail of this investigation, the role of a pain killer drug, Vioxx, created by Merck was involved in the death of the Houston man. When Merck was asked to provide supporting evidence concluding that his drug has not caused any other deaths related to the drug, Merck had deleted damaging cardiovascular data before submitting the evidence to cover up the deaths caused by his drug. This metadata contained evidence of the deceptive deed performed by Merck. The drug was later pulled from the market and Merck was charged with billions of dollars in compensation.
Cothran and Reilly [10] show discuss a medical case in relating to metadata and EHRs. A sixteen-year-old boy suffered from a hemorrhagic stroke and was undergoing repair of the malformed vein mass. During his procedure of the malformed vein mass, a medical error occurred. For further investigation and litigation purposes, EHRs and other audit logs were requested. After much investigation, the evidence in the EHR audit logs showed that the physician was found guilty of medical malpractice due to failure to calibrate equipment before the procedure.
Further research performed on malpractice in healthcare, demonstrates how metadata can be used to investigate malpractice crime. Dimick [3] research shows how an anesthesiologist back in 2002 was accused of malpractice during a surgery of a brain tumor. After investigating the electronic discovery, flaws were discovered in the surgery’s electronic anesthesia record. The investigation found that ninety minutes of vital signs in the record were undocumented. Also, it showed that the anesthesiologist attended the complete surgery before the surgery was finished. This display of false electronic discovery accused the anesthesiologist of malpractice. However, if metadata was obtained or acquired in this investigation it could have provided with time stamp data about the data. Dr. Michael Vigoda further mentions that in this case metadata could have served as an “expert witness” on when the documented events actually occurred in the surgery. Marilyn Lamar, a health IT attorney further explains that metadata can do much more than just capture a time stamp. It can show when a document was accessed, who looked at it and if it was altered from its original format that could prove relevant in a court case.
For organizations to comply with HIPAA, it needs to take the appropraite measures. Douguthery [6] mentions that a record management system must include a patients identitiy validity, user authentication and authorization, attestation and nonrepeduiation, aleration and correction, auditing, metadata and validation support, EHR reports, record availibility, preservation and rentetion, and a completeion status for records and reports. By having a set of standards to define a record it makes supports the integreity and authenticity of it. In another research, Demick [3] mentions the following measures should be taken to comply with standards in an organization. He mentions that an e-discovery liasion must be designated within your organization such as a software which records and logs the metadata. Also, it is important to be familiar with the federal and state laws to ensure compliance with metadata. He mentions it is important to teach your risk management derpartment what is stored in the record so they understand what should be discovered. Also keep a list of all the systems that contribute to an EHR.
Proposed Framework
Methods
The method proposed in this research to is to evaluate healthcare data sets using digital forensic tools to gain an understanding of the important metadata that can be discovered. This could be critical to any digital forensic investigation in the healthcare industry. The methods in this experimental procedure involve five different steps. First, different types of data sets through online data repositories will be gathered to evaluate and analyse through the use of forensic tools. Next, the forensic tool will be downloaded, installed and set up to be used in this research. Then the digital forensic tool will be used to gather metadata on the data sets which were gathered earlier. Finally, the metadata found will be exported in a CSV file for a way to organize the report for litigation or other purposes.
Metadata of health data can be evaluated using different tools types of forensic tools such as EnCase, Exiftool, The Sleuth Kit(TSK), Foremost, Forensic Toolkit(FTK), etc. This research particularly uses the exiftool to perform forensic investigation and analysis.
Exiftool is a free and open source forensic tool used for reading, writing, and manipulating image, audio, video and PDF metadata. PDF files contain two different types of metadata known as Document Information Directory and more modern PDFs contain Extensible Metadata Platform (XMP). The Document Information Directory contains key/value pairs with authorship information, document title, and creation and modification time stamps. The Extensible Metadata Platform (XMP) method of storing metadata, which is used to store metadata in some graphic file formats [11].
For purposes of this research, a data sets was gathered from the Center of Medicare and Medicaid Services(CMMS) showing average charges and the average medicare payments at the individual hospital level. This data sets was exported in a PDF file format. EHR and EMR are confidential records and therefore are not publically available. Therefore, other type of data related to healthcare was used to give an illustration of the metadata that can be found if an actual EMR or EHR was used in an investigation.
Performing analysis through exiftool is extremely straightforward. First, this tool was downloaded and installed from the owners’ website. To perform analysis, you simply pass a file name to the command and exiftool will read and parse all available metadata.
The terminal was used to perform the following commands on this tool. The data set acquired was saved with filename called Medicare.pdf. The command mentioned below was executed to gain access to the metadata of this files.
· ~ exiftool Medicare.pdf
After the metadata is acquired, this metadata can be exported into a more comprehensible and organized format in order to be used as a report in litigation or for any other purposes. The command used to export this files in a CSV format are executed in Figure 2 and are mentioned below.
· ~ exiftool Medicare.pdf > Medicare.csv
Figures and Tables
Metadata acquired through Payments.pdf file
Commands showing how to export the acquired metadata
Results of the commands executed in the previous figure
CSV file showing the acquired metadata in an organinized format for Medicare..pdf file
The extracted metadata displays useful information such as
· File modification date and time
· File access date and time
· File inode change date and time
· File permissions
· Create date and modify date
All of these extracted fields can be very useful for digital forensic investigations relating to malpractice and other criminal activities in the healthcare industry.
Conclusion and Future Work
In conclusion, the use of digital evidence is becoming more and more prevalent in the healthcare industry for legal purposes. The use of this digital evidence shows how it could be beneficial in solving malpractice and other healthcare related crimes. Understanding that metadata is a digital fingerprint which will be preserved and which cannot be modified or changed which makes it even more valuable and reliable for litigation purposes. In order to prevent a dishonest malpractice case against your health organization or even to investigate a malpractice case or any health related crime it is important to provide evidence and therefore it is important to understand the integrity of maintaining records and audits for any healthcare organization.
The results of this research further emphasize the discussion in the literature review showcasing several different examples of crimes investigated through the use of metadata. Therefore, it is necessary for organizations to take the required measures to comply with HIPAA in maintaining records and audit trails. Also, acquiring the appropriate forensic tools and performing analysis could lead investigators to the correct and proper evidence that is needed for any legal purpose. Metadata is extremely valuable and therefore should not be overlooked or taken casually.
For future work, metadata analysis should be performed on different types of files to show the different types of metadata that can be acquired from different file types. Future research should also focus more on image files and analyzing image files and the use of that metadata could be important for the healthcare industry. Also, future work could propose different ways to minimize and sort through metadata to make it easier for sorting and handling of metadata for criminal investigations.
References
HHS Office of the Secretary,Office for Civil Rights and Ocr, “The SecurityRule,” HHS.gov,https://www.hhs.gov/hipaa/for-professionals/security/index.html, 2017
“Digital Forensics,” National Initiative for Cybersecurity Careers and Studies, https://niccs.us-cert.gov/workforce-development/cyber-security-workforce-framework/digital-forensics.
Dimick, Chris. "E-Discovery: Preparing for the Coming Rise in Electronic Discovery Requests" Journal of AHIMA 78, no.5, pg 24-29, May 2007.
Lillis, David & Becker, Brett & O'Sullivan, Tadhg & Scanlon, Mark, Current Challenges and Future Research Areas for Digital Forensic Investigation, 2016, doi: 10.13140/RG.2.2.34898.76489
Baldwin-Stried Reich, Kim. “Sorting Out Discovery Requests: Are Subpoenas and e-Discovery Requests the Same?” Journal of AHIMA, (October 2010): 60-62.
Dougherty, Michelle. "How Legal Is Your EHR?: Identifying Key Functions That Support a Legal Record" Journal of AHIMA 79, no.2 (February 2008): 24-30.
T. R. Mclean, “Principle of robotic surgery litigation in the United States,” Clinical Risk, vol. 14, no. 5, pp. 179–181, Sep. 2008.
Vigoda, Michael & Dennis, Callahan & Dougthery, Michelle, "e-Record, e-Liability: Addressing Medico-Legal Issues in Electronic Records" Journal of AHIMA 79, no.10 (October 2008): 48-52.
Consult, F., & Henry, O, "The Promise and Peril of Metadata.", Emergency Physicans Monthly, 2011.
Cothran, Carey & Reilly, Emily, “Audit Log Demands During Litigation: Response Conundrums from a Compliance Perspective”, HCAA Conference, 2017.
C. Altheide and H. A. Carvey, Digital forensics with open source tools. Burlington, MA: Syngress, 2011.