Computer forensic investigations routinely take place in some form at most large to mid-sized healthcare organizations. As the overwhelming majority of information is now stored electronically, it is difficult to imagine any type of breach or compromise that does not warrant a computer forensic investigation.

Case in point: to obtain more consistency in breach reporting and notification, the HIPAA Omnibus Rule created an objective, four-factor test to determine whether protected health information (PHI) has been compromised. Computer forensics is the most valid way to confirm one of these factors: whether the PHI was actually acquired or viewed.

Although the current trend is to integrate this discipline as an essential component of an overall information security program, there are still many healthcare organizations with limited computer forensic capabilities. There are four primary reasons that explain this lack of capability:

  • Computer forensic investigations and their supporting operations can be very expensive, laborious and technically difficult to accomplish with potential legal implications.
  • New tools and techniques with continual upgrades are often needed to accommodate new forms of technologies and threats.
  • It can be difficult to justify building and maintaining a legitimate forensics lab that supports the entire investigative process end-to-end and can withstand any evidentiary challenge.
  • The maintenance of this capability requires a great deal of staff development and training.

For many organizations, staffing and budget limitations require them to use retainer contracts with consultancies to meet their forensic needs.

If your organization has a sporadic requirement for forensics work or cannot support the ongoing resources required to maintain this function, then it makes more sense to outsource to a third-party vendor. Even healthcare organizations that have dedicated full-time internal forensics teams can find themselves requiring additional assistance or may outsource large incidents to a third-party vendor.

Outsourcing decisions should be based on an analysis of required computer forensic capabilities and, of course, cost. Capabilities run into the hundreds of thousands of dollars, and that accounts only for the cost of the tools, according to a November 2015 Frost and Sullivan report entitled “How Much Forensics Do You Need?” The report illustrates that the cost of dedicated investigative personnel can run into millions of dollars.

Your organization also needs to understand the scope and boundaries of a potential outsourcing arrangement, and determine the internal resources required to achieve the desired level of capability. Here are the primary factors to consider when deciding whether or not to outsource computer forensic capabilities:

Staffing Resources: Is your organization’s staffing properly resourced? Forensics can be manually laborious, and it is difficult to predict how often investigations will take place or how long they will last. If your organization has a shortage of skilled computer forensic practitioners, then you can use an external service provider to offload any or all forensic activities. Doing so also frees up existing resources for other security projects and activities.

Technical Expertise: Does your organization’s staff have the necessary skills to conduct computer forensic investigations? These skills may include technical knowledge of operating systems, file systems and other targets of analysis as well as an understanding of proper evidence and chain of custody handling. If your organization does not have established internal expertise in computer forensics, then your organization can benefit from an outsourcing arrangement. Outsourcing computer forensic capabilities reduces your need to hire, train and retain skills for that function.

Computer Forensic Tools: Does your organization need to acquire or upgrade computer forensic tools? The outsource decision can be a cost savings because the external service provider will typically own or lease its own equipment and software as well as maintain them.

It is important to be clear about your organization's expectations of a computer forensic outsourcing engagement and to then structure an agreement that reflects those expectations. The following are some of the key vendor requirements to expect:

Data Acquisition & Preservation

  • Acquiring and preserving data from computers, network shares, removable devices and mobile devices
  • Recording network communications including VoIP
  • Conducting forensic imaging on all operating systems within your environment such as Windows, Macintosh, Linux and Unix
  • Detecting and validating data theft, data leakage, fraudulent activity or other malicious behavior

Host & Network Analysis

  • Performing integrated analysis including the use of removable media, as well as social media and chat applications
  • Conducting file identification and indexing
  • Correlating host data with network traffic data
  • Retracing a suspect’s steps


  • Providing a summary of investigation findings, recommendations, and supporting case log and chain of custody documents
  • Providing a search statistics report that includes search hits, the number of files involved, the relevance of all search hits and the disposition of all evidence files

Computer forensics is indispensable in supporting the investigative process. The rising tide of data security breaches, intellectual property theft and associated financial losses mandates that healthcare organizations conduct or oversee proper computer forensic investigations when responding to these issues. The more complex technology becomes, the more difficult forensic investigations can become.

Organizations need to honestly assess their abilities to fulfill investigation tasks. As a result, you may find it’s more efficient and cost effective to contract with third parties rather than maintain this function in-house.
