Forensics v fraud

Source: NHE March/April 2018

Gareth Ballance, technical lead of the Forensic Computing Unit (FCU), gives a snapshot of a day in the life working for the NHS Counter Fraud Authority (NHSCFA).

The NHSCFA is still in its infancy, having launched in November 2017. As you are probably aware from our high-profile launch, we face a huge problem: in 2016-17 it was estimated that fraud losses in the NHS exceeded £1.25bn every year.

While the NHSCFA may be young, the experience and specialist talents of our staff have been many years in the making. Our capability to investigate serious and complex fraud, bribery and corruption in the NHS also draws on the legacy of our predecessor organisations. And we believe that our FCU can compete with some of the best police forensic computing facilities.

Where there is the crime of healthcare fraud, there is by definition dishonesty, deceit and concealment. Lies, hidden relationships and secret motives surround these deliberate and targeted acts, which send money flowing away from patient care to personal bank accounts. And in this digital age, traces of the crime will be lurking somewhere: on the hard drives of PCs, on laptops, mobile phones, portable drives, other devices and on the web.

Fraud prosecutions are often lengthy, dealing with complex legal issues, and those who defraud the NHS are often defended by excellent legal teams – so the quality and integrity of the evidence produced by our computer forensics unit is vital. There are very few NHSCFA fraud prosecutions that do not involve my team.

Some disturbing recent newspaper headlines remind us that some criminals go to great lengths to cover their digital trail, and may evade detection for months or years. However, it is nigh impossible to leave no trail at all. Humans make mistakes and will inevitably at some point slip up on the constant, tedious “housekeeping” that is needed to stay off the authorities’ radar.

Many who defraud the NHS are arrogant or foolish enough to assume nobody will dream of investigating them, and frankly don’t take many precautions. This may be because they are used to being respected and well-liked, occupying a position of trust and responsibility within the NHS or one of its established contractors. Or they could be operating at what feels like a safely remote distance well outside the NHS, where they think they will never be found.

The NHSCFA has two established forensic computing laboratories in London and Newcastle, so I travel up and down. This geographic split makes covering England easier (and we also support the NHS Counter Fraud Service Wales, and NHS Scotland’s counter fraud service).

Complex crimes

The complex nature of fraud, bribery and corruption can result in some criminal investigations continuing for a considerable period of time. Others may be over in a matter of months. Cases the FCU works on can involve many millions of pounds – particularly if they involve civil litigation or large corporations.

The legal discipline with which we work is as important as what we as IT experts can do technically. As a public body responsible for investigating complex fraud matters, all of our work is in full compliance with criminal justice legislation. It is absolutely key to obtain, secure and retain information in the right way, as defence teams will often look to challenge the process followed to obtain evidence, rather than the evidence itself, in order to discredit a prosecution case. We do have cutting-edge technology on our side. Specific tools and processes are used to create forensic images – exact digital copies of the target data, verified using a digital fingerprint known as a hash value. We also use specialist software that can sift through hundreds of thousands of documents – using filtering systems such as keyword searching, file type and date range filters. Additional artificial intelligence and machine learning solutions are emerging, such as technology assisted review.

You need a sound methodology to get hold of the data in the first place. You need to understand the nature of that particular data. To properly prepare it for scrutiny by lawyers, you can’t just buy fancy tools – you must have the knowledge of how those tool work best. Technology helps with the challenge of dispersed teams. We can spread the workload, collaborate, do a lot more a lot faster. On one job we had 10 people working concurrently in London, alongside five in Coventry.

There are ways criminals can cover their digital tracks, and data encryption can be a big problem. But people tend to become complacent and stop taking extensive precautions, especially after getting away with something for a while. With encryption, if you forget the password you can easily lose your own information. It therefore becomes tempting to keep a password written down somewhere or use the same password for several different things.

Often, people we are dealing with don’t see themselves as criminals. We hear some fairly far-fetched defences, protesting complete IT illiteracy. Or an individual will argue that they are not responsible for something that occurred on their computer. We do quite a bit of work looking at user activity on a machine, to demonstrate the activity is personalised to the individual – which might require us to piece together a very detailed narrative of what happened on a particular day.

Skills training

Keeping our skills honed with formal training is a constant need, both for generic IT knowledge and what is specific to the digital forensics arena. It can be highly technical, about how file systems operate on a drive to organise all the data, or about how a particular piece of software operates and stores data on the disk. It all differs on a case per case basis. Understanding what different artefacts mean and how to prove that an act was deliberate, so the user cannot give the excuse that “it just popped up” automatically, is often key to investigations.

The team will mostly be working on material from machines taken under warrant by the police. We also work on information generated by NHSCFA’s intel team under RIPA (Regulation of Investigatory Powers Act 2000), materials obtained under Health Act powers, and on data given to us voluntarily by health trusts.

We have a wealth of experience in FCU, with colleagues having previously worked at the Serious Fraud Office, Metropolitan Police and North Yorkshire Police. Some have immense experience in NHS fraud cases after working for years in our predecessor NHS counter fraud organisations like NHS CFSMS.

Maintaining a forensic computing capacity requires that the organisation continue to update its technical capability – to keep aligned to general technological advances and stay ahead of the fraudster. We have the ability to collaborate across geographical sites and make data available for review faster than ever before. We are fortunate to have a stable, well-supported and dedicated team.

People ask how I got into this work. I took an unorthodox route, with a degree in biochemistry, then I did a master’s degree in forensics, worked in IT for a couple of years and was then lucky enough to get a job as a digital evidence investigator at Thames Valley Police. This was an excellent place to gain practical experience in digital forensics and involved a range of high-level crimes including murder, indecent images, organised drug gangs, kidnapping and more.

Someone asked if NHS fraud was a bit mundane after all that, but I find it very fulfilling. Helping to recover money which can be put back into frontline NHS services is truly rewarding.




There are no comments. Why not be the first?

Add your comment


national health executive tv

more videos >

latest healthcare news

Lancashire County Council to pay £200k in legal costs after Virgin Care legal battle

17/08/2018Lancashire County Council to pay £200k in legal costs after Virgin Care legal battle

Lancashire County Council has agreed to pay £200,000 in legal costs to two NHS Trusts after their decision to hand a £104million cont... more >
Former inadequate West Midlands maternity unit upgraded by CQC

17/08/2018Former inadequate West Midlands maternity unit upgraded by CQC

Walsall Manor Hospital’s maternity services have been given an improved rating from the health inspectorate following assessments made in J... more >
Major hospital stalled by Carillion collapse will go ahead under government funding deal

16/08/2018Major hospital stalled by Carillion collapse will go ahead under government funding deal

The construction of a major Midlands hospital that had its future cast into doubt following the collapse of infrastructure giant Carillion has be... more >
681 149x260 NHE Subscribe button

the scalpel's daily blog

The NICE impact on falls and fragility fractures

10/08/2018The NICE impact on falls and fragility fractures

Falls should not be an inevitable part of ageing – and their snowball effect means the consequence of falls are far from limited to just hospital admissions, says Professor Gillian Leng, deputy chief executive and director of health and social care at NICE Almost a third of over-65s in the UK have a fall at least once a year, with around 500,000 people presenting at hospital with fragility fractures. This is estimated to cost the ... more >
read more blog posts from 'the scalpel' >


Duncan Selbie: A step on the journey to population health

24/01/2018Duncan Selbie: A step on the journey to population health

The NHS plays a part in the country’s wellness – but it’s far from being all that matters. Duncan Selbie, chief executive of Pu... more >
Cutting through the fake news

22/11/2017Cutting through the fake news

In an era of so-called ‘fake news’ growing alongside a renewed focus on reducing stigma around mental health, Paul Farmer, chief exec... more >
Tackling infection prevention locally

04/10/2017Tackling infection prevention locally

Dr Emma Burnett, a lecturer and researcher in infection prevention at the University of Dundee’s School of Nursing and Midwifery and a boar... more >
Scan4Safety: benefits across the whole supply chain

02/10/2017Scan4Safety: benefits across the whole supply chain

NHE interviews Gillian Fox, head of eProcurement (Scan4Safety) programme at NHS Supply Chain. How has the Scan4Safety initiative evolved sin... more >

last word

Hard to be optimistic

Hard to be optimistic

Rachel Power, chief executive of the Patients Association, warns that we must be realistic about the very real effects of continued underfunding across the health service. It’s now bey... more > more last word articles >

editor's comment

25/09/2017A hotbed of innovation

This edition of NHE comes hot on the heels of this year’s NHS Expo which, once again, proved to be a huge success at Manchester Central. A number of announcements were made during the event, with the health secretary naming the second wave of NHS digital pioneers, or ‘fast followers’, which follow the initial global digital e... read more >

health service focus