18.04.18
Forensics v fraud
Source: NHE March/April 2018
Gareth Ballance, technical lead of the Forensic Computing Unit (FCU), gives a snapshot of a day in the life working for the NHS Counter Fraud Authority (NHSCFA).
The NHSCFA is still in its infancy, having launched in November 2017. As you are probably aware from our high-profile launch, we face a huge problem: in 2016-17 it was estimated that fraud losses in the NHS exceeded £1.25bn every year.
While the NHSCFA may be young, the experience and specialist talents of our staff have been many years in the making. Our capability to investigate serious and complex fraud, bribery and corruption in the NHS also draws on the legacy of our predecessor organisations. And we believe that our FCU can compete with some of the best police forensic computing facilities.
Where there is the crime of healthcare fraud, there is by definition dishonesty, deceit and concealment. Lies, hidden relationships and secret motives surround these deliberate and targeted acts, which send money flowing away from patient care to personal bank accounts. And in this digital age, traces of the crime will be lurking somewhere: on the hard drives of PCs, on laptops, mobile phones, portable drives, other devices and on the web.
Fraud prosecutions are often lengthy, dealing with complex legal issues, and those who defraud the NHS are often defended by excellent legal teams – so the quality and integrity of the evidence produced by our computer forensics unit is vital. There are very few NHSCFA fraud prosecutions that do not involve my team.
Some disturbing recent newspaper headlines remind us that some criminals go to great lengths to cover their digital trail, and may evade detection for months or years. However, it is nigh impossible to leave no trail at all. Humans make mistakes and will inevitably at some point slip up on the constant, tedious “housekeeping” that is needed to stay off the authorities’ radar.
Many who defraud the NHS are arrogant or foolish enough to assume nobody will dream of investigating them, and frankly don’t take many precautions. This may be because they are used to being respected and well-liked, occupying a position of trust and responsibility within the NHS or one of its established contractors. Or they could be operating at what feels like a safely remote distance well outside the NHS, where they think they will never be found.
The NHSCFA has two established forensic computing laboratories in London and Newcastle, so I travel up and down. This geographic split makes covering England easier (and we also support the NHS Counter Fraud Service Wales, and NHS Scotland’s counter fraud service).
Complex crimes
The complex nature of fraud, bribery and corruption can result in some criminal investigations continuing for a considerable period of time. Others may be over in a matter of months. Cases the FCU works on can involve many millions of pounds – particularly if they involve civil litigation or large corporations.
The legal discipline with which we work is as important as what we as IT experts can do technically. As a public body responsible for investigating complex fraud matters, all of our work is in full compliance with criminal justice legislation. It is absolutely key to obtain, secure and retain information in the right way, as defence teams will often look to challenge the process followed to obtain evidence, rather than the evidence itself, in order to discredit a prosecution case. We do have cutting-edge technology on our side. Specific tools and processes are used to create forensic images – exact digital copies of the target data, verified using a digital fingerprint known as a hash value. We also use specialist software that can sift through hundreds of thousands of documents – using filtering systems such as keyword searching, file type and date range filters. Additional artificial intelligence and machine learning solutions are emerging, such as technology assisted review.
You need a sound methodology to get hold of the data in the first place. You need to understand the nature of that particular data. To properly prepare it for scrutiny by lawyers, you can’t just buy fancy tools – you must have the knowledge of how those tool work best. Technology helps with the challenge of dispersed teams. We can spread the workload, collaborate, do a lot more a lot faster. On one job we had 10 people working concurrently in London, alongside five in Coventry.
There are ways criminals can cover their digital tracks, and data encryption can be a big problem. But people tend to become complacent and stop taking extensive precautions, especially after getting away with something for a while. With encryption, if you forget the password you can easily lose your own information. It therefore becomes tempting to keep a password written down somewhere or use the same password for several different things.
Often, people we are dealing with don’t see themselves as criminals. We hear some fairly far-fetched defences, protesting complete IT illiteracy. Or an individual will argue that they are not responsible for something that occurred on their computer. We do quite a bit of work looking at user activity on a machine, to demonstrate the activity is personalised to the individual – which might require us to piece together a very detailed narrative of what happened on a particular day.
Skills training
Keeping our skills honed with formal training is a constant need, both for generic IT knowledge and what is specific to the digital forensics arena. It can be highly technical, about how file systems operate on a drive to organise all the data, or about how a particular piece of software operates and stores data on the disk. It all differs on a case per case basis. Understanding what different artefacts mean and how to prove that an act was deliberate, so the user cannot give the excuse that “it just popped up” automatically, is often key to investigations.
The team will mostly be working on material from machines taken under warrant by the police. We also work on information generated by NHSCFA’s intel team under RIPA (Regulation of Investigatory Powers Act 2000), materials obtained under Health Act powers, and on data given to us voluntarily by health trusts.
We have a wealth of experience in FCU, with colleagues having previously worked at the Serious Fraud Office, Metropolitan Police and North Yorkshire Police. Some have immense experience in NHS fraud cases after working for years in our predecessor NHS counter fraud organisations like NHS CFSMS.
Maintaining a forensic computing capacity requires that the organisation continue to update its technical capability – to keep aligned to general technological advances and stay ahead of the fraudster. We have the ability to collaborate across geographical sites and make data available for review faster than ever before. We are fortunate to have a stable, well-supported and dedicated team.
People ask how I got into this work. I took an unorthodox route, with a degree in biochemistry, then I did a master’s degree in forensics, worked in IT for a couple of years and was then lucky enough to get a job as a digital evidence investigator at Thames Valley Police. This was an excellent place to gain practical experience in digital forensics and involved a range of high-level crimes including murder, indecent images, organised drug gangs, kidnapping and more.
Someone asked if NHS fraud was a bit mundane after all that, but I find it very fulfilling. Helping to recover money which can be put back into frontline NHS services is truly rewarding.
FOR MORE INFORMATION
W: www.cfa.nhs.uk/reportfraud
W: www.cfa.nhs.uk/about-nhscfa/forensic-computing-unit/about-fcu