Forensics v fraud

Source: NHE March/April 2018

Gareth Ballance, technical lead of the Forensic Computing Unit (FCU), gives a snapshot of a day in the life working for the NHS Counter Fraud Authority (NHSCFA).

The NHSCFA is still in its infancy, having launched in November 2017. As you are probably aware from our high-profile launch, we face a huge problem: in 2016-17 it was estimated that fraud losses in the NHS exceeded £1.25bn every year.

While the NHSCFA may be young, the experience and specialist talents of our staff have been many years in the making. Our capability to investigate serious and complex fraud, bribery and corruption in the NHS also draws on the legacy of our predecessor organisations. And we believe that our FCU can compete with some of the best police forensic computing facilities.

Where there is the crime of healthcare fraud, there is by definition dishonesty, deceit and concealment. Lies, hidden relationships and secret motives surround these deliberate and targeted acts, which send money flowing away from patient care to personal bank accounts. And in this digital age, traces of the crime will be lurking somewhere: on the hard drives of PCs, on laptops, mobile phones, portable drives, other devices and on the web.

Fraud prosecutions are often lengthy, dealing with complex legal issues, and those who defraud the NHS are often defended by excellent legal teams – so the quality and integrity of the evidence produced by our computer forensics unit is vital. There are very few NHSCFA fraud prosecutions that do not involve my team.

Some disturbing recent newspaper headlines remind us that some criminals go to great lengths to cover their digital trail, and may evade detection for months or years. However, it is nigh impossible to leave no trail at all. Humans make mistakes and will inevitably at some point slip up on the constant, tedious “housekeeping” that is needed to stay off the authorities’ radar.

Many who defraud the NHS are arrogant or foolish enough to assume nobody will dream of investigating them, and frankly don’t take many precautions. This may be because they are used to being respected and well-liked, occupying a position of trust and responsibility within the NHS or one of its established contractors. Or they could be operating at what feels like a safely remote distance well outside the NHS, where they think they will never be found.

The NHSCFA has two established forensic computing laboratories in London and Newcastle, so I travel up and down. This geographic split makes covering England easier (and we also support the NHS Counter Fraud Service Wales, and NHS Scotland’s counter fraud service).

Complex crimes

The complex nature of fraud, bribery and corruption can result in some criminal investigations continuing for a considerable period of time. Others may be over in a matter of months. Cases the FCU works on can involve many millions of pounds – particularly if they involve civil litigation or large corporations.

The legal discipline with which we work is as important as what we as IT experts can do technically. As a public body responsible for investigating complex fraud matters, all of our work is in full compliance with criminal justice legislation. It is absolutely key to obtain, secure and retain information in the right way, as defence teams will often look to challenge the process followed to obtain evidence, rather than the evidence itself, in order to discredit a prosecution case. We do have cutting-edge technology on our side. Specific tools and processes are used to create forensic images – exact digital copies of the target data, verified using a digital fingerprint known as a hash value. We also use specialist software that can sift through hundreds of thousands of documents – using filtering systems such as keyword searching, file type and date range filters. Additional artificial intelligence and machine learning solutions are emerging, such as technology assisted review.

You need a sound methodology to get hold of the data in the first place. You need to understand the nature of that particular data. To properly prepare it for scrutiny by lawyers, you can’t just buy fancy tools – you must have the knowledge of how those tool work best. Technology helps with the challenge of dispersed teams. We can spread the workload, collaborate, do a lot more a lot faster. On one job we had 10 people working concurrently in London, alongside five in Coventry.

There are ways criminals can cover their digital tracks, and data encryption can be a big problem. But people tend to become complacent and stop taking extensive precautions, especially after getting away with something for a while. With encryption, if you forget the password you can easily lose your own information. It therefore becomes tempting to keep a password written down somewhere or use the same password for several different things.

Often, people we are dealing with don’t see themselves as criminals. We hear some fairly far-fetched defences, protesting complete IT illiteracy. Or an individual will argue that they are not responsible for something that occurred on their computer. We do quite a bit of work looking at user activity on a machine, to demonstrate the activity is personalised to the individual – which might require us to piece together a very detailed narrative of what happened on a particular day.

Skills training

Keeping our skills honed with formal training is a constant need, both for generic IT knowledge and what is specific to the digital forensics arena. It can be highly technical, about how file systems operate on a drive to organise all the data, or about how a particular piece of software operates and stores data on the disk. It all differs on a case per case basis. Understanding what different artefacts mean and how to prove that an act was deliberate, so the user cannot give the excuse that “it just popped up” automatically, is often key to investigations.

The team will mostly be working on material from machines taken under warrant by the police. We also work on information generated by NHSCFA’s intel team under RIPA (Regulation of Investigatory Powers Act 2000), materials obtained under Health Act powers, and on data given to us voluntarily by health trusts.

We have a wealth of experience in FCU, with colleagues having previously worked at the Serious Fraud Office, Metropolitan Police and North Yorkshire Police. Some have immense experience in NHS fraud cases after working for years in our predecessor NHS counter fraud organisations like NHS CFSMS.

Maintaining a forensic computing capacity requires that the organisation continue to update its technical capability – to keep aligned to general technological advances and stay ahead of the fraudster. We have the ability to collaborate across geographical sites and make data available for review faster than ever before. We are fortunate to have a stable, well-supported and dedicated team.

People ask how I got into this work. I took an unorthodox route, with a degree in biochemistry, then I did a master’s degree in forensics, worked in IT for a couple of years and was then lucky enough to get a job as a digital evidence investigator at Thames Valley Police. This was an excellent place to gain practical experience in digital forensics and involved a range of high-level crimes including murder, indecent images, organised drug gangs, kidnapping and more.

Someone asked if NHS fraud was a bit mundane after all that, but I find it very fulfilling. Helping to recover money which can be put back into frontline NHS services is truly rewarding.




There are no comments. Why not be the first?

Add your comment


national health executive tv

more videos >

latest healthcare news

Highest ever numbers accept GP training posts

19/10/2018Highest ever numbers accept GP training posts

The number of people entering GP training is the highest in NHS history, according to new figures from Health Education England (HEE). A tot... more >
‘No realistic prospect of progress’ for integrated health and social care, PAC warns

19/10/2018‘No realistic prospect of progress’ for integrated health and social care, PAC warns

The government is still “a long way” from achieving an effective strategy for integrated health and social care and has been urged to... more >
One in six trusts could end PFI contracts due to poor performance as NHS heads for £1bn loss

19/10/2018One in six trusts could end PFI contracts due to poor performance as NHS heads for £1bn loss

A new report has revealed that 15% of all NHS trusts using private finance initiatives (PFI) could terminate contracts due to poor performance. ... more >
681 149x260 NHE Subscribe button

the scalpel's daily blog

On your bike!

17/10/2018On your bike!

Sathish Sethuraman, travel and transport plan co-ordinator at Northumbria Healthcare NHS FT, explains how efforts to promote cycling to work at the trust are resulting in more staff travelling on two wheels. At Northumbria Healthcare, we are committed to becoming a greener organisation and reducing the environmental impact of delivering patient care in hospitals and in the community across Northumberland and North Tyneside. From in... more >
read more blog posts from 'the scalpel' >


Duncan Selbie: A step on the journey to population health

24/01/2018Duncan Selbie: A step on the journey to population health

The NHS plays a part in the country’s wellness – but it’s far from being all that matters. Duncan Selbie, chief executive of Pu... more >
Cutting through the fake news

22/11/2017Cutting through the fake news

In an era of so-called ‘fake news’ growing alongside a renewed focus on reducing stigma around mental health, Paul Farmer, chief exec... more >
Tackling infection prevention locally

04/10/2017Tackling infection prevention locally

Dr Emma Burnett, a lecturer and researcher in infection prevention at the University of Dundee’s School of Nursing and Midwifery and a boar... more >
Scan4Safety: benefits across the whole supply chain

02/10/2017Scan4Safety: benefits across the whole supply chain

NHE interviews Gillian Fox, head of eProcurement (Scan4Safety) programme at NHS Supply Chain. How has the Scan4Safety initiative evolved sin... more >

last word

Hard to be optimistic

Hard to be optimistic

Rachel Power, chief executive of the Patients Association, warns that we must be realistic about the very real effects of continued underfunding across the health service. It’s now bey... more > more last word articles >

editor's comment

25/09/2017A hotbed of innovation

This edition of NHE comes hot on the heels of this year’s NHS Expo which, once again, proved to be a huge success at Manchester Central. A number of announcements were made during the event, with the health secretary naming the second wave of NHS digital pioneers, or ‘fast followers’, which follow the initial global digital e... read more >

health service focus

Rules of engagement

01/10/2018Rules of engagement

Using technology to increase patient engagement... more >
Navigate your way to cyber resilience

01/10/2018Navigate your way to cyber resilience

As the NHS celebrates its 70th birthday, Alan... more >