Forensics v fraud

Source: NHE March/April 2018

Gareth Ballance, technical lead of the Forensic Computing Unit (FCU), gives a snapshot of a day in the life working for the NHS Counter Fraud Authority (NHSCFA).

The NHSCFA is still in its infancy, having launched in November 2017. As you are probably aware from our high-profile launch, we face a huge problem: in 2016-17 it was estimated that fraud losses in the NHS exceeded £1.25bn every year.

While the NHSCFA may be young, the experience and specialist talents of our staff have been many years in the making. Our capability to investigate serious and complex fraud, bribery and corruption in the NHS also draws on the legacy of our predecessor organisations. And we believe that our FCU can compete with some of the best police forensic computing facilities.

Where there is the crime of healthcare fraud, there is by definition dishonesty, deceit and concealment. Lies, hidden relationships and secret motives surround these deliberate and targeted acts, which send money flowing away from patient care to personal bank accounts. And in this digital age, traces of the crime will be lurking somewhere: on the hard drives of PCs, on laptops, mobile phones, portable drives, other devices and on the web.

Fraud prosecutions are often lengthy, dealing with complex legal issues, and those who defraud the NHS are often defended by excellent legal teams – so the quality and integrity of the evidence produced by our computer forensics unit is vital. There are very few NHSCFA fraud prosecutions that do not involve my team.

Some disturbing recent newspaper headlines remind us that some criminals go to great lengths to cover their digital trail, and may evade detection for months or years. However, it is nigh impossible to leave no trail at all. Humans make mistakes and will inevitably at some point slip up on the constant, tedious “housekeeping” that is needed to stay off the authorities’ radar.

Many who defraud the NHS are arrogant or foolish enough to assume nobody will dream of investigating them, and frankly don’t take many precautions. This may be because they are used to being respected and well-liked, occupying a position of trust and responsibility within the NHS or one of its established contractors. Or they could be operating at what feels like a safely remote distance well outside the NHS, where they think they will never be found.

The NHSCFA has two established forensic computing laboratories in London and Newcastle, so I travel up and down. This geographic split makes covering England easier (and we also support the NHS Counter Fraud Service Wales, and NHS Scotland’s counter fraud service).

Complex crimes

The complex nature of fraud, bribery and corruption can result in some criminal investigations continuing for a considerable period of time. Others may be over in a matter of months. Cases the FCU works on can involve many millions of pounds – particularly if they involve civil litigation or large corporations.

The legal discipline with which we work is as important as what we as IT experts can do technically. As a public body responsible for investigating complex fraud matters, all of our work is in full compliance with criminal justice legislation. It is absolutely key to obtain, secure and retain information in the right way, as defence teams will often look to challenge the process followed to obtain evidence, rather than the evidence itself, in order to discredit a prosecution case. We do have cutting-edge technology on our side. Specific tools and processes are used to create forensic images – exact digital copies of the target data, verified using a digital fingerprint known as a hash value. We also use specialist software that can sift through hundreds of thousands of documents – using filtering systems such as keyword searching, file type and date range filters. Additional artificial intelligence and machine learning solutions are emerging, such as technology assisted review.

You need a sound methodology to get hold of the data in the first place. You need to understand the nature of that particular data. To properly prepare it for scrutiny by lawyers, you can’t just buy fancy tools – you must have the knowledge of how those tool work best. Technology helps with the challenge of dispersed teams. We can spread the workload, collaborate, do a lot more a lot faster. On one job we had 10 people working concurrently in London, alongside five in Coventry.

There are ways criminals can cover their digital tracks, and data encryption can be a big problem. But people tend to become complacent and stop taking extensive precautions, especially after getting away with something for a while. With encryption, if you forget the password you can easily lose your own information. It therefore becomes tempting to keep a password written down somewhere or use the same password for several different things.

Often, people we are dealing with don’t see themselves as criminals. We hear some fairly far-fetched defences, protesting complete IT illiteracy. Or an individual will argue that they are not responsible for something that occurred on their computer. We do quite a bit of work looking at user activity on a machine, to demonstrate the activity is personalised to the individual – which might require us to piece together a very detailed narrative of what happened on a particular day.

Skills training

Keeping our skills honed with formal training is a constant need, both for generic IT knowledge and what is specific to the digital forensics arena. It can be highly technical, about how file systems operate on a drive to organise all the data, or about how a particular piece of software operates and stores data on the disk. It all differs on a case per case basis. Understanding what different artefacts mean and how to prove that an act was deliberate, so the user cannot give the excuse that “it just popped up” automatically, is often key to investigations.

The team will mostly be working on material from machines taken under warrant by the police. We also work on information generated by NHSCFA’s intel team under RIPA (Regulation of Investigatory Powers Act 2000), materials obtained under Health Act powers, and on data given to us voluntarily by health trusts.

We have a wealth of experience in FCU, with colleagues having previously worked at the Serious Fraud Office, Metropolitan Police and North Yorkshire Police. Some have immense experience in NHS fraud cases after working for years in our predecessor NHS counter fraud organisations like NHS CFSMS.

Maintaining a forensic computing capacity requires that the organisation continue to update its technical capability – to keep aligned to general technological advances and stay ahead of the fraudster. We have the ability to collaborate across geographical sites and make data available for review faster than ever before. We are fortunate to have a stable, well-supported and dedicated team.

People ask how I got into this work. I took an unorthodox route, with a degree in biochemistry, then I did a master’s degree in forensics, worked in IT for a couple of years and was then lucky enough to get a job as a digital evidence investigator at Thames Valley Police. This was an excellent place to gain practical experience in digital forensics and involved a range of high-level crimes including murder, indecent images, organised drug gangs, kidnapping and more.

Someone asked if NHS fraud was a bit mundane after all that, but I find it very fulfilling. Helping to recover money which can be put back into frontline NHS services is truly rewarding.




There are no comments. Why not be the first?

Add your comment


national health executive tv

more videos >

latest healthcare news

Struggling Cornwall trust appoints permanent chief executive to lead it out of special measures

18/01/2019Struggling Cornwall trust appoints permanent chief executive to lead it out of special measures

The Royal Cornwall Hospitals Trust (RCHT) has announced that Kate Shields, the current interim chief executive, has been appointed to lead the tr... more >
Bradford hospitals trust fined by CQC after breaching its duty of candour

18/01/2019Bradford hospitals trust fined by CQC after breaching its duty of candour

Bradford Teaching Hospitals NHS FT (BTH) has been fined by the CQC after failing to apologise to a family in time after a safety incident, breaki... more >
Substantial deficits across NHS ‘do not paint a picture of sustainability’ and threaten long-term plan, warns spending watchdog

18/01/2019Substantial deficits across NHS ‘do not paint a picture of sustainability’ and threaten long-term plan, warns spending watchdog

The NHS is not financially sustainable and substantial deficits at NHS bodies, year-on-year increases in waiting lists and waiting times, and sta... more >
681 149x260 NHE Subscribe button

the scalpel's daily blog

Gentleness: an underrated quality in effective leadership

14/01/2019Gentleness: an underrated quality in effective leadership

Dean Royles, strategic workforce advisor at Skills for Health and co-author of ‘An Introduction to Human Resource Management,’ returns to write for NHE for his blog series on effective leadership. “It is not in your top three, Dean…” The difficulty in asking for feedback is that sometimes, occasionally, people will be honest with you. It can be humbling and troubling in equal measure. It’s somet... more >
read more blog posts from 'the scalpel' >


How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

24/10/2018How can winter pressures be dealt with? Introduce a National Social Care Service, RCP president suggests

A dedicated national social care service could be a potential solution to surging demand burdening acute health providers over the winter months,... more >
RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

24/10/2018RCP president on new Liverpool college building: ‘This will be a hub for clinicians in the north’

The president of the Royal College of Physicians (RCP) has told NHE that the college’s new headquarters based in Liverpool will become a hu... more >
Duncan Selbie: A step on the journey to population health

24/01/2018Duncan Selbie: A step on the journey to population health

The NHS plays a part in the country’s wellness – but it’s far from being all that matters. Duncan Selbie, chief executive of Pu... more >
Cutting through the fake news

22/11/2017Cutting through the fake news

In an era of so-called ‘fake news’ growing alongside a renewed focus on reducing stigma around mental health, Paul Farmer, chief exec... more >

last word

Hard to be optimistic

Hard to be optimistic

Rachel Power, chief executive of the Patients Association, warns that we must be realistic about the very real effects of continued underfunding across the health service. It’s now bey... more > more last word articles >

editor's comment

25/09/2017A hotbed of innovation

This edition of NHE comes hot on the heels of this year’s NHS Expo which, once again, proved to be a huge success at Manchester Central. A number of announcements were made during the event, with the health secretary naming the second wave of NHS digital pioneers, or ‘fast followers’, which follow the initial global digital e... read more >

health service focus

Innovative mobile solution meeting NHS demand

07/01/2019Innovative mobile solution meeting NHS demand

EMS Healthcare report on the first fleet of m... more >
National Health Executive fuels the Northern Powerhouse with official partnership

21/11/2018National Health Executive fuels the Northern Powerhouse with official partnership

Cognitive Publishing, the home of leading hea... more >