A Transition from Healthcare Compliance to Digital Forensics

I spent a few years in investigations and healthcare compliance before considering a career in digital forensics. In 2014, I dismissed digital forensics since I didn’t have a computer science background. I had enough understanding to do well in Governance, Risk and Compliance, so that’s what I did. It wasn’t until I was inspired by the journey of others that I pursued a career change in 2018. I feel I’ve made considerable progress since.

I’ve been fortunate to ground myself in the journey of others.  It adds perspective and appreciation for my own background.  With hope someone will find value in it, below is a brief summary of my path from healthcare compliance to digital forensics.

My role in healthcare compliance included privacy and security. One of my primary responsibilities was conducting investigations alleging inappropriate access to electronic protected health information. I queried structured databases and used access logs from medical record databases to baseline access among workforce peers based on workflows I witnessed and validated. Facts about a user’s role facilitating the treatment, payment or operations on behalf of the covered entity were compared to the access recorded in the access log. The information in the log was then evaluated to determine if the access was attributable to a workforce member based on other information collected from the investigation – including interviews. Working alongside Human Resources, Legal and the Special Investigations Unit, every case was thoroughly documented, including the logs used to base our observations on should our findings be challenged.

I recognized there were other opportunities to increase confidence in attribution by using browser history or other digital information that might be available.   Can we verify a workforce member was collecting data from a medical record to record on a spreadsheet for a job-related task?  Did a workforce member have knowledge about a patient from an internet search before accessing the medical record?  For those types of questions, we did reach out to our internal digital forensic experts when a case required it. 

As my interest in digital forensics grew, I relied on archived discussions on Reddit and Forensic Focus for perspective in that field.  I also read Brett Shavers’ Placing the Suspect Behind the Keyboard and Shavers and John Bair’s Hiding Behind the Keyboard.  After watching a handful of videos on YouTube, including 13Cubed’s video series, I approached my employer, at the time, to secure partial funding through the tuition reimbursement program to take FOR500 from the SANS Institute.  This was also an opportunity to self-demonstrate my interest in digital forensics. 

Within 6 weeks, I successfully completed the coursework and earned the GCFE certification shortly after. While my newfound knowledge of Windows OS artifacts didn’t apply to most of my daily work, the timelining principles learned from FOR500 improved my work-product. I know a little bit about Windows OS artifacts – what’s next? One does not simply “forensicate.” Was I ready to transition to a new role? Could I do that internally?

I reached out to some internal contacts with the hope of gaining some part-time experience and applying what I learned. While I did not gain that experience, I was able to establish connections with digital forensic investigators who were able to provide valuable insight into the profession.

With the new year, I was able to re-apply for tuition reimbursement.  I spent the next few months learning about EnCase via the OnDemand Passport.  After completing the EnCase OnDemand courses, I feel I was well acquainted with a few file system structures and data carving.

As an active participant/attendee of local chapter meetings for InfraGard, ACFE and other local organizations, I was also able to network with local professionals.  I believe my connection with local professionals is what presented an unexpected opportunity to progress in my transition to digital forensics.

I was considered for a cyber security investigations role supporting privacy and information security working closely with the digital forensics team – roles I previously applied to. After some reflection, and a successful interview, I left one organization for another with the intent of gaining much-needed experience in digital forensics. Fortunately, my healthcare experience was well-suited for this new role.

Despite the COVID outbreak, I have since been afforded every opportunity to pursue digital forensics and feel fortunate that my individual efforts were recognized.  These opportunities included certifications, time to attend conferences and summits, and actively apply digital forensic principles to my cases.  Over time, my investigative function was combined with the digital forensics team.  Can I call myself a digital forensic investigator now?  I’d like to think so.

Highlights:

  1. I had an interest in digital forensics and pursued it with purposeful intent. Maria Markstedter wrote an extremely helpful three-part series on becoming an efficient learner and mastering a field. My relationships with my managers have been significantly impactful.
  2. I mapped my experience in healthcare compliance to digital forensic investigation principles. Reading Shavers’ Placing the Suspect Behind the Keyboard especially helped me become a better investigator and understand how my experience in healthcare investigations can be applied to digital forensics.
  3. A SANS course was not necessary to pursue digital forensics, but it was way more efficient for me than learning on my own. I took advantage of my employer’s reimbursement program. I sold the promotional SANS iPad. Free resources appear to be more available than ever. I’ve benefited from resources like the Digital Forensics Discord or DFIR Diva’s blog.
  4. Networking helps.
  5. I was presented an intermediate step to get digital forensic experience. I was prepared and I graciously accepted that opportunity. Digital forensic investigations is my primary role now.
