The Scenario
bits&digits was engaged by a Leading US HealthCare organization in response to a Regulatory Compliance Audit that revealed a number of significant risks within their Pharmacy and Fraud departments. The findings were of such a large scale both FBI and US Secret Service had assigned resources to this issue. While the client initially assigned an in-house investigation team for this problem, the findings indicated they did not possess the technology necessary to filter and process the massive amounts of data to a level that could be feasibly managed nor did they have the IT and Physical security acumen to produce reliable results. Paramount to the operation was “Who Knew What, When and How”.

Based on the very complex nature of the findings and the codependency of IT Forensics and Physical Security acumen the findings presented, in tandem with the sensitive nature of the Personal Health Records that were affected by these findings the Health Company sought out a firm with past performance in HealthCare Compliance Auditing (HIPAA/ HITECH), Employee Investigations and most importantly a unique expertise in Social Engineering and IT/ Physical Security Exploitation.

The Solution
Because the companies profile and the uniquely complex nature of this investigation bits&digits took a “Red Team” approach to the case. After a rigorous planning and evidence collection process to ensure the organizations HR/ Legal and IT Security process maturity was substantial enough to support the operation. The “Cell Member” conducted a complex investigation and security control review to exercise not only the workforce information security awareness but the physical security and access control training levels of the employees and 3rd Party Contractors that augment the Security Guard responsibilities.

The Red Team approach, of which only a select few members of the companies highest level of leadership were privy to prior to execution proved to be successful in determining how the companies sensitive data was compromised. Thorough investigation of access control logs and on the ground observations during the Social Engineering evolution provided valuable intelligence that revealed who was involved internally with the incident. In contrast the Red Team operation illuminated significant physical security issues and sensitive data destruction process vulnerabilities present within the company.

Social Engineering Employees for access to any sensitive data or access to an organization requires a very mature Information Security framework along with HR and Legal considerations. bits&digits maintains very intensive experience developing, training and executing such operations. With 200+ successful operations under our belt in both public and private sectors we assure a comprehensive and legal approach to your needs.

Client Wins 
To accompany the successful nature of the Red Team operation the following discoveries helped the client in many areas. bits&digits also developed the accompanying policies, controls and technical measures to alleviate the below risks. All of the following also served as Articles of Evidence to support the Regulatory Compliance audit findings for the current audit and for audits and reviews to come.

  • Employee Training and Security Awareness program maturity in satellite and remote offices were in need of significant improvement
  • bits&digits Developed a Comprehensive Information Security Awareness Training Platform and provided HR a strategic roadmap to deploy a Information Security Awareness Week campaign.
  • Sensitive Data Destruction Vendor Sourcing. The clients large scale handling of Intellectual Property in hard copy format opened many doors to negotiate with regards to Facility Security and Data Destruction. During the bits&digits Red Team operation we conducted a “dumpster dive” of the companies satellite location to discover vast amounts of incompletely shredded or fully legible sensitive documents. bits&digits developed the Data Classification system which was accompanied by the Data Destruction procedures to ensure appropriate destruction and containment procedures were in place for the organization.
  • Physical Security Access Control. bits&digits observed many instances where either the security guard or office manager did not validate our Cell Member for access to a location and or was distracted by conversation that allowed unauthorized entry into a sensitive and/or restricted area of the companies process facility. Furthermore the roving patrols that were hired to augment security camera visibility inadvertently allowed for various “timing blind spots”. bits&digits provided the 3rd Party Security Guard company with the observations but also at the request of the company developed a more efficient and operational security roving sequence to accommodate the resource challenge.
  • Who, What, Why, When. In conjunction with the clients Information Security team we consolidated email communication chains, system login times, sensitive data access logs, and CCTV captures to reveal the intruders method of obtaining, storing and ultimately selling the companies sensitive intellectual property. The collected artifacts were used in the successful civil and criminal prosecution of the 5 internal employee crime ring.