
Key Takeaways

  • Cyber forensics covers the methods experts use to collect, preserve and analyse digital evidence so that it can be relied on in judicial proceedings.
  • It requires a team of specialists who handle sensitive evidence and investigate data breach offences.
  • The medical sector is an attractive target for cyber-attacks and data breaches because it stores large volumes of sensitive information, including banking details.
  • Records held by medical organisations contain patients' insurance and financial details, which fetch a price on the dark web.
  • Data breaches are frequent in the medical sector in part because many organisations do not invest in current security measures.
  • Digital literacy in medical administration is needed to protect healthcare systems from cyber threats.


The growing popularity of internet-connected devices has made life easier and more accessible. Cyberspace is a free platform on which to express oneself and connect, but it is also a hub for criminal predators. Technology has been integrated into forensics since the 1980s. Cyber forensics, also known as computer forensics or digital forensics, is a reliable means of responding to cybercrime and data breaches.


Digital forensics is a branch of forensic science concerned with the preservation, identification and extraction of digital evidence in a form that is recognised by a court of law. Forensic method ensures the accuracy and integrity of the data extracted. It combines technology with forensic practice to help investigators present evidence in judicial proceedings. Cyber forensic experts are responsible for navigating digital platforms and collecting electronic evidence. Their reports have been key elements in resolving civil and criminal disputes, cyber offences and matters of national security.

Role of Cyber Forensics in Healthcare

Cyber technology is well established in the medical sector, and its use grew sharply after the COVID-19 pandemic. Telemedicine equipment is widely used to support quick decision-making, and hospitals rely on electronic health records (EHR) to track the progress of admitted patients. From patient records, drug prescriptions and lab results to other sensitive information, the healthcare industry owes its patients accuracy and accountability, typically through encrypted servers combined with easy access for staff. Even where every reasonable step is taken to ensure confidentiality, the threat of a security breach remains. Attackers who get past the perimeter and gain access to healthcare data can sell it to third parties for a considerable sum, compromising the security of patients, organisations and businesses and exposing identities on the dark web.

This is where cyber forensics meets healthcare. When sensitive data held by a medical organisation is compromised, investigators take forensic images of the affected systems and analyse those copies rather than the originals, so that the evidence can later be presented in court. This differs from other investigations in that the evidence is collected by IT professionals or e-discovery specialists, and the forensic soundness of their reports is rarely doubted because the process is precise and transparent.

A.    Data Breach Detection

Forensic experts look for signs of a data breach or of unauthorised access to records by unfamiliar accounts. They conduct detailed investigations to identify what compromised security, and the examination also limits the scope of damage that may still be continuing. This helps minimise long-term harm from system vulnerabilities and prevent future breaches. When data theft is committed over a network, the IP (Internet Protocol) addresses involved are analysed thoroughly; they can help to identify the offender's approximate geographical location, although this is unreliable where proxies or VPNs are used.

Traffic analysis is another way to investigate data theft. It helps determine what kind of data was compromised and when, identifies the source of the breach, and informs preventive measures to safeguard the system. Traffic analysis also reveals malware, phishing or other suspicious activity on the data server. Cyber forensic experts also look specifically for data exfiltration, the unauthorised transfer of data out of the organisation; exfiltration analysis helps establish which files left the system, when and where they were sent, and it can be used to fix liability on the individual responsible for the breach.
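The following is an added example, written for this article and not taken from any hospital system or vendor product, of how the indicators described above (unfamiliar accounts, bulk access to patient records, off-hours activity and a large transfer to an external address) can be screened for in an EHR access audit log. The log layout, the roster of known accounts, the internal address ranges and the thresholds are all assumptions made for the illustration.

```python
"""Screening an EHR access audit log for breach indicators.

Added example for this article; not code from any hospital system or vendor.
The log layout, the list of known accounts, the internal address ranges and
the thresholds below are assumptions made for the illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit log (not captured from a real system).
# Fields: timestamp | user | action | patient_id | bytes | destination_ip
SAMPLE_LOG = """\
2024-03-04T09:12:01Z|dr.rao|VIEW|P1001|2048|10.20.1.5
2024-03-04T09:15:44Z|dr.rao|VIEW|P1002|1900|10.20.1.5
2024-03-04T10:02:13Z|nurse.iyer|VIEW|P1003|2100|10.20.1.9
2024-03-04T02:20:11Z|svc_backup|VIEW|P2001|2000|10.20.3.14
2024-03-04T02:21:02Z|svc_backup|VIEW|P2002|2000|10.20.3.14
2024-03-04T02:22:19Z|svc_backup|VIEW|P2003|2000|10.20.3.14
2024-03-04T02:23:40Z|svc_backup|VIEW|P2004|2000|10.20.3.14
2024-03-04T02:24:55Z|svc_backup|VIEW|P2005|2000|10.20.3.14
2024-03-04T02:26:07Z|svc_backup|VIEW|P2006|2000|10.20.3.14
2024-03-04T02:31:40Z|svc_backup|EXPORT|-|8000000|198.51.100.23
2024-03-04T11:30:00Z|dr.rao|EXPORT|-|400000|10.20.7.2
"""

KNOWN_ACCOUNTS = {"dr.rao", "nurse.iyer"}  # assumed IAM roster of legitimate users
# Assumed hospital address ranges. Listed explicitly rather than relying on
# ipaddress.is_private(), which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BULK_THRESHOLD = 5        # distinct patient records per account per day (assumed)
EXFIL_BYTES = 1_000_000   # bytes exported to an external address (assumed)


def parse_line(line):
    """Split one audit record into typed fields (timestamps are UTC)."""
    ts, user, action, patient, size, dest = line.split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "action": action,
        "patient": patient,
        "bytes": int(size),
        "dest": ipaddress.ip_address(dest),
    }


def is_external(addr):
    """True when the destination is outside every assumed internal range."""
    return not any(addr in net for net in INTERNAL_NETS)


def screen_log(text):
    """Return the accounts and events that match each breach indicator."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    patients_per_user_day = defaultdict(set)
    findings = {"unknown_accounts": set(), "bulk_access": set(),
                "off_hours": set(), "exfiltration": []}
    for e in events:
        if e["user"] not in KNOWN_ACCOUNTS:          # unfamiliar account
            findings["unknown_accounts"].add(e["user"])
        if e["patient"] != "-":                       # count distinct records touched
            patients_per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
        if e["ts"].hour < 6 or e["ts"].hour >= 22:     # off-hours activity (assumed window)
            findings["off_hours"].add(e["user"])
        if (e["action"] == "EXPORT" and is_external(e["dest"])
                and e["bytes"] >= EXFIL_BYTES):       # possible exfiltration
            findings["exfiltration"].append({
                "user": e["user"], "when": e["ts"].isoformat(),
                "dest": str(e["dest"]), "bytes": e["bytes"]})
    for (user, _day), patients in patients_per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:           # bulk record access
            findings["bulk_access"].add(user)
    return findings


if __name__ == "__main__":
    for key, value in screen_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The screen is deliberately conservative: each indicator on its own can be benign (a backup service legitimately reads many records at night), so the output is a list of leads for the investigator to corroborate against network traffic and the account's provisioning history, not a verdict.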

B. Incident Response 

Another way to combat data breaches is incident response. This is an organised process for identifying and detecting a cyber-attack and initiating remedial steps to minimise the damage. It also includes preventive measures against malware. Incident response serves the core principles of information security, confidentiality, integrity and availability, known together as the CIA triad. It focuses on recovering the documents and the system as soon as an attack occurs, and it also acts as a preventive measure against further breaches. Combining incident response with cyber forensics helps avoid dire consequences and maintain operational functionality.

Combining digital forensics and incident response (DFIR) allows an organisation to respond effectively to cyber threats while preserving evidence. It fuses traditional incident response activities with cyber forensics, so that experts can investigate the breach and at the same time protect against further breaches. During the breach, the emphasis is on identifying and closing the gaps that allowed it, so that the attacker cannot cause further damage. Historically, digital forensics and incident response used different tools with similar methodology: forensic images of the user's computers and servers were collected separately from the log data and then analysed. With advances in tooling, the two have merged, making it simpler for the experts to examine the records and maintain the same

C. Digital Evidence Collection

The rise of cybercrime has given digital evidence recognition in courts around the world. The forensic soundness of the data collected is subject to limited scrutiny in judicial proceedings because the methods of collection, carried out by a team of cyber forensic experts, are transparent. Reports from the analysis of a compromised system must be accurate and precise, so the investigation is carried out by highly qualified technical experts, and the methodology must be strictly followed while collecting digital evidence. Digital evidence is collected in a few ways, including:

1.    Dead box data collection 

This method involves creating a forensic duplicate (image) of the entire storage of a system and analysing the copy while the system is powered off and disconnected from the network. It is called dead box because the system is entirely disconnected from the network and not running.

2.    Live Forensics.

Volatile information, such as the contents of memory, running processes and open network connections, is collected from the system while it is running and still connected to the network. That data is lost to the investigation once the system is powered down or disconnected.

3.    Mobile collection 

Mobile (portable) devices are easier to compromise and to wipe remotely. They include smartphones, smartwatches, tablets and laptops. When such devices are connected to a medical organisation's systems, they must be seized and isolated from all networks so that the data on them cannot be wiped or altered remotely.

4.    Network Connections

Network collection covers the working environment of the organisation where sensitive data is handled. The investigation focuses on organisational networks, VPNs (virtual private networks), internet routers and employee computers, as well as cloud storage. This includes well-known platforms such as Google Drive and Box where a hospital may store data.

D. Forensic Analysis:

Digital forensic analysis can provide robust evidence about the data breach and can detect malware in the system. It can also show whether the offender still has access to the system. The goal is to identify the offender and the intention behind the intrusion. Experts can also recover lost or damaged files, saving the organisation from further disruption. Forensic analysis yields electronic evidence on which reports are produced, enabling the organisation to take further steps. The process generally involves five steps.

 Step 1- Identification 

The investigation team identifies the systems and evidence involved in the incident. Experts examine tablets, smartphones, cloud services and IoT devices, among others, to confirm their suspicions. The evidence collected is usually data extracted from email messages and web history, including data from wearable technology such as smartwatches. It must be identified and collected with a specific methodology. The team takes these devices into custody and proceeds with the investigation.

Step 2 - Preservation

The evidence is collected, copied, isolated and handled in a way that keeps it admissible in court. This is called preservation. Considered the most important step of the analysis, preservation supports the narrative on which the case is argued. The evidence is captured through forensic imaging, with cryptographic hashes recorded so that the copy can be proven identical to the original, and the findings are later explained to non-investigators in plain language.
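The dead box acquisition described earlier and the preservation step above both rest on the same procedure: make a bit-for-bit copy, hash the original and the copy, and record the result so the copy can be re-verified at any later point. The script below is an added example written for this article, not the output of any forensic suite; it images an ordinary file so that it runs anywhere, whereas on a real seizure the source would be a block device opened through a write blocker. The examiner name, case number and sample content are placeholders.

```python
"""Bit-for-bit acquisition of an evidence file with hash verification and a
chain-of-custody record.

Added example for this article; not code from any forensic product. Images
an ordinary file so it runs anywhere; on a real seizure the source would be a
block device behind a write blocker. Examiner, case id and sample content
are placeholders.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 1 << 20  # 1 MiB read chunks


def sha256_file(path):
    """SHA-256 of a file read in chunks (works for images larger than RAM)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image, examiner="examiner-1", case_id="CASE-0000"):
    """Copy `source` to `image` block by block, hashing the source as it is
    read, then re-hash the written image so the copy is proven identical.
    Returns the acquisition record to be kept with the chain of custody."""
    source_hash = hashlib.sha256()
    size = 0
    # The source is opened read-only; nothing is ever written back to it.
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            chunk = src.read(BLOCK_SIZE)
            if not chunk:
                break
            source_hash.update(chunk)
            size += len(chunk)
            dst.write(chunk)
    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "bytes": size,
        "source_sha256": source_hash.hexdigest(),
        "image_sha256": sha256_file(image),
    }
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify_image(image, expected_sha256):
    """Re-check an image against the hash recorded at acquisition. Run this
    before analysis and again before the image is produced in court."""
    return sha256_file(image) == expected_sha256


def run_demo():
    """Acquire a constructed evidence file, verify the image, then show that a
    single appended byte is detected. Returns the results for inspection."""
    workdir = tempfile.mkdtemp()
    try:
        evidence = os.path.join(workdir, "ehr_export.db")
        image = os.path.join(workdir, "ehr_export.db.img")
        with open(evidence, "wb") as f:   # constructed sample content, not real PHI
            f.write(b"PATIENT,P1001,hba1c,7.2\n" * 50_000)
        record = acquire_image(evidence, image)
        intact = verify_image(image, record["image_sha256"])
        with open(image, "ab") as f:      # simulate tampering with the image
            f.write(b"\x00")
        after_tamper = verify_image(image, record["image_sha256"])
        return {"record": record, "verify_intact": intact,
                "verify_after_tamper": after_tamper}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The record is what an examiner signs and hands over with the image; anyone who later receives the image can recompute the hash and compare it with the recorded value without needing access to the original device.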

Step 3 - Analysis

This step involves reconstructing fragmented data to form an understanding of the breach: what actually happened when the security of the system was tampered with. To concentrate on relevant data, experts rely on toolkits to drive the investigation, such as email analysis, file analysis, decryption and password-cracking tools.
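A large part of reconstruction is putting fragments from different sources onto one clock. The script below is an added example written for this article, not the output of any forensic product: it merges an EHR audit log (ISO timestamps in UTC), a VPN appliance log (syslog style, no year, assumed to be in IST, UTC+05:30) and a firewall log (Unix epoch) into a single UTC-ordered timeline. The three log formats, the account name and the addresses are constructed for the illustration.

```python
"""Reconstructing one timeline from three log sources that use different
timestamp conventions.

Added example for this article; not code from any forensic product. The log
formats, the account and addresses, and the assumption that the VPN appliance
logs in IST (UTC+05:30) without a year field are constructed for the example.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))  # assumed local zone of the VPN log
Event = namedtuple("Event", "ts source actor detail")

# Constructed sample logs (not captured from a real system).
EHR_AUDIT = """\
2024-03-04T02:30:05Z|svc_backup|EXPORT|-
2024-03-04T09:12:01Z|dr.rao|VIEW|P1001
"""
VPN_LOG = """\
Mar  4 07:58:10 vpn01 openvpn: user svc_backup connected from 198.51.100.23
Mar  4 08:05:00 vpn01 openvpn: user svc_backup disconnected
"""
FIREWALL_LOG = """\
1709519500 ALLOW 10.20.3.14 -> 198.51.100.23:443 8000000 bytes
"""

VPN_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ openvpn: user (\S+) (.*)$")


def parse_ehr(text):
    """EHR audit lines: ISO-8601 UTC timestamp | user | action | patient."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield Event(when, "ehr", user, f"{action} {patient}")


def parse_vpn(text, year=2024, tz=IST):
    """Syslog-style lines carry no year and are in the appliance's local
    zone; both are supplied by the examiner and converted to UTC here."""
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        local = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year, tzinfo=tz)
        yield Event(local.astimezone(timezone.utc), "vpn", m.group(2), m.group(3))


def parse_firewall(text):
    """Firewall lines: epoch seconds VERDICT src -> dst:port bytes."""
    for line in text.splitlines():
        if not line.strip():
            continue
        epoch, verdict, src, _arrow, dst, nbytes, _unit = line.split()
        when = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        yield Event(when, "firewall", src, f"{verdict} -> {dst} {nbytes} bytes")


def build_timeline(ehr=EHR_AUDIT, vpn=VPN_LOG, fw=FIREWALL_LOG):
    """Normalise every source to UTC and return the events in time order."""
    events = [*parse_ehr(ehr), *parse_vpn(vpn), *parse_firewall(fw)]
    return sorted(events, key=lambda e: e.ts)


def format_timeline(events):
    """Human-readable lines for the report."""
    return [f"{e.ts.isoformat()} [{e.source}] {e.actor}: {e.detail}" for e in events]


if __name__ == "__main__":
    print("\n".join(format_timeline(build_timeline())))
```

Once normalised, the sequence (VPN connection, bulk export, outbound transfer to the same external address, disconnection) reads as one story; had the VPN log been taken at face value as UTC, the connection would appear to have happened five and a half hours after the export.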

Step 4 - Documentation 

Records are prepared from the data and are later presented in judicial proceedings. Steps 4 and 5 focus on the conclusions drawn from the records accumulated by the experts during the investigation.

Step 5 - Presentation 

This is the last stage of forensic analysis, in which the investigation is wrapped up and a conclusion reached.

3. Legal and Regulatory Framework

A. Information Technology Act, 2000

The Indian Parliament passed the Information Technology Act, 2000. The legislation recognises data breaches and cyber-related crime and makes the offender liable for violating the law. It gives evidential value to electronic records when they are duly authenticated, and it prescribes punishment for offenders found guilty. The data breach related cybercrimes punishable in India include tampering with computer source documents, hacking a system with malicious intent, breach of confidentiality and privacy, and publishing documents to commit fraud.

The sections that deal with these offences are:

Section 43 - accessing, downloading, damaging, altering or deleting data, or disrupting a computer, computer system or network, without the permission of its owner. The person responsible is liable to pay compensation to the owner for the damage caused.

Section 43A - a body corporate that is negligent in implementing reasonable security practices to protect the sensitive personal data it handles, and thereby causes wrongful loss or gain, is liable to pay compensation to the affected person.

Section 66 - prescribes imprisonment for a term of up to three years, or a fine of up to Rs 5,00,000, or both, for anyone who dishonestly or fraudulently does any of the acts referred to in Section 43.

B. Personal Data Protection Bill, 2019

The bill focused on the rights of data principals, the individuals whose personal data is processed by data fiduciaries. Data fiduciaries include hospitals and healthcare organisations providing services to their stakeholders. Data could be collected and processed only with the consent of the data principal, except on specified grounds. Sensitive personal data, which includes health data, could be transferred abroad only under certain conditions, and a copy had to remain stored in India. The bill proposed a national Data Protection Authority (DPA) to supervise and regulate organisations, and fiduciaries would have been bound to notify the DPA of any breach likely to cause harm to the data principal. The bill was withdrawn in August 2022 and has since been replaced by the Digital Personal Data Protection Act, 2023.

The bill defined sensitive personal data to cover financial, health, biometric, caste and religious or political belief data, among other categories. Data could be processed without consent for purposes such as national security, medical emergencies or legal proceedings. The bill also imposed obligations on data fiduciaries to limit the data they collect to what is necessary and to adopt security safeguards for the data they receive.

C. Health Data Management Policy under the National Digital Health Mission (NDHM)

Intending to digitise the records maintained by hospitals and medical organisations, the Indian Government has placed emphasis on the National Digital Health Mission, now called the Ayushman Bharat Digital Mission. The Ministry of Health and Family Welfare proposed it to encourage healthcare providers to maintain their records and registries on computerised networks. The National Digital Health Blueprint (2019) set out an architecture for interoperable access to health data across the nation, intended to benefit citizens seeking medical services, including in emergencies.

Many healthcare organisations maintain their own records and patient numbering. The policy aims to bring uniformity and integrity to patient records, so that an individual's health records are accessible across the country while the confidentiality of personal records is preserved. It also aims to maintain data privacy in the healthcare industry and to raise awareness of it. If records are digitised uniformly, they become easier to port, carrying details of a patient's health conditions and history. Participation is voluntary and records are to be protected. Data fiduciary organisations are also held to transparency and accountability, discouraging malpractice.


Source: National Cyber Forensic Lab (website).

Future of Cyber Forensics

India has seven Central Forensic Science Laboratories, and 33 cyber forensic-cum-training laboratories have been commissioned to examine electronic and digital evidence. Recognising the need of the hour, the Indian government is emphasising schemes to modernise forensic capabilities with current equipment. The Central Government is investing in the hope of countering cybercrime and strengthening the response in a comprehensive and coordinated manner.

4. Challenges in Cyber Forensics for Indian Healthcare

Healthcare in India is constantly evolving to meet consumers' needs, and this development has pushed organisations to adopt digital systems to store patient data. Their servers hold contact details, account details, Personal Health Information (PHI) and Electronic Medical Records (EMR), which tempt attackers. Medical organisations worldwide have been vulnerable to repeated attacks. Motives vary, but stolen data is commonly sold on the black market and used to commit insurance fraud.

A. Complexity of Healthcare Systems

The technology used in healthcare infrastructure combines many interconnected systems, each with its own deficiencies, often due to inadequate resources, lack of funds and failure to invest in strong security measures. Staff may unknowingly introduce vulnerabilities through poor password practices or ignorance of basic cyber hygiene. They often use insecure storage, and another core weakness is the absence of multiple layers of authorisation checks before access to data is granted.

B. Balancing Privacy and Security

Technology law struggles to keep pace with technological development. There are instances where data is obtained from individuals without valid consent, and despite strict laws and regulations on handling sensitive data, medical organisations themselves use it for commercial purposes. When data is transferred between organisations or across borders, adequate security measures are often not taken, and proper storage practices are sometimes neglected in the course of administrative relations between two medical organisations.

This harms the rights of data owners: personal details can be used to impersonate the individual, and the harm from mishandled information can be irreparable. An individual's right to privacy, recognised in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India, is also infringed when their data is compromised. Medical organisations therefore need to strike a balance between privacy and security when handling stakeholders' data. This requires adapting to evolving technology, an investment that will also reduce the administrative burden on the organisation.

5. Prevention Strategies

Medical data breaches have risen worldwide since 2021 without effective action or remedy. Rather than waiting to repair the damage, preventive measures can avert the dire consequences of a breach. First, medical staff responsible for maintaining databases should receive security awareness training, including avoiding suspicious emails and calls that could lead to unauthorised access. The other option is to deploy advanced cybersecurity solutions. Treated as an investment rather than a cost, intrusion detection systems and threat intelligence platforms can give healthcare organisations a much stronger barrier.

Some of the other effective measures that medical organisations can adopt are:
  1. Regular security audits - detect vulnerabilities in the system.
  2. Data encryption - maintains secrecy by rendering data unreadable without the key.
  3. Secure digital sign-in with strong authentication - limits intrusion and interference by unauthorised users.
  4. Employing experts - technology experts who perform regular checks and updates and act immediately in an emergency.
  5. Keeping up with evolving technology - limits the chance of the system being compromised.

6. Conclusion 

The healthcare industry depends heavily on digital systems to maintain and track patient records. Digitisation offers accessibility and constant tracking with a few clicks. Although healthcare centres now include networks and apps in their management systems, they often fail to keep up with the latest technology and leave their systems unpatched. This entices offenders to breach security and steal data. Offenders who sell sensitive information on the dark web often get away with their crimes, partly because legislation is not stringent enough.

A data breach is not only a threat to the individual or the organisation but harms the nation's interest as well. Inadequate action against offenders sets a poor precedent. The policies introduced by governments around the world are competent enough, but they collapse through improper implementation. Judicial and legislative authorities need to provide a proper framework, and the medical fraternity also bears responsibility for protecting the interests of its stakeholders. Employing technical experts to perform regular checks on servers is one way a potential cyber-attack can be avoided.

Regular investment in new technology also keeps security checks current. These measures could help in the battle against the lurking threat of cyber-attacks.

7. FAQs

What is cyber security in Health care?

In simple terms, cyber security in healthcare protects the data servers of healthcare organisations from unauthorised third-party access. It maintains the confidentiality of their customers, including patients, through measures such as well-configured firewalls and well-designed networks. A robust security system helps maintain continuity of the services provided by the medical industry and ensures that the privacy of patients and stakeholders is maintained.

What are the most dangerous cyber security threats?

The most common cyber security threats are:

  1. Email phishing - links or attachments in deceptive emails that give intruders a way into the system.
  2. Data breaches - the healthcare industry loses data through inadequate precautions and a lack of regular security checks.
  3. Ransomware - malicious software, often delivered through suspicious links, that encrypts data and demands payment for its release.
  4. IoT - Internet of Things devices that exchange data across interconnected systems and can expose the network to compromise.

What is the most common cause of cybersecurity breaches?

The most common causes of data breaches are:

1.    Weak passwords

Third-party access becomes easier if passwords are not complex, leaving data more vulnerable to cyber-attacks.

2.    Design deficiencies

Improper design leaves loopholes through which offenders steal data.

3.    Social engineering

Unauthorised access gained by deceiving people through calls, SMS, emails, or malicious files and links.

What is the biggest issue in healthcare which affects the organisation?

Data breaches are the biggest concern of the healthcare industry. Leaks of sensitive data can lead to legal liability for hospitals and to financial losses. Such breaches also damage the organisation's reputation, reducing demand for its services. Legislation penalising cybercrime is not strong and effective enough, which limits the ability of the judicial authorities to assist victims. Data breaches in healthcare organisations affect stakeholders' rights and expose them to further crime.

What kind of Data is protected by the India Digital Personal Data Protection Act 2023?

The Digital Personal Data Protection Act, 2023 received Presidential assent on 11 August 2023; its provisions come into force on dates notified by the Central Government. It applies to organisations that process digital personal data, that is, any data about an individual who is identifiable by or in relation to that data. This includes identification details, contact number, residential address, bank account details, insurance policy numbers, geographical location and property information, among others. It also covers processing outside India where it is connected with offering goods or services to data principals within India.

Article by Esha Goyal, LAWyersClubIndia.