For a practical next step, review our private infrastructure services, browse the medical practice FAQ, and explore the full WhyNotDoc security blog.
On March 22, 2026, a Dallas dermatology practice discovered unauthorized access to their patient database. The breach investigation that followed revealed a critical gap: the practice had no forensic evidence to determine when the intrusion began, what data was accessed, or how the attacker gained entry. Their logs retained only 30 days of history, insufficient to identify the initial compromise that likely occurred months earlier. Without forensic evidence, they faced the worst-case scenario assumptions: all 18,000 patient records potentially compromised, maximum notification requirements, and no ability to demonstrate containment or scope limitation.
Forensic readiness is the practice of preparing to collect, preserve, and analyze digital evidence before an incident occurs. For Texas medical practices, forensic readiness directly impacts breach response capability, regulatory compliance, insurance claims, and legal defensibility. The practices that weather breaches successfully are those that prepared their evidence collection capabilities in advance.
Forensic readiness goes beyond basic logging to create systematic evidence preservation capabilities. A forensically ready practice can reconstruct security incidents with sufficient detail to support investigation, regulatory reporting, and potential legal proceedings. Key components include:
Comprehensive Log Retention: Retain security-relevant logs for periods that support incident investigation. HIPAA requires access logging but does not specify retention periods. Forensic readiness demands longer retention than typical operational requirements. A Houston practice discovered a breach that began 8 months prior; their 90-day log retention left them unable to determine the initial attack vector or full scope of compromise.
Immutable Evidence Storage: Store logs and forensic evidence in write-once, read-many (WORM) storage that prevents tampering or deletion. Attackers routinely attempt to delete logs to cover their tracks. Immutable storage preserves evidence even when systems are compromised. A San Antonio practice's immutable log storage captured attacker activity that would otherwise have been deleted, enabling complete incident reconstruction.
Timestamp Synchronization: Ensure all systems maintain accurate, synchronized time. Forensic analysis depends on correlating events across multiple systems. Time discrepancies create uncertainty that attackers exploit. A Fort Worth practice's investigation was complicated by 17-minute time differences between their EHR and firewall logs, creating uncertainty about attack sequencing.
Evidence Collection Procedures: Document procedures for preserving evidence when incidents are suspected. Know how to capture memory dumps, disk images, and network traffic without contaminating evidence. A Georgetown practice's IT vendor inadvertently destroyed critical evidence by rebooting a compromised server before forensic capture.
Chain of Custody Documentation: Maintain records of evidence handling that support legal admissibility. Document who accessed evidence, when, and for what purpose. Chain of custody is essential if evidence will be used in legal proceedings or regulatory enforcement.
A family medicine practice in Corpus Christi experienced a ransomware attack in February 2026 that demonstrated both the value of forensic readiness and the consequences of its absence. The practice operated with minimal logging and no forensic preparation, creating significant response challenges.
Initial Detection: The attack was discovered when staff arrived to find ransom notes on all workstations. The practice immediately contacted their IT support vendor, who began remediation without forensic preservation. Critical volatile evidence in system memory was lost.
Investigation Challenges: The practice's firewall retained only 30 days of connection logs, insufficient to identify the initial compromise. EHR access logs showed suspicious activity for the previous two weeks, but earlier history was unavailable. Email security logs had been overwritten due to storage limitations. Without comprehensive logs, investigators could not determine how the attacker gained initial access, how long they had been present, or what data had been exfiltrated.
Compliance Consequences: OCR notification requirements mandate breach scope determination. Without forensic evidence, the practice had to assume worst-case scenarios: all 12,400 patient records potentially accessed, all data types potentially compromised. This assumption triggered maximum notification requirements, credit monitoring for all patients, and extensive media notification. The uncertainty also extended their investigation timeline, delaying required notifications beyond Texas's 48-hour mandate.
Insurance Complications: The practice's cyber insurance policy required evidence of security control operation for claims coverage. Limited logging prevented them from demonstrating that required controls were functioning before the incident. Their claim was initially denied based on insufficient evidence of control effectiveness.
Recovery Costs: Total breach costs reached $1.8 million, significantly higher than comparable breaches with adequate forensic evidence. The uncertainty-driven notification scope, extended investigation, and insurance complications all contributed to elevated costs. A forensically ready practice with similar size and breach type would likely have faced costs under $600,000.
Medical practices can implement forensic readiness without enterprise-level resources. Focus on high-value evidence sources and practical preservation capabilities:
Critical Log Sources: Prioritize logging from systems that provide the highest forensic value. Essential sources include firewall connections, authentication events, EHR access logs, privileged user activity, and email security events. A Tyler practice focused their limited resources on these five log sources, achieving adequate forensic coverage for their risk profile.
Retention Period Planning: Determine appropriate retention periods based on threat dwell time statistics and regulatory requirements. Healthcare attacker dwell times average 287 days, suggesting retention periods of at least 12 months for critical logs. A Dallas practice implemented tiered retention: 90 days for operational logs, 18 months for security logs, and 7 years for access logs related to patient data.
Centralized Log Management: Aggregate logs from all systems to a centralized, secure repository. Centralization enables correlation across systems and protects logs from local system compromise. A Houston practice uses a cloud-based SIEM that aggregates logs from all locations, providing unified visibility and long-term retention.
Log Integrity Protection: Implement cryptographic verification of log integrity. Hash chains or digital signatures prevent undetected log modification. An Austin practice's cryptographically signed logs provided irrefutable evidence of attacker activity that supported their regulatory response and insurance claim.
Network Traffic Capture: Consider selective network traffic capture for high-risk segments. Full packet capture provides the most detailed forensic evidence but requires significant storage. NetFlow or metadata capture offers a practical alternative, preserving connection records without full content storage. A Fort Worth practice captures NetFlow from their EHR segment, enabling connection analysis without excessive storage requirements.
When potential incidents are detected, immediate evidence preservation is critical. Practices should have documented procedures for:
Volatile Evidence Capture: System memory contains critical evidence that disappears when systems are rebooted or powered off. Document procedures for capturing memory dumps before any system restart. A San Antonio practice's incident response plan includes immediate memory capture steps that their IT vendor executed correctly during a suspected breach.
Disk Imaging: Create forensic images of compromised systems before remediation. Disk images preserve evidence that file-level backup might miss, including deleted files and unallocated space. A Georgetown practice's forensic disk image revealed attacker tools and exfiltration staging areas that would have been missed by standard backup restoration.
Log Preservation: Immediately secure and preserve all relevant logs when incidents are suspected. Copy logs to immutable storage and document preservation actions. A Corpus Christi practice now includes immediate log preservation in their incident response procedures, learned from their previous experience.
External Communication Documentation: Preserve all communications related to the incident, including emails, text messages, and meeting notes. These documents may become evidence in legal or regulatory proceedings. A Dallas practice's incident response documentation proved valuable during OCR review of their breach response.
Most medical practices lack internal forensic expertise. Establish relationships with qualified forensic resources before incidents occur:
Incident Response Retainers: Consider retainers with incident response firms that include forensic capabilities. Retainers ensure immediate availability and often include proactive readiness assessments. A Houston practice's retainer agreement provided 4-hour response time and included quarterly forensic readiness reviews.
Legal Coordination: Engage legal counsel familiar with healthcare breaches and forensic evidence requirements. Attorney-client privilege can protect forensic investigation findings. An Austin practice coordinates their forensic and legal resources through a single response framework.
Insurance Requirements: Understand your cyber insurance policy's forensic evidence requirements. Some policies require specific evidence types or preservation procedures for claims coverage. A Fort Worth practice aligned their forensic readiness program with their insurer's requirements, ensuring claims eligibility.
Law Enforcement Coordination: Establish relationships with local FBI field offices and Secret Service electronic crimes task forces before incidents occur. These relationships facilitate reporting and potential investigation. A Tyler practice's pre-established FBI relationship enabled rapid engagement when they experienced a sophisticated attack.
We assess your current logging and evidence preservation capabilities and implement forensic readiness programs that prepare you for effective incident response. Our evaluations include log source identification, retention planning, centralized aggregation, and incident response procedure development.
Call 469-252-7016 or schedule online. We help Texas medical practices prepare for breaches before they occur.