Why, When, and How to Involve IT in Your Lab’s Security Strategy

Get to know your IT team before you need them

Gail Dutton

The first time you meet your institution’s information technology (IT) professionals shouldn’t be just after your lab was hacked or when you have an IT problem.

“By building rapport and making relationships first, solving problems is much easier,” explains Dima Suponau, CEO and founder of the online customer service database numberforliveperson.com. Building a working relationship helps lab managers deal with IT issues before they become bigger problems, and helps IT personnel hit the ground running when problems do occur.

Scott Shindledecker, chief product security officer for the medical technology developer BD, agrees. “Lab managers and information security professionals need to work hand-in-hand. New cybersecurity threats emerge daily [and lab managers and IT need] to coordinate downtime for periodic cybersecurity maintenance, such as patch management.”

Be aware of cyber threats

Building a relationship with IT is about more than coordination, though. It’s about communications, too. Schindledecker advises lab managers to get to know IT and to stay informed about new security issues and ways they can be mitigated to limit potential risks in your own lab.

External threats to science laboratories may seem minimal, but they are real. The University of California-San Francisco, Michigan

State University, and Columbia College of Chicago all reported cyberattacks in 2020 aimed at stealing their virology research. The governments of the US and UK warned of cyberattacks targeting universities, research institutes, and pharmaceutical companies in an attempt to steal COVID-19 related research. As another example, Hammersmith Medicines Research in the UK was hit by a ransomware attack that leaked data from 2,300 patients.

Ultimately, the responsibility to ensure the integrity of data and other communications belongs to the lab manager, Schindledecker points out. Therefore, “taking a hands-on approach and working closely with the information security team allows lab managers to be confident their facility is in compliance and that all data that is transmitted and stored is secure.”

This is particularly true in the current work from home and virtual lab environment. As Brook Colangelo, vice president and chief information officer, Waters Corporation, says, “With so many employees currently working remotely, we are constantly testing, targeting, and training our employees to ensure our cybersecurity.” 

At Waters, Colangelo continues, “we utilize a ‘two-in-the-box’ system where scientists are paired with IT to drive solutions.” This strategy, which began more than three years ago, breaks down barriers between IT and the lab, and thus helps cybersecurity efforts to be more impactful. “We believe the two must continuously work together to maintain strong relationships to proactively identify potential risks and ultimately sustain the level of cybersecurity needed to protect our organization and customers,” he says.

How often should lab managers meet with IT?

Shindledecker recommends meeting with information security “at least once a month to evaluate current security measures, and anytime the US Department of Homeland Security Cybersecurity and Infrastructure Security Agency issues alerts that concern threats to critical infrastructure networks.”

These meetings are a good time to review cybersecurity protocols and threats that could affect the technologies in the lab. Lab managers should understand the security protocols that are in place and why those particular processes are used, as well as certain network activities (abnormal access patterns, for example) that should cause suspicion.

Host some of these meetings in the lab, Suponau advises. “Spending time in the lab allows the IT manager to get a better idea of what you do, how you do it, and how the IT department can help,” as well as your priorities and pain points. 

Monthly meetings also are an opportunity to enlist IT’s help for larger security-related projects. “The information security team should proactively perform a risk assessment of the enterprise, including your lab’s security. This can be annual—such as a SOC2-Type 2 assessment—or periodic, such as ISO27001 (every three years), or HITrust (every two years),” Shindledecker says.

IT also can help with:

  • Setting up an intrusion detection system (IDS) to monitor wireless networks for possible malicious activity
  • Protecting critical services by putting them on a secured network behind separate firewalls
  • Performing in-depth security risk assessments on all new vendors. Periodically reassess all vendors and use third-party assessments to ensure they (and your lab) are compliant with SOC2-Type 2 security guidelines
  • Conducting penetration tests with an independent red team (attacker) or an external firm

Stay updated on new requirements

For labs in healthcare settings, such as COVID-19 testing labs, the information security team also can provide advice regarding patient safety and privacy. 

“The US Coronavirus Aid, Relief, and Economic Security (CARES) Act requires COVID-19 testing facilities—including labs, hospitals, and nursing homes—to report testing data to local and federal health authorities daily,” Shindledecker explains. Once the samples reach COVID-19 testing labs, patients’ test results are transmitted from the testing instrument to the lab automation system. 

Despite the differences in tests (such as RNA and antigen detection systems), the data can be aggregated into a single informatics platform to simplify compliance and minimize the need for manual reporting. For example, BD Synapsys™ (which has been granted Emergency Use Authorization by the US Food and Drug Administration to perform SARS-CoV-2 diagnostic testing) automatically encrypts testing data for storage and transmission. 

Because informatics platforms have multiple contact points, such as electronic medical records (EMS) and lab information systems (LIS), as well as the local and federal public health authorities that are tracking COVID-19, security risks increase.

At the most basic protection level, lab managers should ensure access passwords and codes are changed regularly, maintain firewalls, and recognize the signs of a data breach.

When considering lab security, remember physical security, too, Nick Santora, CEO and security expert for the security awareness training company Curricula, advises. This includes limiting access to your laptop and not propping open doors—even temporarily—to labs that contain sensitive data.

And, as Jack Zmudzinski, a senior associate at future-processing.com, adds, “lab managers should always follow protocols for backing up work, shredding any sensitive hard copy documents, and making sure passwords are changed regularly.”

For lab managers, Santora says, "the goal is to get every single employee to understand their role in security. Without that recognition, you’ll never have the support needed."

To do that, replace dry “be secure” messages with content that is valuable and relatable. Santora recommends working with IT to develop engaging cybersecurity materials. Phishing quizzes, videos, and infographics are a few examples of strategies lab managers and IT can develop together to enhance the security culture within your organization.