The life science space has largely ignored security threats for a long time. As a result, “We're are atrociously ill equipped, and we need to change that,” according to Charles Fracchia, co-founder, Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), an international organization that addresses threats to the bioeconomy. “We’ve been in a really bad situation for a while and have now passed a real inflection point.”
Life science organizations have been attacked by ransomware and malware, and the attacks are increasing. The FBI says internet crime, overall, is up seven percent from 2020. The White House has issued warnings throughout the winter and spring, and the Department of Health and Human Services issued a warning in February. Although the warning focused on HIPAA (Health Insurance Portability and Accountability Act) protection, it noted that cybersecurity affects every aspect of operations and thus advised comprehensive risk management strategies wherever electronic information exists.
“Scholarly research is a target” because of its innovative nature and commercial value, says Daniel Ayala, chief security and trust officer for Dotmatics Group, a scientific informatics company.
Key life science cybersecurity challenges
“For life sciences lab mangers, the biggest security challenge is really just the underlying lack of attention that’s paid to security. People don’t realize that their entire scientific process is actually driven by digital tools, so, therefore, they have to be digital experts,” Fracchia explains. “Biologists aren’t trained in cyber hygiene, but in the next few years, you will not be able to be an effective scientist without knowing some basic cybersecurity.”
Ayala sees lab security as a triangle composed of confidentiality, data integrity, and data availability. “The integrity aspect is becoming more and more important,” he says. Lab managers, therefore, need to ensure that the data not only is accurate when it’s recorded, but that it remains accurate throughout its entire life cycle.
While the greater organization is concerned about continuing operations and recovering from loss of data, “life sciences lab managers’ greatest threat is espionage,” Chris Grove, security strategist, Nozomi Networks, says. Lab managers “need to be more protective of the data, rather than worrying about operations and availability.”
How to protect your lab’s data
Grove advises following best practice guidance and standards like those from NIST. The first step is to determine what challenges you are trying to solve and then which best practices are most applicable for your vertical and your environment.
“The number one thing, though, is to adapt a post-breach mentality,” Grove says. Assume your network has been infiltrated and all your data is in someone else’s hands. Determine what you need in terms of teams, tools, and communications to gather the right people quickly to conduct a forensics analysis that will identify when, where, and how the infiltration began, and what was affected. Determine whether you can recover data from backups or at least continue operating. Review the plans in a tabletop exercise to ensure their information (including contact information) and procedures are up-to-date and that they are helpful. And, because ransomware attacks lock out computers, have a printed copy of the plan available.
Always—even if you aren’t thinking about a breach—if something seems odd, be skeptical. “If data looks weird, atrociously bad, or the instruments start to misbehave in ways you haven’t seen before, follow your gut,” Fracchia says. Investigate the problem. Running an antivirus scan is a good first step to ensuring that the data hasn’t been tampered with.
To reduce the risk of a hacker infiltrating your laboratory, look carefully at remote access. During the pandemic, remoting-in to check on experiments became a normal way for scientists to work while reducing their presence in their labs, Yet, allowing users to access the laboratory network and its instruments and equipment from their personal devices (laptop, tablet, phone) poses a huge risk. Because those devices are connected to the Internet and can receive email, they are vulnerable to phishing attacks and malware that can worm its way onto the device and, from there, to the organization’s networks. Once in, it can steal and corrupt data, or shut down operations. Ultimately, it could cost the organization millions of dollars.
Therefore, sequestering the lab’s computing resources from the organization’s network and making it more difficult for anyone to enter reduces the risks. That involves working with IT to install firewalls, and using local drives and performing analyses on dedicated, air-gapped computers. “It's inconvenient for users because, suddenly, they have to share data in different ways,” Fracchia admits. Nonetheless, “The most important thing they can do is to actually cut the network link between the lab network and individual users’ computers.”
For many labs, completely air-gapping the lab isn’t practical. Using cloud-enabled tools mitigates the inconvenience, allowing ease of access to data while still protecting the integrity of the lab. Cloud computing options, however, should still require robust password systems and two-factor authentication, as should the lab network itself.
Protecting lab instruments and robotics
Laboratory instruments and equipment robotics is another concern. “Lab equipment doesn’t get the same level of protection as other computerized assets,” Ayala says. Therefore, in a ransomware attack, labs could lose their entire corpus of research or be recalibrated to report results erroneously, draw data for analyses from the wrong cells, or be compromised in other ways. With robotics, the question becomes whether they will perform properly—delivering the required quantities of liquid to microtiter plates, for instance. Strong passwords and multifactor authentication are the first line of defense in protecting such equipment as well as the lab’s network.
Beyond that, install the security patches and other software or firmware updates to instruments when they become available. Ideally, software and firmware updates can be installed automatically, so check the instrument’s settings to ensure that capability is enabled. “Instruments—scopes, meters, etc.—are vectors for potential malware that can change readings or infect the system,” Ayala points out. Therefore, take a risk-based approach and check instrument calibrations periodically.
“Keep copies of lab data all the way back to its origin,” Ayala says. He calls this “a path to integrity.” Then, to ensure the path can be followed, he advises backing up data by keeping three copies of the data, using two different storage mediums or systems, and keeping one copy offsite (such as in the cloud). In the case of a cyberattack or other disaster, at least one of those copies is likely to be available. Copies stored off-site can be used to verify the accuracy of the data stored on-site before the research is published or advances to the next stage. Backups also should be automated.
For each project, “Lab managers should allow time for security and maintenance when making commitments regarding the delivery of research,” Ayala says. “Security is part of the upkeep. Stay vigilant.”
Not a passing threat
The need to be keenly attuned isn’t a passing trend. “The threat is going to get a lot worse,” Fracchia predicts. As an example of what’s happening, he cited the May 2021 Colonial Pipeline hack that halted all oil transport to the East Coast via that pipeline for six days. “We’re already having that same problem.” One of the best-known examples occurred in 2017, when the malware known as ‘notPetya’ crippled Merck’s manufacturing operations, shutting down all computer usage for days and slowing manufacturing for months afterward.
Since the beginning of 2020, hackers have infiltrated the European Medicines Agency, Düsseldorf University, and other institutes of higher learning, as well as biopharma companies of all sizes, and many other organizations, according to BIO-ISAC. Most intrusions are never made public because of embarrassment and fear of regulatory repercussions.
Lab managers needn’t bear the full brunt of protecting their labs from such attacks, but neither are they wholly IT’s problem. “IT can’t tell whether your data looks funky or not,” Fracchia points out. Cybersecurity responsibilities, therefore, must be shared.
To do this, Ayala advises forming relationship with your organization’s IT and security professionals now, before intrusions occur. As encouragement, he says that IT’s mindset is changing from “no” to a risk-based approach that supports lab managers’ goals.
Lab managers also need to educate themselves about cybersecurity best practices and emerging threats. BIO-ISAC is launching educational efforts this spring that include meetups, stories from the trenches, and lessons learned to help life sciences professionals understand the threats and what they can do to minimize their exposure. Johns Hopkins Advanced Physics Laboratory (which advises the federal government on cybersecurity) is a key partner.