Your lab is never too small or too hidden to be hacked or broken into. Life science laboratories are potential goldmines of data for what has become the big business of hacking. The point may not even be to steal the data, but to hold it for ransom. Alternatively, your lab could be used as an entry point to your organization’s larger network. Data, and access to it, is valuable and can be exploited.
Even when your data is safe, your lab could be seen as a source of chemicals or biologics that miscreants could use to harm the community. Alternatively, it could be a target of opportunity for anarchists wanting chaos.
As a lab manager, it’s your job to protect the workspace and its data. “Ultimately, you are only as safe as your weakest link,” Michael Schnall-Levin, senior vice president of R&D and founding scientist at 10x Genomics, tells Lab Manager.
There are three primary areas of security concern:
- Software used by connected instruments
- Hardware and software for freestanding lab instruments
- The physical lab and its personnel
A connected environment
“In the lab environment, lab managers often have little control over the software running on lab computers and equipment. Therefore, you must focus on lab user hygiene, cybersecurity training, and network-level protections,” says Schnall-Levin.
For example, “Keep all hardware and software updated so you can benefit from the latest security patches,” says Kristen Bolig, founder of SecurityNerd. “Not performing regular updates makes it easier for hackers to breach important data.”
Last spring, Kaspersky, a web security software provider, noticed that bogus security certificates had become a way to spread malware and to grant backdoor access to computer networks. These certificates appear genuine at first glance, and may even appear on legitimate sites. A closer look, however, reveals the lie. Tip-offs include misspellings of the company name or unusual URL formats, so read carefully before installing anything. Typing in the address of the legitimate site, rather than clicking an embedded link, also minimizes the risk of fraud.
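The tip-offs described above (misspelled company names, unusual URL formats) can be checked mechanically before anyone installs a download. The following is an added example, not code from the article or from Kaspersky; the allowlist, domain names, and sample URLs are constructed, and treating the last two host labels as the registered domain is a simplification.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist of vendor domains the lab installs from (constructed names).
TRUSTED = ("acme-instruments.example", "labvendor.example")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return the reasons a download URL looks suspicious (empty list = none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not-https")
    if parts.username is not None:          # text before '@' can mimic a real host
        reasons.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        return reasons + ["ip-literal-host"]
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode-label")    # may render as look-alike characters
    # Simplification: treat the last two labels as the registered domain.
    domain = ".".join(host.split(".")[-2:])
    if domain in TRUSTED:
        return reasons
    reasons.append("not-on-allowlist")
    for good in TRUSTED:
        if edit_distance(domain, good) <= 2:
            reasons.append("lookalike-of:" + good)
        elif good.split(".")[0] in host:
            reasons.append("trusted-name-in-other-domain:" + good)
    return reasons

# Constructed sample URLs, not taken from any real incident.
SAMPLES = [
    "https://downloads.acme-instruments.example/driver-update",
    "https://acme-instrurnents.example/driver-update",
    "https://acme-instruments.example.update-center.test/driver-update",
]
```

An empty result only means none of these heuristics fired; it does not establish that a download is genuine.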
Schnall-Levin advises training users so they’re aware of lab security protocols, such as not using lab resources for personal reasons (like checking personal email or web browsing). By restricting access, you can reduce the risk from phishing attacks, which are the number-one way hackers infiltrate networks. Once inside, they can enter all the connected computers throughout the system, as well as any connected networks. During 2020, the FBI reported that phishing instances more than doubled—to 241,342 complaints.
To reduce risks, “Identify which usernames and passwords could give someone unfettered access to your lab systems,” Schnall-Levin advises. “Reevaluate how these accounts are managed, which users should have access to those accounts, whether passwords are shared, and how passwords are stored. For example, are they written on sticky notes or in electronic documents where they could easily fall into the wrong hands?” Requiring two-step authentication is a good safeguard.
Alternatively, ask IT to set up password-less access to important systems or instruments by using cryptographic log-in credentials that can be unlocked with biometrics or security keys.
Schnall-Levin also recommends inviting your organization’s IT department to review the lab’s data handling practices, focusing on how lab users move data among systems. This helps IT identify what they can help protect with the organization’s broader IT security strategy, and may elicit specific tips for improvements.
“Your IT department should implement network-level protections, such as having multiple separate networks for different parts of the lab and placing network security sensors or firewalls between those networks, so threats like ransomware can be detected earlier and cannot spread as easily,” says Schnall-Levin.
Work with IT to establish a virtual private network (VPN) that lab workers can use when accessing data over public networks (such as a hotel WiFi network). A VPN masks the user’s internet protocol (IP) address so they can connect remotely without being easily traced, and it also creates an encrypted tunnel for data movement between the user’s device and, in this case, your lab instrument or network.
Diana Salazar, product marketing manager, enterprise backup and archive at Quantum, also recommends encrypting all the traffic on your applications as well as encrypting the endpoints. That includes lab instruments as well as users’ phones.
As the lab manager, establish and regularly update written lab security policies and procedures to button up your lab and minimize risks, as well as deal with any breaches.
“No single solution can achieve the protection needed given the assaults organizations are experiencing,” cautions Salazar. “If the network is infiltrated, your only defense is having several security checkpoints or roadblocks to slow the attack, giving you time to shut down systems.”
Protecting non-connected instruments
When adding computerized instruments to the lab, whenever possible, choose those that are “secure by design,” Luka Murn, principal software engineer at SciNote LLC, advises. Developers of “secure by design” software use good development and coding practices throughout development to build more secure products.
Some instruments include built-in security, auditing, and e-signature capabilities to enhance lab security by controlling access and tracking users’ actions on the device. Lab managers still need to ensure that data is encrypted, though. Even on supposedly secure devices, encryption is a vital countermeasure in the event that threat actors gain physical access to the lab or to lost or stolen mobile devices.
Remember physical security
“The most straightforward way for malicious persons to gain access to unauthorized data is to gain physical access to the hardware,” says Murn. This can happen when lab personnel prop open an otherwise locked door, let someone enter with them, or fail to check authorizations for those who claim they need access—such as accreditation or insurance inspectors, or even pest control personnel.
Sensitive labs are assumed to be locked, but for areas needing higher security, consider two-factor authentication and a key card, as well as door lock codes that change daily.
“A combination of card readers and CCTV to monitor access into the labs also may be considered, as well as an audit by the institute’s physical security team,” adds Schnall-Levin.
Remember that security concerns apply not just to securing data, but to preventing damage or theft of lab instruments and of the chemicals, biologics, and radioactive elements used in the lab. Therefore, maintain an accurate inventory so you’ll know right away if anything is missing.
For labs dealing with sensitive data or substances, make it a routine practice to perform background checks on lab personnel before hiring them. This step ascertains their identities, verifies their legal authorization to work in this country, and identifies any criminal history.
What to do if your lab is breached
Cybersecurity experts maintain that it is no longer a question of whether a computer will be hacked, but when. To minimize the impact of a breach, Schnall-Levin says, “Ensuring that you have a robust backup strategy is paramount. Granted, that can be more of a challenge for the lab, but as much as possible, you should back up laboratory computers and save important instrument and equipment configurations somewhere safe outside the lab.
“Ask yourself this,” he continues. “‘If all the files and configurations for anything with an Ethernet port got wiped out, which ones can I set up again without too much trouble? More importantly, which ones would I wish I had backed up somewhere else?’” Backup can be as simple as saving important files and configurations to a USB or cloud drive.
Alternatively, if data tampering is a concern and maintaining chain of custody is an issue, saving data using immutable distributed ledger technology (like blockchain) may offer a solution. IT should be able to help you.
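To show what tamper-evidence for backed-up files and configurations looks like in practice, here is an added example (not from the article) that uses a simple local hash chain, a much smaller technique than a distributed ledger or blockchain. The file names, timestamp, and function names are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

def seal(body):
    """Hash a record's fields in a stable (sorted-key) JSON encoding."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(ledger, name, data, when):
    """Append a record that commits to the backup's digest and the prior record."""
    body = {"name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "when": when, "prev": ledger[-1]["entry_hash"] if ledger else GENESIS}
    ledger.append({**body, "entry_hash": seal(body)})

def verify(ledger, backups):
    """Return a list of problems: altered records, missing or modified backups."""
    problems, prev = [], GENESIS
    for i, rec in enumerate(ledger):
        body = {k: rec[k] for k in ("name", "sha256", "when", "prev")}
        if rec["prev"] != prev or rec["entry_hash"] != seal(body):
            problems.append(f"record-{i}-altered")
        data = backups.get(rec["name"])
        if data is None:
            problems.append("missing:" + rec["name"])
        elif hashlib.sha256(data).hexdigest() != rec["sha256"]:
            problems.append("modified:" + rec["name"])
        prev = rec["entry_hash"]
    return problems

def demo():
    """Constructed instrument-configuration backups and one later change."""
    backups = {"sequencer-run.json": b'{"lanes": 8}', "plate-reader.cfg": b"gain=3\n"}
    ledger = []
    for name, data in backups.items():
        add_entry(ledger, name, data, "2024-01-05T10:00:00Z")
    clean = verify(ledger, backups)
    backups["plate-reader.cfg"] = b"gain=9\n"   # simulated change to a stored copy
    return ledger, clean, verify(ledger, backups)
```

The chain is only tamper-evident if the most recent `entry_hash` is also recorded somewhere the lab computers cannot rewrite, such as a system IT controls; otherwise the whole ledger could be regenerated.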
Large life science organizations may also consider purchasing a cybersecurity insurance policy. “This is a great measure to take, especially for labs that are harboring large quantities of important information,” says Bolig. “They offer protection in case of ransomware and malware attacks, and some offer risk mitigation services.”