
The Role of ELNs in Lab Data Security

Electronic lab notebooks enable reproducible research with secure data

Written by Gail Dutton

It’s easy to imagine the data in your lab is safe from outside threats like viruses and hackers because it is protected by a layer of enterprise-level security. The top electronic lab notebooks (ELNs) limit that risk by taking a zero-trust approach in which all users are authorized, authenticated, and continuously validated before they can access the applications and data. They also provide user access controls, traceability, and data encryption. 

In that way, they provide the security and integrity that is vital for reliable data analysis and data-based conclusions, as well as hosting other experimental and sample data such as observations, formulations, protocols, reagents, etc.

Industry standards and best practices

One of the overarching protections ELNs provide is compliance with industry standards and best practices, as well as with relevant government regulations. In the US, this means the Federal Risk and Authorization Management Program (FedRAMP). This program standardizes a risk-based data security approach for cloud service providers throughout the federal government. 

“FedRAMP (unlike a regulation like the General Data Protection Regulation–GDPR–which requires uniform application of data protection principles across the EU) deals with common security and privacy standards. It applies to cloud-based service providers that want to work with the US federal government or companies that work with the government. As such, it has become a gold standard in the US, similar to the adoption of ISO 27001 over the years,” says Jason Wilson, head of privacy and security at SciNote. “It extends into industry, whether or not you’re working within the federal government, because it sets a very high standard. It’s become a default standard.”

Also expect an ELN to comply with the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) standard 27001 for information security management. It advocates a robust, holistic risk management approach to current and future threats applying to people and technologies, as well as data security policies. 

Add-on modules enable some ELNs to comply with industry-specific regulations, but the onus is still on the user to meet relevant compliance standards. Life science labs, for example, can benefit from an ELN that helps them become compliant with 21 CFR Part 11 in the US and Annex 11 in the EU. 

An ELN should take a compliance-by-design approach in the software development lifecycle, providing features that help users meet industry standards and regulatory commitments. This can include an audit trail, electronic signatures, time stamps, and other security features that ensure any changes to data can be traced back to the individual who made the changes and when they were made. As projects advance, adherence to these regulations assures regulators that the submitted data is reliable.
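One way to make such an audit trail tamper-evident is to chain each entry to the hash of the one before it. The Python below is an added example, not code from the article or from any ELN product; the hash-chaining approach, field names, users, and record IDs are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" used for the very first entry (constructed)

def _digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so an unchanged entry always hashes the same.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(trail: list, user: str, record_id: str,
                 field: str, old, new, timestamp: str) -> dict:
    """Append one change record: who changed what, when, and the old/new values."""
    body = {
        "user": user, "record_id": record_id, "field": field,
        "old": old, "new": new, "timestamp": timestamp,
        "prev": trail[-1]["hash"] if trail else GENESIS,
    }
    entry = dict(body, hash=_digest(body))
    trail.append(entry)
    return entry

def verify_trail(trail: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or _digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def demo() -> tuple:
    # Constructed sample history for one hypothetical experiment record.
    trail = []
    append_entry(trail, "a.novak", "EXP-0042", "ph", None, 7.4, "2024-03-01T09:15:00Z")
    append_entry(trail, "b.kim", "EXP-0042", "ph", 7.4, 7.1, "2024-03-01T11:02:00Z")
    append_entry(trail, "a.novak", "EXP-0042", "status", "draft", "signed",
                 "2024-03-02T08:30:00Z")
    intact = verify_trail(trail)
    trail[1]["new"] = 7.4  # simulate a silent after-the-fact edit to history
    return intact, verify_trail(trail)

if __name__ == "__main__":
    print(demo())
```

The chain only detects edits if the most recent hash is also kept, or signed, somewhere the person editing the trail cannot reach; otherwise the whole chain can be recomputed.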

Automatic backups protect data

Ideally, ELN backups should occur automatically. “As a general rule, data should be backed up as many times as possible in the shortest period possible,” Miha Mencin, SciNote CTO, says. That means minute-by-minute saves as data is added or changed and nightly backups of the entire ELN to the cloud.

Ideally, ELN data will be backed up to the cloud and cross-replicated to multiple data centers in different geographic locations. “Therefore, for example, if something goes really wrong in one part of the US, the data can be retrieved from another site,” Mencin says. Note that data privacy and storage regulations shift depending on where a data center is located, so users should seek providers that have data centers located in their country. ELN cloud storage providers should host data centers in North America, Europe, Asia, and Oceania to reach as many users as possible. 

Lab data also should be encrypted. “Encryption is the most basic data hygiene,” Mencin stresses. Industry best practices call for using the Advanced Encryption Standard with 256-bit keys (AES-256). It is outlined in FedRAMP and ISO 27001 and approved in the US for top-secret government information. Atop that, a protocol, Transport Layer Security (TLS), further protects data on the move. The latest version, 1.3, was released in 2018.

This multi-tier encryption thwarts man-in-the-middle attacks, which, as the name implies, surreptitiously reroute or alter data in transit. With AES-256 encryption, even if TLS is breached, the data is still secure. It’s like having a lockbox inside an armored car.

Cloud storage

Large cloud platform providers like Amazon Web Services put comprehensive data security measures in place for their ELN customers. Because providing cloud services is their core business, they have the resources and expertise to ensure it is the best in the world.

Because many ELNs provide their applications as a service (Software-as-a-Service, or SaaS), the threat of security risks caused by unpatched software is reduced. Security doesn’t depend upon whether lab personnel have time to perform software updates themselves. For onsite deployments, software updates should always be installed on the local IT infrastructure.

In a virtual, cloud-based environment, a customer’s instance of the ELN can be independent of those of other clients. Each instance is like a safety deposit box inside a bank vault. Although many boxes share the vault, only specific users can access an individual box. This type of ELN deployment further increases the level of security.

Archiving

Data from an ELN has value to multiple business units outside the laboratory, and that value can persist for years. “Different industries have different rules for data retention,” Matjaz Hren, PhD, SciNote’s VP of product development, points out, so those businesses determine their own retention policies. “Archiving data for at least five years is often the minimum requirement.”

Ideally, an ELN will not delete any data for the duration of a client’s account with the service. Therefore, users can see the evolution of the data as it is accessed, analyzed, augmented, and compiled into reports, as well as how, when, and by whom it was changed.

Role-based access control

ELNs also help lab managers control users’ access to data. For example, a lab intern may be able to read data but not change it, and scientists and their collaborators may access some projects but not others. Controlling access is important not only from a security aspect but also in terms of managing the risks of errors or modifications that may affect data integrity.

The ability to segment access to data and reports provides the security labs need to allow collaborations with external organizations—including companies with which they sometimes may compete—while protecting proprietary information. Therefore, Hren says, “It is absolutely essential that an ELN have a really good, granulated access management.”

Authentication methods can be both secure and user-friendly. Single sign-on authentication technologies let users access many digital platforms with one log-in credential while providing multi-factor authentication. Typically, a user may sign in with a username and password and authenticate themselves with a biometric identifier (like a face or fingerprint scan), a PIN, a one-time code sent to a smartphone, or a physical token.

With that approach, “Lab users have one strong set of passwords they can remember, rather than many weak ones they may leave lying about on paper,” Hren says.

For added protection, a session timeout feature ensures that files aren’t left open indefinitely, thus limiting the ability of an unauthorized party to access or alter data surreptitiously if the user walks away. Human-readable formats also make it easier for users to spot entries that may be amiss.

Mobile security

Mobile apps that function as a companion to browser-based ELNs are still relatively uncommon. By accessing their ELN from their phones or tablets, scientists can easily check protocols and make notes at the bench without having to manually transcribe those notes, thus minimizing potential errors. Because these notations are synchronized with the ELN in real time, data is current and reliable.

The same security features that manage access to the browser version of the ELN—notably, multi-factor authentication—also should be in place for mobile apps. For example, a mobile authentication flow could require users to log into the ELN and generate a single-use, time-sensitive QR code that they then scan with their camera before accessing the ELN and signing into their appropriate sections.
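The server side of the single-use, time-sensitive QR flow described above could look like the following Python, an added example that is not from the article or any ELN vendor. The function names, the 60-second lifetime, the payload layout, and the in-memory nonce store are all assumptions; the returned string is what the QR code would encode.

```python
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key
TTL_SECONDS = 60                      # assumed lifetime of a QR payload
_used_nonces = set()                  # assumption: a real service uses a shared store

def _tag(msg: str) -> bytes:
    return hmac.new(SERVER_KEY, msg.encode(), hashlib.sha256).digest()

def issue_qr_payload(user_id: str, now: float = None) -> str:
    """Called after the user has logged in to the browser ELN (with MFA)."""
    if "|" in user_id:
        raise ValueError("user_id must not contain the field separator")
    now = time.time() if now is None else now
    msg = f"{user_id}|{int(now) + TTL_SECONDS}|{secrets.token_urlsafe(16)}"
    return msg + "|" + base64.urlsafe_b64encode(_tag(msg)).decode()

def redeem_qr_payload(payload: str, now: float = None):
    """Called when the mobile app submits the scanned code.
    Returns the user id on success, None on any failure."""
    now = time.time() if now is None else now
    try:
        user_id, expires, nonce, tag_b64 = payload.split("|")
        tag = base64.urlsafe_b64decode(tag_b64)
        expires_at = int(expires)
    except ValueError:
        return None                    # malformed payload
    if not hmac.compare_digest(tag, _tag(f"{user_id}|{expires}|{nonce}")):
        return None                    # forged or altered payload
    if now > expires_at:
        return None                    # time-sensitive: code has expired
    if nonce in _used_nonces:
        return None                    # single-use: code was already redeemed
    _used_nonces.add(nonce)
    return user_id

if __name__ == "__main__":
    code = issue_qr_payload("a.novak")        # constructed sample user
    print(redeem_qr_payload(code))            # first scan succeeds
    print(redeem_qr_payload(code))            # second scan is rejected
```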

In conclusion

ELNs, whether in the cloud or on-premises, are foundational to the protection of lab data. “ELNs are becoming mission control for the many technologies used in the lab,” Hren says, reducing complexity for lab managers and lab users alike.


About the Author

  • Gail Dutton has covered the business of biotech since the industry’s early days, writing features, whitepapers, and other communications. She has presented comments at the National Defense University and the Genopole Conference near Paris, and writes regularly for the EBD Group, GEN, and other publications. 
