More likely than not, you have heard several stories about serious cyberattacks targeting private companies and government organizations. As biotech and healthcare data management moves online, and more data analysis is performed on remote cloud-based machines, the possibility of becoming the victim of a cyberattack becomes more real. It is important to note that, in general, cloud-based data repositories and cloud computing, if set up correctly, are a lot more secure than local or on-premises data management solutions. If you’re the project manager or IT administrator for an Electronic Lab Notebook (ELN) or a Laboratory Information Management System (LIMS), and you haven’t thought much about security, now is an excellent time to start! The process of securing your scientific computing operations doesn’t have to be time-consuming, labor-intensive or difficult; it’s all about being informed and knowing the steps you can take to keep your users and their research data safe.
Any piece of software or system that contains laboratory research data should be protected from malicious attackers who might use that information to harm your research or your organization. Your ELN likely houses sensitive personal information and passwords, as well as experiment data, private protocols and intellectual property. A breach in your cloud-based ELN could also lead to attacks on other company assets and severely compromise the performance of all connected systems. Even if the security breach does not directly lead to the theft of sensitive information, system performance is likely to degrade to the point where any kind of meaningful research data analysis and management becomes impossible. Therefore, it's important to keep your ELN solution secure. Let’s go through some of the steps you can take now!
The first step is to identify any regulations that apply to your organization and govern how you should handle personal information and research data. Several regulations focus on handling personal information. Among these, a common standard is the General Data Protection Regulation (GDPR), which is a European Union regulation. If you are located in Europe or have any users who are based in the European Union, then GDPR probably applies to you, and you’ll need to make sure you’re giving your users proper notice and obtaining their consent to use their information. A similar regulation is the California Consumer Privacy Act (CCPA). The CCPA has a narrower scope than GDPR: it only applies if your organization meets certain criteria. If you’re a for-profit organization and you have either $25 million in gross revenue per year OR have information about 50,000 California residents, then CCPA applies to you.
Neither of these regulations has specific rules for security, but both require organizations to take “reasonable” steps to protect their users. Both also have requirements for handling information and require you to notify users if their information is compromised in an attack. This might just mean applying security updates in a timely manner, using encryption appropriately, and other simple measures. If the information you hold is particularly sensitive, “reasonable” might mean getting your organization certified against a security standard such as ISO 27001.
For the regulated biotech and healthcare industries, national government rules also need to be considered. For example, the United States Food and Drug Administration (FDA) has several rules and regulations that directly affect how research data must be managed. One such rule is 21 CFR Part 11, which concerns the electronic storage of research data. We have several articles that cover this topic in more detail.
An important part of running a secure ELN is controlled document management using secure digital signatures. We have discussed the security implications of signatures in ELNs here previously. A properly recorded signature can secure data and documents and prevent unintended alterations. Digital signatures on uploaded files also provide a mechanism for checking file integrity and data fidelity, especially for large files containing large datasets. Your ELN solution may provide a mechanism for you to design a robust signature workflow customized to your laboratory environment. Understanding the legal implications of digital signatures and timestamps can benefit your operations in the long term. Additionally, the audit trails and automated version control offered by some ELN solutions can save your team a ton of time when it comes to internal and external audits of the chain of custody of the documents managed in the ELN.
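To make the file-integrity point concrete, here is an added example (not code from any ELN product or from this article) of how a signature on an uploaded dataset can later detect a single altered byte. It assumes the ELN holds an Ed25519 key pair per signer and hashes the file as a stream so that very large uploads never have to fit in memory; the key names, file contents and chunking are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// fileDigest hashes the upload as a stream so files larger than memory can be
// checked; the signature then covers the 32-byte digest rather than the whole file.
func fileDigest(r io.Reader) ([]byte, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return nil, err
	}
	return h.Sum(nil), nil
}

// signUpload produces the signature the ELN would store beside the uploaded file.
func signUpload(priv ed25519.PrivateKey, file io.Reader) ([]byte, error) {
	d, err := fileDigest(file)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, d), nil
}

// verifyUpload recomputes the digest on download and checks the stored signature;
// any altered byte changes the digest and the check fails.
func verifyUpload(pub ed25519.PublicKey, file io.Reader, sig []byte) bool {
	d, err := fileDigest(file)
	return err == nil && ed25519.Verify(pub, d, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // signer's key pair (assumed per-user)
	// Constructed dataset standing in for a large instrument export.
	dataset := bytes.Repeat([]byte("sample,1.02,0.98\n"), 100000)
	sig, _ := signUpload(priv, bytes.NewReader(dataset))
	fmt.Println("original verifies:", verifyUpload(pub, bytes.NewReader(dataset), sig))
	tampered := append([]byte(nil), dataset...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit in the middle of the file
	fmt.Println("tampered verifies:", verifyUpload(pub, bytes.NewReader(tampered), sig))
}
```

In practice the public key and the signature would be stored in the ELN record alongside the file so that an auditor can re-run the check without access to the signer's private key.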
Automating security tasks, from applying security patches to predicting incoming threats, is by far the most powerful tool in your arsenal. Automated tasks like auditing user permissions and adjusting settings when certain permissions are no longer necessary are a good way to take human error out of the equation. Automated tasks can be set up at your organization, within the ELN system and at the cloud host that houses the ELN solution. For example, Microsoft Azure provides a dedicated compliance dashboard where your ELN provider or administrator can apply and monitor security policies.
Whatever ELN you use, it likely has a variety of security settings. The default settings may not be suitable for your use case, and you can adjust them to fit your specific data security policies. Does your ELN give you control over user roles and permissions? Grant each user only the permissions needed to perform their daily laboratory tasks. Can you enforce two-factor authentication? This is the gold standard for protecting user accounts and it should be turned on. If you don’t understand the options available to you, consult your ELN supplier or vendor and your company's IT/security teams.
It is also advisable to adhere to the Principle of Least Privilege, and only give laboratory researchers and lab managers the minimum permissions they need to carry out their day-to-day work. In any security strategy, the users who log in and use the system are usually the weakest point of entry for cyberattacks. You can take steps to ensure that your security defense posture takes this into account.
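The permission audit described above and the least-privilege rule in this paragraph can be combined into one scheduled job. The following is an added example, not part of the article or of any ELN vendor's code: it compares an export of the ELN's permission table against a role policy and reports grants that exceed the user's role or have gone unused past an idle limit. The role names, permission names, users and dates are all constructed.

```go
package main

import (
	"fmt"
	"time"
)

// rolePolicy is the maximum permission set per lab role (assumed example roles and names).
var rolePolicy = map[string]map[string]bool{
	"researcher":  {"read_experiments": true, "write_experiments": true, "upload_files": true},
	"lab_manager": {"read_experiments": true, "write_experiments": true, "upload_files": true,
		"sign_records": true, "manage_projects": true},
}

// Grant is one permission held by a user, with the last time the ELN saw it exercised.
type Grant struct {
	User, Role, Permission string
	LastUsed               time.Time
}

// Finding names a grant to revoke and why: "exceeds_role" or "stale".
type Finding struct{ User, Permission, Reason string }

// auditGrants applies least privilege mechanically: anything outside the role policy,
// or unused for longer than maxIdle, is reported so a scheduled job can revoke it.
func auditGrants(grants []Grant, now time.Time, maxIdle time.Duration) []Finding {
	var out []Finding
	for _, g := range grants {
		switch {
		case !rolePolicy[g.Role][g.Permission]: // an unknown role also fails this check
			out = append(out, Finding{g.User, g.Permission, "exceeds_role"})
		case now.Sub(g.LastUsed) > maxIdle:
			out = append(out, Finding{g.User, g.Permission, "stale"})
		}
	}
	return out
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	grants := []Grant{ // constructed export of the ELN permission table
		{"alice", "researcher", "read_experiments", now.AddDate(0, 0, -1)},
		{"alice", "researcher", "sign_records", now.AddDate(0, 0, -1)},     // outside researcher role
		{"bob", "lab_manager", "manage_projects", now.AddDate(0, 0, -200)}, // idle for 200 days
	}
	for _, f := range auditGrants(grants, now, 90*24*time.Hour) {
		fmt.Printf("revoke %s from %s (%s)\n", f.Permission, f.User, f.Reason)
	}
}
```

Feeding the findings back into the ELN's permission API (or a ticket for the administrator) closes the loop the paragraph describes, with a human approving only the exceptions.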
Check if any privacy laws and government agency regulations apply to your organization, be mindful of how and where the research data is stored, and follow security best practices. Work closely with your team for help and ask your ELN provider about what customized security options they can provide. Think about the security of your ELN now, and start protecting your research data today!