February 25, 2019
On June 27th, 2017, a massive ransomware attack infiltrated computer systems and locked up files (via encryption) at companies around the world and government ministries in Ukraine. Merck & Co. was among those affected. Merck employees arrived in their offices in the morning to find a ransomware note on their computers with hackers demanding payment to release critical files.
Upon learning of the attack, the company disabled its email system, and 70,000 employees were forbidden from touching their computers and told to go home. All told, Merck’s global manufacturing, research and sales were impacted for nearly a week, costing the company an estimated $310 million in the third quarter of 2017 due to increases in the cost of goods sold and operating expenses, along with lost sales.
Pharmaceutical companies typically have large quantities of research, clinical trial and patient data, along with critical intellectual property (IP), to protect. As a result, life science companies are an enticing target for cybercriminals. But it’s not just external threats from hackers or malware that pharmaceutical companies face; there are also internal threats from disgruntled, malicious or noncompliant employees that need to be addressed.
According to a recent report by Gartner, businesses spent over $114 billion worldwide on security services and products in 2018 alone. With expanding connectivity of information systems, laboratory instruments, computer workstations, and mobile devices to the internet and wireless networks, data protection and security have become critical components of laboratory information technology (IT) infrastructure for the pharmaceutical industry.
As industry-leading pharmaceutical organizations strive to integrate legacy systems and digitize all aspects of the product lifecycle in order to gain a competitive edge, the need to continuously protect all forms of data in all locations and transmissions can become a challenging task. In this blog, we provide some best practice recommendations for maintaining laboratory data security.
Out-of-date operating systems. One of the biggest data vulnerabilities in pharmaceutical companies occurs because laboratories often run proprietary, highly customized software on lab computers. This prevents timely operating system upgrades and security patches, leaving these computers vulnerable to hackers. It is common to see Windows XP or even Windows 95 operating on laboratory computers, making security patches on these machines virtually impossible.
Windows XP was in fact leveraged by the hackers in the Merck data breach described above. If out-of-date operating systems are required to run certain software in your laboratory, best practice is to isolate those machines behind several layers of protection and keep them segregated from your main network.
Malware protection. Modern anti-virus software can protect computers from computer viruses, trojan horses, computer worms, spyware, ransomware, etc. This software is critical due to the increased number and severity of cyber-attack threats. All laboratory computers should have robust anti-virus software installed and configured for automated, regular virus definition updates and file scanning. Various internet software suites can provide additional security by adding firewalls and application access control or privacy features. Additionally, workforce policies and procedures and employee education are highly recommended to prevent at-risk behaviors.
Interfaced instruments. Laboratory instruments these days run widely used Windows operating systems and Transmission Control Protocol/Internet Protocol (TCP/IP)-based network protocols for communications. This exposes them to the same security issues as laboratory computers, meaning the instrument’s operating system and hardware protection must be approached in the same way as for typical computers.
Mobile devices. Increased use of mobile devices (e.g., smartphones, tablets, etc.) and wireless medical devices can create significant data security challenges for pharmaceutical companies. Companies should take steps to develop secure authentication for mobile devices, along with the ability to track and secure mobile devices remotely by locking or wiping out information.
On-premise hosting data security. With internet connectivity, data security involves not only safeguarding computers themselves, but also protecting the network and the information that is stored and transmitted. Until fairly recently, many pharmaceutical laboratories licensed informatics software such as laboratory information management systems (LIMS) from a vendor and installed it directly on the lab servers/computers in what is known as an on-premise deployment. This hosting option allows strong data security with data protected by the company firewall, although using cloud-based services (e.g., attachments in Gmail, Dropbox/Box, etc.) behind your firewall is a possible point of failure.
External and cloud-based hosting data security. In recent years, several vendors have begun to offer deployment compatible with external hosting, offering full application functionality accessed through a device’s web browser and hosted at a third-party data center. In addition, there are now fully external cloud-based “Software-as-a-service” offerings. While on-premise hosting behind the company firewall can provide the best data security, data security in the cloud has come a long way in recent years, and single-tenant, private cloud hosting options do exist with enhanced security.
The bottom line is that, when utilizing external or cloud-based hosting for informatics software, it is critical for companies to do a thorough audit of the network vendor to ensure adequate security is in place. What does their network configuration look like? How often do they perform security audits? This vendor audit can either be done by a skilled in-house IT team or outsourced to a qualified external consultant.
HIPAA compliance. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) mandates certain administrative, physical, and technical safeguards to ensure the privacy and protection of patient medical information and health records. For internet transmission of patient data, the minimum security requirements stipulated by HIPAA utilize Secure Sockets Layer (SSL) protocols, which encrypt data using a private key, to protect patient confidentiality. Web servers supporting SSL protocols have web addresses starting with “https” instead of “http.” Virtual private network technology provides another option for HIPAA compliance, securing communication over public networks by creating a secure tunnel and encrypting all data.
Passwords. Another important aspect of ensuring data security in pharmaceutical laboratories is making sure that the informatics solutions themselves have best practice data security features. Written policies are required to document the manner in which employees gain access to information systems. All applications will have passwords enabled as the main method of user authentication. Organizations should formulate procedures for creating, changing and safeguarding passwords that allow access to systems with critical data. Regulations also mandate that strong passwords be enforced for logging in to all information systems and medical applications. Applications should have security questions enabled to permit easy recovery of lost passwords.
Two-factor authentication. Sometimes a strong password simply isn’t enough to prevent hackers from accessing your applications. Best practice is to utilize two-factor authentication (2FA) to make sure accounts don’t get hacked. After entering a password, users are prompted to enter a code generated by an application or sent to their smartphone. Applications utilized by pharmaceutical laboratories should ideally have 2FA capabilities.
Role-based access control. Pharmaceutical laboratory information systems should also have the ability to control which users can use the system, what information they have access to, and what they can do with the data (e.g., read only, or the ability to change or delete data) with role-based permissions. Role-based access control (RBAC) allows access to information in the system based on the specific role of the user.
Computer systems should also have the ability to accommodate special situations and override standard RBAC settings in case of emergency. Finally, organizations should have procedures in place to maintain the RBAC system, adjusting permissions when necessary and terminating access when employees leave the company.
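The role-based permissions, emergency override and access termination described above can be sketched as follows. This is an added example, not code from Astrix or any LIMS product; the role names, the `AccessControl` class and the rule that an override requires a documented reason and is logged for review are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Hypothetical roles and permissions for a LIMS-like application.
ROLE_PERMISSIONS = {
    "viewer": {"read"},
    "analyst": {"read", "change"},
    "lab_manager": {"read", "change", "delete"},
}
ALL_ACTIONS = {"read", "change", "delete"}


class AccessControl:
    def __init__(self):
        self.user_roles = {}   # active users only: user -> role
        self.audit_log = []    # every decision is recorded for later review

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.user_roles[user] = role

    def terminate(self, user):
        # Removing the user revokes all access, including emergency override.
        self.user_roles.pop(user, None)

    def check(self, user, action, emergency_reason=None):
        role = self.user_roles.get(user)
        if role is None or action not in ALL_ACTIONS:
            decision = "deny"
        elif action in ROLE_PERMISSIONS[role]:
            decision = "allow"
        elif emergency_reason and emergency_reason.strip():
            # Emergency override: permitted only with a documented reason,
            # and flagged so a reviewer can examine it afterwards.
            decision = "override"
        else:
            decision = "deny"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "decision": decision, "reason": emergency_reason,
        })
        return decision != "deny"

    def overrides(self):
        # Entries a compliance reviewer should look at first.
        return [e for e in self.audit_log if e["decision"] == "override"]
```

Denied requests are logged as well as granted ones, so the same audit trail supports the periodic permission reviews mentioned above.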
Employee training and compliance. All laboratory personnel should have a basic understanding of data security threats and comply with company policies and procedures designed to prevent them. Security awareness training should be provided for all employees at the time of their hire, and this initial training should be reinforced periodically with follow-up security reminders. Compliance must be enforced in the laboratory and needs to be monitored on a regular basis through an audit and risk analysis process. Training and compliance software is available to get signoff from your lab personnel that they understand data security.
Peripheral devices. Any IT hardware, namely computer terminals, should be viewed as a potential site for rogue employees to extract data via peripheral storage devices (e.g., USB thumb drives, eSATA disk drives). Software/hardware solutions need to be in place to prevent this scenario unless the employee is specifically authorized. Appropriate steps also need to be taken to prevent employees from working with non-company machines.
While there are clear benefits to connected operations in pharmaceutical laboratories in terms of data integrity, innovation and operational efficiency, this connectivity also creates serious security risks that must be addressed. There is no magic bullet when it comes to data security – no single methodology or technology will get the job done. Data security efforts must therefore be comprehensive using multiple layers of protection.
Companies should undertake regular assessments of data security risks and develop a comprehensive data security strategy that uses multiple layers of protection in each of the areas described in this article – hardware security, network security, application security and personnel security. Additionally, data security concerns need to be a big part of the selection process when choosing applications to implement in your laboratory.
Astrix has over 20 years of experience implementing laboratory informatics applications in ways that maximize data security. Our experienced professionals help implement innovative informatics solutions that allow organizations to turn data into knowledge, increase organizational efficiency, improve quality and facilitate regulatory compliance.