User:Shawndouglas/sandbox/sublevel1

From LIMSWiki
Jump to navigationJump to search

The previous chapter explored many aspects of informatics in the laboratory, emphasizing that while software and hardware systems bring many benefits to the laboratory, a thoughtful, organization-wide approach to managing the risks that that software and hardware introduces—particularly when related to cloud computing—is required. Given these complications, it's unsurprising to learn some laboratories have turned to MSSPs to help them meet regulatory requirements and maintain the security of their on-premises and cloud-based data solutions. Examples of industries with research and laboratory work served by MSSPs over the years include the gemstone testing and grading[1], energy research and supply[2], clinical and forensic toxicology[3], and healthcare industries.[4][5] In all these examples, the implication is that proprietary trade secrets, critical infrastructure, or sensitive patient data must be protected. The laboratories operating in those industries could have attempted to keep security efforts in-house, but for one reason or another they chose to outsource a significant portion of that protection to a third-party MSSP.

But why even bother with this level of security? As previous chapters have noted, regulatory requirements are a significant driver to that end; if the lab won't meet its regulatory requirements, it risks major fines at a minimum, or at worst going out of business. In fact, some 60 percent of small businesses end up closing shop within six months of a cyberattack.[6] This happens for multiple reasons, with costs related to compliance fines, breach notifications, post-breach customer protection, public relations, reputation loss, attorney's fees, litigation, and operational disruption often laying waste to the business.[7] And it happens to businesses in almost every industry.

Laboratories are not exempt from these cyberattacks and losses, whether using on-premises systems or turning to the cloud. In 2019, Canadian laboratory testing business LifeLabs suffered a cyberattack on its systems that saw the attackers steal information and request a ransom to have the data returned. While it's not clear exactly what went wrong, talk of "[f]urther strengthening our systems to deter future incidents"[8] indicates something was off about LifeLabs' computer systems, something that likely could have been prevented with properly managed security services. In 2021, clinical at-home laboratory provider Apex Laboratory announced that it had been attacked by ransomware that hit its systems, which allowed hackers to take sensitive patient information and forcefully encrypt system and other data files until a ransom was paid.[9] This kind of attack also could have been prevented—or the damage at least mitigated—with active MSS protections. And in May 2021, news broke that benevolent hacking group Sakura Samurai, as part of a "vulnerability disclosure program" through the U.S. Department of Energy's Fermilab, had tracked down multiple vulnerabilities in Fermilab's systems, which have since reportedly been corrected.[10][11] Would have a knowledgeable and experienced MSSP caught these issues before Sakura Samurai?

However, the use of an MSSP in the laboratory can't prevent all cases of inadvertently compromising sensitive information. Take for example the case of the Wyoming Department of Health, which accidentally exposed sensitive health information about COVID-19, influenza, and controlled substance analyses in late 2020. An April 2021 news report indicated that more than 164,000 Wyoming residents were affected by the accidental uploading of files containing their testing information as part of a batch file upload to a public-facing GitHub server. While GitHub itself did not cause the release, the upload of the files—which were not intended to be in the upload batch of otherwise normal software code files—to the public servers by the Department of Health did. The Wyoming Department of Health notes that "[b]usiness practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained."[12]

This statement highlights that, ultimately, internal process and procedure that didn't address the use and corresponding potential risks of public-facing servers within day-to-day operations was to blame. Strictly speaking, any MSS in place could not have prevented the upload to GitHub, unless the MSSP had prior identified this type of risk and brought it to the attention of the laboratory. It's possible an MSSP could have encouraged the lab to turn to group policies or some other access control to limit internet access from laboratory computers[13], though a careful balance of managing security risk with ensuring lab tech productivity would still need to be maintained. However, in the end, this is largely a story of internal laboratory policy, not something an MSS could prevent unless previously anticipated. This naturally brings up the discussion about a laboratory's quality assurance officer and their increasingly important role in addressing cybersecurity and choosing CSPs and MSSPs for the lab.

References

  1. VirtualArmour International (8 April 2019). "VirtualArmour Expands Managed Cybersecurity Services with Global Gemological Organization". Intrado GlobeNewswire. https://www.globenewswire.com/news-release/2019/04/08/1799042/0/en/VirtualArmour-Expands-Managed-Cybersecurity-Services-with-Global-Gemological-Organization.html. Retrieved 21 August 2021. 
  2. PreScouter (October 2017). "Managed Cybersecurity Service Providers for Electric Utilities" (PDF). American Public Power Association. https://www.publicpower.org/system/files/documents/cybersecurity-service_providers_guide.pdf. Retrieved 21 August 2021. 
  3. "Case Study: Managed Detection Response for Toxicology Laboratory". Frontier Technologies, Inc. 2020. https://ftiusa.com/case-studies/case-study-managed-detection-response-for-toxicology-laboratory/. Retrieved 21 August 2021. 
  4. "Healthcare Managed Security Services Forum". Cylera. November 2020. https://resources.cylera.com/healthcare-managed-security-services-forum. Retrieved 21 August 2021. 
  5. "Putting Information Exchange to Work for Healthcare". ANXeBusiness Corp. http://anxebiz.anx.com/content/industries/healthcare. Retrieved 21 August 2021. 
  6. Galvin, J. (7 May 2018). "60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself". Inc.com. https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html. Retrieved 21 August 2021. 
  7. "BLOG: Cost of Cyber Crime to Small Businesses". Virginia SBDC Blog. Virginia SBDC. 30 May 2017. Archived from the original on 27 December 2020. https://web.archive.org/web/20201227041535/https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/. Retrieved 21 August 2021. 
  8. "Canadian Lab Test Firm LifeLabs Pays Ransom After Data Breach". Security. BNP Media. 26 December 2019. https://www.securitymagazine.com/articles/91467-canadian-lab-test-firm-lifelabs-pays-ransom-after-data-breach. Retrieved 21 August 2021. 
  9. Arghire, I. (4 January 2021). "Apex Laboratory Says Patient Data Stolen in Ransomware Attack". Security Week. https://www.securityweek.com/apex-laboratory-says-patient-data-stolen-ransomware-attack. Retrieved 21 August 2021. 
  10. Kirk, J. (7 May 2021). "US Physics Laboratory Exposed Documents, Credentials". Bank Info Security. https://www.bankinfosecurity.com/us-physics-laboratory-exposed-documents-credentials-a-16536. Retrieved 21 August 2021. 
  11. Willis, R. (6 May 2021). "Fermilab Hack, April/May 2021". Robert Willis Hacking. https://robertwillishacking.com/fermilab-hack-april-may-2021/. Retrieved 21 August 2021. 
  12. Flack, B. (27 April 2021). "Wyoming Department of Health Announces Data Breach of Thousands of Wyoming Residents". SweetwaterNow. Archived from the original on 27 April 2021. https://web.archive.org/web/20210427221317if_/https://www.sweetwaternow.com/wyoming-department-of-health-announces-data-breach-of-thousands-of-wyoming-residents/. Retrieved 21 August 2021. 
  13. Paul (3 June 2019). "How To Restrict Internet Access Using Group Policy (GPO)". The Sysadmin Channel. https://thesysadminchannel.com/how-to-restrict-internet-access-using-group-policy-gpo/. Retrieved 03 June 2019.