|
|
| Line 1: |
Line 1: |
| [[File:Quality assurance laboratory 140305-N-OE749-012.jpg|left|400px]]Imagine a medical device manufacturer (which happens to incorporate laboratories, but that's not the main point here). A medical device manufacturer works in a highly regulated industry that not just asks but demands quality from the manufactured medical devices. As many such devices are increasingly electronic—and even network-enabled—it's imperative that cybersecurity is considered in their design and use.<ref name="NayyarTheUnique20">{{cite web |url=https://www.forbes.com/sites/forbestechcouncil/2020/12/22/the-unique-threats-posed-by-medical-iot-devices-and-what-to-do-about-them/ |title=The Unique Threats Posed By Medical IoT Devices And What To Do About Them |author=Nayyar, S. |work=Forbes |date=22 December 2020 |accessdate=21 August 2021}}</ref> As David Jensen of MasterControl noted in 2017: "The technologies that elevate the quality of life for patients can be used by cyber actors to undermine both the manufacturing organization and the products themselves. This means cybersecurity is as much a quality issue as it is a security issue."<ref name="JensenHow17">{{cite web |url=https://www.mastercontrol.com/gxp-lifeline/how-an-electronic-quality-management-system-helps-with-cybersecurity/ |title=How an Electronic Quality Management System Helps With Cybersecurity |author=Jensen, D. |publisher=MasterControl |date=03 June 2017 |accessdate=21 August 2021}}</ref>
| | Before we move on to choosing an MMSP, we need to briefly mention the shared responsibility model and how it relates to both the MSSP's (and CSP’s) services and assuring quality within the laboratory. Back in Chapter 2, we discussed the shared responsibility model, occasionally referred to as the "shared security model." We said the shared responsibility model is useful because it clarifies elements of responsibility for information security between the laboratory and the CSP in regards to provided cloud services. A trusted CSP should be able to make both levels of responsibility clear at every step of the way, from early contract discussions to late-stage changes to customer services. The CSP remains responsible for certain levels of the IT infrastructure and software, while the laboratory remains responsible for the security of the guest OS, account security, firewall settings, and more. This delineation of responsibility varies from provider to provider, but optimally the information is related clearly to the lab by each. |
|
| |
|
| Note that Jensen related "cybersecurity" and "quality" together, which naturally leads to a discussion of the [[quality management system]] (QMS). A QMS is "a set of related and interacting elements that organizations use to direct and control how quality policies are implemented and quality objectives are achieved."<ref name="ShoemakerCyber14">{{cite book |url=https://books.google.com/books?id=b1s8AwAAQBAJ&pg=PA62 |title=Cybersecurity: Engineering a Secure Information Technology Organization |author=Shoemaker, D.; Sigler, K. |publisher=Cengage Learning |pages=62–63 |year=2014 |isbn=9781285169903}}</ref> Those elements include, but are not limited to, documented processes, management models, business strategies, human capital, and information technology. Not only does the QMS help guide the implementation and achievement of organizational policy and objectives for resource management and personnel, but also it prompts an organization to focus on the core elements of quality management within its products and services: planning, control, assurance, and improvement. And just as the development and use of a QMS is often driven by standards (e.g., [[ISO/IEC 17025|ISO/IEC 17025:2017]] and [[ISO 13485|ISO 13485:2016]]), the QMS often drives the organization to adopt other standards as part of bringing quality to the organization. Using our medical device manufacturer as an example, their QMS may direct them to use the ANSI/CAN/UL 2900-1 standard for ensuring medical device cybersecurity protection.<ref name="WirthMedical20">{{cite book |url=https://books.google.com/books?id=oawCEAAAQBAJ&pg=PA23 |title=Medical Device Cybersecurity for Engineers and Manufacturers |author=Wirth, A.; Gates, C.; Smith, J. |publisher=Artech House |pages=23–24 |year=2020 |isbn=9781630818159}}</ref>
| | When it comes to MSSPs and the cloud, they are capable of further reducing the burden of responsibility the laboratory has in regards to not only their cloud services but also any networked on-premises systems. An MSSP can take on the responsibility of the guest OS, network configuration, firewall settings, and server-side encryption, as well as a select portion of client-side data encryption, data integrity authentication, application hardening, and network traffic monitoring and protection.<ref name="WangShared20">{{cite web |url=https://blog.cloudticity.com/shared-responsibility-cloud-managed-service-provider-security |title=Shared Responsibility in the Cloud: Reduce Your Security Burden With a Managed Security Service Provider (MSSP) |author=Wang, K. |work=Cloudticity Blog |publisher=Cloudticity |date=14 October 2020 |accessdate=21 August 2021}}</ref><ref name="SavirHowAMan">{{cite web |url=https://allcloud.io/blog/how-a-managed-service-provider-can-harden-security-across-your-business-and-save-on-costs/ |title=How a Managed Service Provider Can Harden Security Across Your Business and Save on Costs |author=Savir, L. |work=AllCloud Blog |date=n.d. |accessdate=21 August 2021}}</ref> This frees the laboratory from even more security detail, providing monetary, quality, and time investment benefits. As noted earlier, however, the laboratory is not completely free from worrying about security. A company culture of cybersecurity and quality must continue to be driven by strong management buy-in, well-documented business and quality policies, well-considered and -enforced operational policies, and regular quality training. |
|
| |
|
| Not only is the QMS vital to medical device manufacturers<ref name="JensenHow17" /><ref name="AGMedical21">{{cite web |url=https://www.tga.gov.au/sites/default/files/medical-device-cyber-security-guidance-industry.pdf |format=PDF |title=Medical device cyber security guidance for industry |author=Therapeutic Goods Administration |publisher=Commonwealth of Australia |date=March 2021 |accessdate=21 August 2021}}</ref><ref name="AssurXRisk17">{{cite web |url=https://www.assurx.com/risk-management-cybersecurity-compliance/ |title=Risk Management Best Practices for Cybersecurity Compliance |work=AssurX Blog |publisher=AssurX, Inc |date=30 January 2017 |accessdate=21 August 2021}}</ref><ref name="ApracitiCyber">{{cite web |url=https://apraciti.com/cybersecurity-quality-management-system-integration/ |title=Cybersecurity & Quality Management System Integration |publisher=Apraciti |accessdate=21 August 2021}}</ref>, but also the QMS plays an important role in most any laboratory's operations.<ref name="WHOLab11">{{cite book |url=https://www.who.int/ihr/publications/lqms/en/ |title=Laboratory Quality Management System Handbook |author=World Health Organization |publisher=World Health Organization |year=2011 |isbn=9789241548274}}</ref><ref name="USGSQuality">{{cite web |url=https://www.usgs.gov/about/organization/science-support/office-science-quality-and-integrity/quality-management-system |title=Quality Management System for USGS Laboratories |author=United States Geological Survey |publisher=United States Geological Survey |accessdate=21 August 2021}}</ref> And in the laboratory, a quality assurance officer or manager is responsible for helping develop and maintain the laboratory's QMS, which optimally will address the importance of cybersecurity in meeting the laboratory’s goals. But the connection between a laboratory's quality assurance officer and cybersecurity is sadly not well represented in the cloud computing era. Look through the job descriptions on online job boards for quality assurance officers and you will rarely find the word "security" mentioned. Sure, the relationship between "quality" and "security" gets discussed in the context of modern software development<ref name="WorrallWhy20">{{cite web |url=https://www.darkreading.com/vulnerabilities---threats/why-quality-and-security-both-matter-in-software/a/d-id/1338649 |title=Why Quality & Security Both Matter in Software |author=Worrall, J. |work=DarkReading |date=18 August 2020 |accessdate=21 August 2021}}</ref>, but what about within the context of a laboratory's operational quality and the people who drive it forward?
| | That said, how does the shared responsibility model affect the work of the QAO and laboratory's overall efforts to ensure security in the cloud, particularly with an MSSP? Primarily, shared responsibility says that the laboratory can't take a "set it and forget it" approach to security, even with a CSP and MSSP taking a significant portion of the responsibility off the laboratory's hands. Going back to the Wyoming Department of Health and its accidental upload of patient data to a public server, neither a cloud provider nor an MSSP could do much in this situation. We don't know the circumstances and technology surrounding their incident, but let's imagine that the public health lab was using a CSP and an MSSP. Certainly, the CSP would have no real say in how the lab uploaded content to a server outside its domain. The MSSP largely would have no blame either, as they likely wouldn't even be aware of the public server being uploaded to. No, that would be an internal policy issue, a solid example of how the laboratory would still have a shared stake in the responsibility of security at the lab. |
|
| |
|
| In a 2019 journal article for ''Lab Manager'' magazine, Sandia National Laboratories' chief information officer Carol Jones stated that "[c]ybersecurity is not just a technology problem; it is a people, process, and knowledge problem."<ref name="TulsiGreater19">{{cite web |url=https://www.labmanager.com/business-management/greater-awareness-and-vigilance-in-laboratory-data-security-776 |title=Greater Awareness and Vigilance in Laboratory Data Security |author=Tulsi, B.B. |work=Lab Manager |date=04 September 2019 |accessdate=21 August 2021}}</ref> While this is an accurate statement, shouldn't cybersecurity also be a quality problem for a laboratory? Yes, well-trained people, vetted processes, and relevant and timely knowledge is required to ensure secure operations, but quality management and assurance—which incorporates that training, SOPs, and knowledge—should also be part of that equation. One could argue that the responsibilities of a quality assurance officer or manager are already numerous and weighty. But shouldn't that person at least have a modicum of understanding about how well-implemented IT and software security in the lab correlates to improved quality assurance outcomes?<ref name="">{{cite journal |title=Fundamental Concepts of IT Security Assurance |journal=ISACA Journal |author=Hamidovic, H. |volume=2 |pages=45–9 |year=2012 |url=https://www.isacajournal-digital.org/isacajournal/2012vol2?article_id=1078418&pg=45}}</ref>
| | From that example, we'd have to turn to the work of laboratory staff and management, including the QAO. Again, imagining a scenario where the lab was using both a CSP and an MSSP, a number of questions would arise, primary among them being "were they fully aware of and committed to the security responsibility they shared with their service providers?" That level of responsibility would include engaging in cybersecurity discussions among management and key IT personnel, having frank discussions about risk, and bringing in outside help where expertise was lacking. It would also include having a thorough understanding of how lab workers do their job, including learning about any public servers they were using. And it would also, ideally, involve discussion about that laboratory workflow with the MSSP. With all these elements, the likelihood of foreseeing the risk associated with uploading data to public servers from laboratory computers would be optimistically high. Finally, if we add the element of either a laboratory QAO or "cybersecurity quality and compliance officer," one could imagine the scenario turning out differently for the Department of Health. In the end, however, it would have still required knowledgeable personnel, a strong laboratory-wide focus on cybersecurity, and a committed QAO familiar with the importance of the shared responsibility model—and at least the basics of information security—to help ensure the quality of laboratory operations and the information security required of them. |
| | |
| At this juncture, several questions must be asked about the quality assurance officer or manager in a laboratory operating in the 2020s:
| |
| | |
| * What is the importance of the quality assurance officer (QAO), and do they understand cybersecurity?
| |
| * How does the QAO help ensure quality of operations with security as a managed service?
| |
| * How do standard operating procedures (SOPs), security audits, and other elements of a QMS positively affect quality assurance by addressing cybersecurity and cloud hosting processes?
| |
| | |
| '''The importance of a QAO and their security knowledge'''
| |
| | |
| First, the definition of what a QAO does will largely vary from company to company. However, turning to Bartram and Ballance's 1996 guide ''Water Quality Monitoring,'' the author's describe a quality assurance officer as someone "to liaise with management, to manage data archives, to conduct regular audits and reviews of the QA system, and to report on any QA issues to the program or institution manager."<ref name="BartramWater20">{{cite book |url=https://books.google.com/books?id=5PQCEAAAQBAJ&pg=PA218 |title=Water Quality Monitoring: A practical guide to the design and implementation of freshwater quality studies and monitoring programmes |editor=Bartram, J.; Ballance, R. |publisher=CRC Press |page=218 |year=2020 |isbn=9780419223207}}</ref> They add that the QAO is also "responsible for regularly inspecting all aspects of the [record keeping] system to ensure staff compliance, for reporting on such inspections and audits to management, and for recommending improvements."<ref name="BartramWater20" /> But what of a more modern definition? Turning to ISO 9000, we get a bland and non-informative definition of quality assurance itself: "part of quality management focused on providing confidence that quality requirements will be fulfilled."<ref name="ISO9000">{{cite web |url=https://www.iso.org/obp/ui/#iso:std:iso:9000:en |title=ISO 9000:2015(en) Quality management systems — Fundamentals and vocabulary |publisher=ISO |date=2015 |accessdate=21 August 2021}}</ref> By extension, we then get "a person responsible for providing confidence that requirements for organizational quality are fulfilled." This is a broad description, sadly. However, pulling from Bartram and Ballance, the ISO, and other sources<ref name="SeekCyber21">{{cite web |url=https://www.seek.com.au/job/52226409?type=standard |archiveurl=https://web.archive.org/web/20210524220443/https://www.seek.com.au/job/52226409?type=standard |title=Cybersecurity Quality and Compliance Officer - 6 Month Contract |author=Genesis IT&T |work=Seek |date=10 May 2021 |archivedate=21 August 2021 |accessdate=21 August 2021}}</ref><ref name="ZippiaQuality">{{cite web |url=https://www.zippia.com/quality-control-officer-jobs/what-does-a-quality-control-officer-do/ |title=Quality Control Officer - What They Do |publisher=Zippia |accessdate=21 August 2021}}</ref>, we could go with something like:
| |
| | |
| <blockquote>A quality assurance officer (QAO) is an individual responsible for ensuring organizational quality through the regular management, monitoring, review, and auditing of documentation, record systems, data, and processes as they relate to organizational quality and compliance frameworks and initiatives, while also reporting timely results, making recommendations based on those results, and assisting with training staff on approved recommendations.</blockquote>
| |
| | |
| Given that definition, does the average QAO need to understand at least the basics of cybersecurity? That's arguable, to be sure. After all, there are job positions such as the "cybersecurity quality and compliance officer" and the like<ref name="SeekCyber21" />, with an individual who works directly with an IT department and its cybersecurity team to ensure all mandatory laws and regulatory requirements are being adhered to, much in the same way a QAO does but on a broader organizational basis. But what about the laboratory realm? Major laboratories with significant resources may have these sorts of positions, but smaller, independent labs may not. In that case, laboratory personnel will often wear many hats, including "the tech person" or "laboratory systems engineer." (See Joe Liscouski's discussion of the "laboratory systems engineer" in his 2020 guide ''[[LII:Laboratory Technology Planning and Management: The Practice of Laboratory Systems Engineering|Laboratory Technology Planning and Management: The Practice of Laboratory Systems Engineering]]'' for more on this topic.<ref name="LiskouskiLab20">{{cite web |title=[[LII:Laboratory Technology Planning and Management: The Practice of Laboratory Systems Engineering|Laboratory Technology Planning and Management: The Practice of Laboratory Systems Engineering]] |author=Liscouski, J. |date=December 2020}}</ref>) However, given that the security surrounding an organization's electronic efforts is vital to maintaining quality operations, and also given that—hopefully—cybersecurity efforts are documented and trained upon, it's not that far a leap to suggest that the laboratory QAO should have a rudimentary understanding of IT systems and how they are secured. If cybersecurity is interwoven into the laboratory culture, including quality management, the tech-savvy QAO will be a boon to the overall quality assurance process.
| |
| | |
| '''The QAO and managed security services'''
| |
| | |
| Where does a QAO and an MSS intersect in the lab? Judging by the previous statement that the QAO may need to review organizational documentation and training material regarding cybersecurity—and even audit or assess personnel on their use of that documentation and training—we can see deduce that a QAO may be required to audit the effectiveness of any implemented MSS, or at least the documentation and processes related to the MSS. Again, it's likely in mid- to large size organizations this responsibility will fall upon the shoulders of an IT lead or IT quality officer. However, these resources may not be readily available in some laboratory settings. If those resources aren't available, the QAO may be required to know more than they expected about what managed security services entail. They won't need to be MSS experts, but as the nature of computing in the laboratory continues to evolve, having laboratory staff with relevant knowledge of automation, data management systems, and even the cloud is increasingly vital.<ref name="LiskouskiLab20" />
| |
| | |
| '''The QMS and cybersecurity'''
| |
| | |
| In 2019, scientific and business consultancy Brevitas brought up the challenges of addressing cybersecurity in laboratories and other settings, noting evolving guidance that strives to address the business policies, security controls, informatics systems, and security monitoring required to better ensure the integrity and security of electronic records and data. They are one of a handful of consultancies that have publicly tied these types of standard-driven cybersecurity measures directly to the QMS<ref name="BrevitasCyber19">{{cite web |url=https://brevitas.us/cybersecurity-response/ |title=Cybersecurity Response |publisher=Brevitas |date=2019 |accessdate=21 August 2021}}</ref>:
| |
| | |
| <blockquote>The challenge is in ensuring that these measures are effectively integrated into the existing processes outlined in the organization’s quality management system (QMS). Consideration needs to be given to first integrating cybersecurity into risk and/or criticality assessments, then downstream into system security testing during qualification and/or validation activities. As the technological landscape evolves, organizations must be more effective in their implementation of cybersecurity measures to ensure the safety of their electronic records and data. These measures must be considered as part of the QMS for all activities involved in the lifecycle of a computerized system.</blockquote>
| |
| | |
| As has been previously mentioned, this type of philosophy is already woven into the fabric of medical device regulation and standardization, with 21 CFR 820 on quality system regulation, ISO 13485:2016 on quality management systems, and ANSI/CAN/UL 2900 on ensuring medical device security driving how medical device cybersecurity is addressed in the manufacturer's quality management system.<ref name="ApracitiCyber" /><ref name="LincolnCyber17">{{cite web |url=https://www.ivtnetwork.com/article/cybersecurity-buzzword-or-serious-safety-concern |title=Cybersecurity - Buzzword or Serious Safety Concern? |author=Lincoln, J.E. |work=IVT Network |date=17 April 2017 |accessdate=21 August 2021}}</ref><ref name="HeylOverview17">{{cite web |url=https://www.cybersecuritysummit.org/wp-content/uploads/2017/10/4.00-Justin-Heyl.pdf |format=PDF |title=Overview of UL 2900 - Medical Device Cybersecurity Workshop |author=Heyl, J. |publisher=UL |date=October 2017 |accessdate=21 August 2021}}</ref><ref name="UL2900ACyber19">{{cite web |url=https://www.fda.gov/media/123068/download |format=PDF |title=UL 2900: A Cybersecurity aid for industry and regulators |publisher=UL |date=2019 |accessdate=21 August 2021}}</ref><ref name="ISO13485">{{cite web |url=https://www.iso.org/standard/59752.html |title=ISO 13485:2016 Medical devices — Quality management systems — Requirements for regulatory purposes |publisher=ISO |date=March 2016 |accessdate=21 August 2021}}</ref> And it may be even easier for medical device manufacturers—as well as other laboratory types—to compile, organize, disseminate, and train upon cybersecurity risk analysis data and procedural documentation with the help of an electronic QMS.<ref name="JensenHow17" /> However, we can turn to some other businesses who have included security standards in their quality management system. Technology consultancy Konsolute has discussed why it chose to integrate ISO 27001 on information security management (and the information security management system or ISMS) into its business processes and the development of its electronic QMS, noting benefits of improved compliance, lower security risk, improved financial savings, improved reputation, and more new business.<ref name="KonsoluteCyber21">{{cite web |url=https://www.konsolute.com/blog/iso-27001-cybersecurity-quality-management/ |title=Cybersecurity of the future: Why we include ISO 27001 as standard in our Quality Management System |publisher=Konsolute |date=30 April 2021 |accessdate=21 August 2021}}</ref>
| |
| | |
| As it turns out, the ISMS and ISO 27001 have a bit in common with the QMS and ISO 9001, primarily with the goal of improving quality within the organization. Here again we see the link between a focus on cybersecurity and ensuring quality within an organization.<ref name="CVGInform20">{{cite web |url=https://cvgstrategy.com/information-security-management-system/ |title=Information Security Management System (ISMS) |publisher=CVG Strategy |date=2020 |accessdate=21 August 2021}}</ref><ref name="PatelISO17">{{cite web |url=https://www.schellman.com/blog/iso-9001-and-27001-the-relationship |title=ISO 9001 and 27001 – The Relationship |author=Patel, N. |work=Schellman Blog |publisher=Schellman & Company |date=16 October 2017 |accessdate=21 August 2021}}</ref> Senior associate Nikita Patel of Schellman & Company highlighted this association in 2017, saying that an organization "achieving this dual certification of an ISO 9001 and ISO 27001 can prove incredibly useful—in doing so, an organization can simultaneously demonstrate an organization’s ability and commitment to information security risk management, while also validating their dedication to the optimal delivery of their quality products and services."<ref name="PatelISO17" /> From addressing anything from scoping, leadership, human resources support, and document management to internal auditing, measurement and monitoring, management review, and [[Continual improvement process|continual improvement]], both the ISMS, focused on information security, and QMS, focused on organizational quality, improve the overall quality of an organization and its efforts.
| |
| | |
| '''The QAO in the context of these three points'''
| |
| | |
| Where does this all place the quality assurance officer in the scope of laboratory quality and information security? Whether it's managed security services, private or public cloud services, in-house networking, or a mix of all these, the modern laboratory is a technology-driven business requiring modern approaches to addressing the risks that technology carries with it. An on-site IT staff may handle many of the details associated with those efforts, but the QAO of the 2020s needs to also be familiar with how that technology works and how it impacts organizational quality initiatives. The QAO will interact with the lab's QMS, and perhaps even the ISMS if one separately exists. Ideally cybersecurity policy and procedure is already woven into the various elements of the QMS, or, worst case, the lab doesn't have much of a cybersecurity policy. This is where the QAO of today's lab must shine, "ensuring organizational quality through the regular management, monitoring, review, and auditing of documentation, record systems, data, and processes as they relate to organizational quality and compliance frameworks and initiatives." That means also understanding how managed security services and cloud services operate. It's perhaps a tall ask, but in today's competitive laboratory environment, the tech-savvy QAO is more important than ever.
| |
|
| |
|
| ==References== | | ==References== |
| {{Reflist|colwidth=30em}} | | {{Reflist|colwidth=30em}} |
Before we move on to choosing an MMSP, we need to briefly mention the shared responsibility model and how it relates to both the MSSP's (and CSP’s) services and assuring quality within the laboratory. Back in Chapter 2, we discussed the shared responsibility model, occasionally referred to as the "shared security model." We said the shared responsibility model is useful because it clarifies elements of responsibility for information security between the laboratory and the CSP in regards to provided cloud services. A trusted CSP should be able to make both levels of responsibility clear at every step of the way, from early contract discussions to late-stage changes to customer services. The CSP remains responsible for certain levels of the IT infrastructure and software, while the laboratory remains responsible for the security of the guest OS, account security, firewall settings, and more. This delineation of responsibility varies from provider to provider, but optimally the information is related clearly to the lab by each.
When it comes to MSSPs and the cloud, they are capable of further reducing the burden of responsibility the laboratory has in regards to not only their cloud services but also any networked on-premises systems. An MSSP can take on the responsibility of the guest OS, network configuration, firewall settings, and server-side encryption, as well as a select portion of client-side data encryption, data integrity authentication, application hardening, and network traffic monitoring and protection.[1][2] This frees the laboratory from even more security detail, providing monetary, quality, and time investment benefits. As noted earlier, however, the laboratory is not completely free from worrying about security. A company culture of cybersecurity and quality must continue to be driven by strong management buy-in, well-documented business and quality policies, well-considered and -enforced operational policies, and regular quality training.
That said, how does the shared responsibility model affect the work of the QAO and laboratory's overall efforts to ensure security in the cloud, particularly with an MSSP? Primarily, shared responsibility says that the laboratory can't take a "set it and forget it" approach to security, even with a CSP and MSSP taking a significant portion of the responsibility off the laboratory's hands. Going back to the Wyoming Department of Health and its accidental upload of patient data to a public server, neither a cloud provider nor an MSSP could do much in this situation. We don't know the circumstances and technology surrounding their incident, but let's imagine that the public health lab was using a CSP and an MSSP. Certainly, the CSP would have no real say in how the lab uploaded content to a server outside its domain. The MSSP largely would have no blame either, as they likely wouldn't even be aware of the public server being uploaded to. No, that would be an internal policy issue, a solid example of how the laboratory would still have a shared stake in the responsibility of security at the lab.
From that example, we'd have to turn to the work of laboratory staff and management, including the QAO. Again, imagining a scenario where the lab was using both a CSP and an MSSP, a number of questions would arise, primary among them being "were they fully aware of and committed to the security responsibility they shared with their service providers?" That level of responsibility would include engaging in cybersecurity discussions among management and key IT personnel, having frank discussions about risk, and bringing in outside help where expertise was lacking. It would also include having a thorough understanding of how lab workers do their job, including learning about any public servers they were using. And it would also, ideally, involve discussion about that laboratory workflow with the MSSP. With all these elements, the likelihood of foreseeing the risk associated with uploading data to public servers from laboratory computers would be optimistically high. Finally, if we add the element of either a laboratory QAO or "cybersecurity quality and compliance officer," one could imagine the scenario turning out differently for the Department of Health. In the end, however, it would have still required knowledgeable personnel, a strong laboratory-wide focus on cybersecurity, and a committed QAO familiar with the importance of the shared responsibility model—and at least the basics of information security—to help ensure the quality of laboratory operations and the information security required of them.
References
