|
|
| (23 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| The previous chapter explored many aspects of informatics in the laboratory, emphasizing that while software and hardware systems bring many benefits to the laboratory, a thoughtful, organization-wide approach to managing the risks that that software and hardware introduces—particularly when related to cloud computing—is required. Given these complications, it's unsurprising to learn some laboratories have turned to MSSPs to help them meet regulatory requirements and maintain the security of their on-premises and cloud-based data solutions. Examples of industries with research and laboratory work served by MSSPs over the years include the gemstone testing and grading<ref name="IntradoVirtualArmour19">{{cite web |url=https://www.globenewswire.com/news-release/2019/04/08/1799042/0/en/VirtualArmour-Expands-Managed-Cybersecurity-Services-with-Global-Gemological-Organization.html |title=VirtualArmour Expands Managed Cybersecurity Services with Global Gemological Organization |author=VirtualArmour International |work=Intrado GlobeNewswire |date=08 April 2019 |accessdate=21 August 2021}}</ref>, energy research and supply<ref name="PreScouterManaged17">{{cite web |url=https://www.publicpower.org/system/files/documents/cybersecurity-service_providers_guide.pdf |format=PDF |title=Managed Cybersecurity Service Providers for Electric Utilities |author=PreScouter |publisher=American Public Power Association |date=October 2017 |accessdate=21 August 2021}}</ref>, clinical and forensic toxicology<ref name="FrontierCaseStudy20">{{cite web |url=https://ftiusa.com/case-studies/case-study-managed-detection-response-for-toxicology-laboratory/ |title=Case Study: Managed Detection Response for Toxicology Laboratory |publisher=Frontier Technologies, Inc |date=2020 |accessdate=21 August 2021}}</ref>, and healthcare industries.<ref name="CyleraHealthcare20">{{cite web |url=https://resources.cylera.com/healthcare-managed-security-services-forum |title=Healthcare Managed Security Services Forum |publisher=Cylera |date=November 2020 |accessdate=21 August 2021}}</ref><ref name="ANXPutting">{{cite web |url=http://anxebiz.anx.com/content/industries/healthcare |title=Putting Information Exchange to Work for Healthcare |publisher=ANXeBusiness Corp |accessdate=21 August 2021}}</ref> In all these examples, the implication is that proprietary trade secrets, critical infrastructure, or sensitive patient data must be protected. The laboratories operating in those industries could have attempted to keep security efforts in-house, but for one reason or another they chose to outsource a significant portion of that protection to a third-party MSSP.
| | {{Saved book |
| | |title=Introduction to Quality and Quality Management Systems |
| | |subtitle= |
| | |cover-image=Time-Quality-Money.png |
| | |cover-color=#fffccc |
| | | setting-papersize = A4 |
| | | setting-showtoc = 1 |
| | | setting-columns = 1 |
| | }} |
|
| |
|
| But why even bother with this level of security? As previous chapters have noted, regulatory requirements are a significant driver to that end; if the lab won't meet its regulatory requirements, it risks major fines at a minimum, or at worst going out of business. In fact, some 60 percent of small businesses end up closing shop within six months of a cyberattack.<ref name="Galvin60_18">{{cite web |url=https://www.inc.com/joe-galvin/60-percent-of-small-businesses-fold-within-6-months-of-a-cyber-attack-heres-how-to-protect-yourself.html |title=60 Percent of Small Businesses Fold Within 6 Months of a Cyber Attack. Here's How to Protect Yourself |author=Galvin, J. |work=Inc.com |date=07 May 2018 |accessdate=21 August 2021}}</ref> This happens for multiple reasons, with costs related to compliance fines, breach notifications, post-breach customer protection, public relations, reputation loss, attorney's fees, litigation, and operational disruption often laying waste to the business.<ref name="SBDCC_BlogCost17">{{cite web |url=https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |archiveurl=https://web.archive.org/web/20201227041535/https://www.virginiasbdc.org/blog-cost-of-cyber-crime-to-small-businesses/ |title=BLOG: Cost of Cyber Crime to Small Businesses |work=Virginia SBDC Blog |publisher=Virginia SBDC |date=30 May 2017 |archivedate=27 December 2020 |accessdate=21 August 2021}}</ref> And it happens to businesses in almost every industry.
| | ==''Introduction to Quality and Quality Management Systems''== |
| | {{ombox |
| | | type = content |
| | | style = width: 500px; |
| | | text = This book should not be considered complete until this message box has been removed. This is a work in progress. |
| | }} |
| | The goal of this short volume is to act as an introduction to the quality management system. It collects several articles related to quality, quality management, and associated systems. |
|
| |
|
| Laboratories are not exempt from these cyberattacks and losses, whether using on-premises systems or turning to the cloud. In 2019, Canadian laboratory testing business LifeLabs suffered a cyberattack on its systems that saw the attackers steal information and request a ransom to have the data returned. While it's not clear exactly what went wrong, talk of "[f]urther strengthening our systems to deter future incidents"<ref name="SecurityCanadian19">{{cite web |url=https://www.securitymagazine.com/articles/91467-canadian-lab-test-firm-lifelabs-pays-ransom-after-data-breach |title=Canadian Lab Test Firm LifeLabs Pays Ransom After Data Breach |work=Security |publisher=BNP Media |date=26 December 2019 |accessdate=21 August 2021}}</ref> indicates something was off about LifeLabs' computer systems, something that likely could have been prevented with properly managed security services. In 2021, clinical at-home laboratory provider Apex Laboratory announced that it had been attacked by ransomware that hit its systems, which allowed hackers to take sensitive patient information and forcefully encrypt system and other data files until a ransom was paid.<ref name="ArghireApex21">{{cite web |url=https://www.securityweek.com/apex-laboratory-says-patient-data-stolen-ransomware-attack |title=Apex Laboratory Says Patient Data Stolen in Ransomware Attack |author=Arghire, I. |work=Security Week |date=04 January 2021 |accessdate=21 August 2021}}</ref> This kind of attack also could have been prevented—or the damage at least mitigated—with active MSS protections. And in May 2021, news broke that benevolent hacking group Sakura Samurai, as part of a "vulnerability disclosure program" through the U.S. Department of Energy's Fermilab, had tracked down multiple vulnerabilities in Fermilab's systems, which have since reportedly been corrected.<ref name="KirkUS21">{{cite web |url=https://www.bankinfosecurity.com/us-physics-laboratory-exposed-documents-credentials-a-16536 |title=US Physics Laboratory Exposed Documents, Credentials |author=Kirk, J. |work=Bank Info Security |date=07 May 2021 |accessdate=21 August 2021}}</ref><ref name="WillisFermilab21">{{cite web |url=https://robertwillishacking.com/fermilab-hack-april-may-2021/ |title=Fermilab Hack, April/May 2021 |author=Willis, R. |work=Robert Willis Hacking |date=06 May 2021 |accessdate=21 August 2021}}</ref> Would have a knowledgeable and experienced MSSP caught these issues before Sakura Samurai?
| | ;1. What is quality? |
| | :''Key terms'' |
| | :[[Quality (business)|Quality]] |
| | :[[Quality assurance]] |
| | :[[Quality control]] |
| | :''The rest'' |
| | :[[Data quality]] |
| | :[[Information quality]] |
| | :[[Nonconformity (quality)|Nonconformity]] |
| | :[[Service quality]] |
| | ;2. Processes and improvement |
| | :[[Business process]] |
| | :[[Process capability]] |
| | :[[Risk management]] |
| | :[[Workflow]] |
| | ;3. Mechanisms for quality |
| | :[[Acceptance testing]] |
| | :[[Conformance testing]] |
| | :[[Clinical quality management system]] |
| | :[[Continual improvement process]] |
| | :[[Corrective and preventive action]] |
| | :[[Good manufacturing practice]] |
| | :[[Malcolm Baldrige National Quality Improvement Act of 1987]] |
| | :[[Quality management]] |
| | :[[Quality management system]] |
| | :[[Total quality management]] |
| | ;4. Quality standards |
| | :[[ISO 9000]] |
| | :[[ISO 13485]] |
| | :[[ISO 14000|ISO 14001]] |
| | :[[ISO 15189]] |
| | :[[ISO/IEC 17025]] |
| | :[[ISO/TS 16949]] |
| | ;5. Quality in software |
| | :[[Software quality]] |
| | :[[Software quality assurance]] |
| | :[[Software quality management]] |
|
| |
|
| However, the use of an MSSP in the laboratory can't prevent all cases of inadvertently compromising sensitive information. Take for example the case of the Wyoming Department of Health, which accidentally exposed sensitive health information about COVID-19, influenza, and controlled substance analyses in late 2020. An April 2021 news report indicated that more than 164,000 Wyoming residents were affected by the accidental uploading of files containing their testing information as part of a batch file upload to a public-facing GitHub server. While GitHub itself did not cause the release, the upload of the files—which were not intended to be in the upload batch of otherwise normal software code files—to the public servers by the Department of Health did. The Wyoming Department of Health notes that "[b]usiness practices have been revised to include prohibiting the use of GitHub or other public repositories and employees have been retrained."<ref name="FlackWyoming21">{{cite web |url=https://www.sweetwaternow.com/wyoming-department-of-health-announces-data-breach-of-thousands-of-wyoming-residents/ |archiveurl=https://web.archive.org/web/20210427221317if_/https://www.sweetwaternow.com/wyoming-department-of-health-announces-data-breach-of-thousands-of-wyoming-residents/ |title=Wyoming Department of Health Announces Data Breach of Thousands of Wyoming Residents |author=Flack, B. |work=SweetwaterNow |date=27 April 2021 |archivedate=27 April 2021 |accessdate=21 August 2021}}</ref>
| | <!--Place all category tags here--> |
| | |
| This statement highlights that, ultimately, internal process and procedure that didn't address the use and corresponding potential risks of public-facing servers within day-to-day operations was to blame. Strictly speaking, any MSS in place could not have prevented the upload to GitHub, unless the MSSP had prior identified this type of risk and brought it to the attention of the laboratory. It's possible an MSSP could have encouraged the lab to turn to group policies or some other access control to limit internet access from laboratory computers<ref name="PaulHowTo19">{{cite web |url=https://thesysadminchannel.com/how-to-restrict-internet-access-using-group-policy-gpo/ |title=How To Restrict Internet Access Using Group Policy (GPO) |author=Paul |work=The Sysadmin Channel |date=03 June 2019 |accessdate=03 June 2019}}</ref>, though a careful balance of managing security risk with ensuring lab tech productivity would still need to be maintained. However, in the end, this is largely a story of internal laboratory policy, not something an MSS could prevent unless previously anticipated. This naturally brings up the discussion about a laboratory's quality assurance officer and their increasingly important role in addressing cybersecurity and choosing CSPs and MSSPs for the lab.
| |
| | |
| ==References==
| |
| {{Reflist|colwidth=30em}}
| |
