Collecting personally identifiable information (PII) increases your lab’s cybersecurity risk. Even if you don’t deal directly with the public, your business clients may send PII with their orders. You also keep data about your lab’s employees and contract staff. Storing this sensitive information in databases and spreadsheets with limited access control opens your lab to financial, legal, and regulatory repercussions.
This introduction to protecting PII in the laboratory will explain the variety of PII that labs collect, the risks this creates for your lab, and how a laboratory information management system (LIMS) can secure sensitive personal data.
For a more comprehensive look at laboratory data security, download the Guide to Lab Security with a LIMS.
What is personally identifiable information?
PII is any information that directly or indirectly reveals an individual’s identity. Direct identifiers include:
- Social Security number,
- Driver’s license number, and
Indirect identifiers include:
- Transaction history,
- Zip code,
- Date of birth,
- Race, and
Why is collecting PII risky for a laboratory?
Digital marketers combine direct and indirect identifiers to target people with advertising. Criminals combine PII to steal people’s identities, gain access to their accounts, and commit other crimes. This is why 83 percent of security breaches lead to the theft of sensitive PII. Large companies aren’t the only targets. Small and mid-sized organizations face similar risks.
Reputational risks: Stolen PII undermines customer trust. When employee data goes missing, morale and loyalty suffer.
Financial risks: Up-front costs include rebuilding networks, paying ransoms, and the initial business disruption. Over the long term, labs risk losing clients.
Legal risks: Labs can expect civil lawsuits from the individual victims of your security breach and from business clients whose confidential data was compromised.
What regulations cover personal information?
Privacy regulations amplify your lab’s reputational, financial, and legal risks. If you do not secure PII properly, your lab could violate the strict standards many governments place on the public’s right to privacy.
Healthcare privacy regulations
Labs in the healthcare industry must protect patient information under the Health Insurance Portability and Accountability Act (HIPAA). Losing or compromising patient information can result in HIPAA fines of up to $50,000 per violation.
National and state privacy regulations
The General Data Protection Regulation (GDPR) established personal privacy rights for European Union citizens, as well as stiff penalties for violations—up to four percent of annual revenue in some cases.
California passed similar regulations with the California Consumer Privacy Act of 2018 (CCPA). Companies doing business in the state must protect any PII they collect about California residents. Colorado and Virginia have similar laws that take effect in 2023.
Congress is also working on bipartisan national data privacy regulations, in the form of the American Data Privacy and Protection Act (ADPPA). These proposed regulations define PII more broadly than state regulations and, if enacted, would apply to most businesses and non-profits.
How the LabLynx ELab LIMS protects your lab’s PII
A cybersecurity breach's regulatory, financial, legal, and reputational consequences can be severe. The LabLynx ELab LIMS solution offers the data security and access control features laboratories need to protect any personally identifiable information they collect.
All data stored in or passing through the LIMS software are fully encrypted and inaccessible to hackers. Because encrypted data is more secure, many privacy regulations exempt encrypted data from civil penalties and individual lawsuits.
Giving staffers broad access to lab systems undermines lab security since stolen login credentials let hackers breach network defenses. A LabLynx LIMS will let you define granular access rules—based on user roles and locations—that allow people to get their work done while minimizing the impact of stolen login credentials.
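To make the role-and-location rule concrete, here is an added example (written for this page, not LabLynx code) of a field-level access check over the direct and indirect identifiers named above; the role names, site names, and record fields are assumptions, and the sample order is constructed.

```python
from dataclasses import dataclass

# Identifier classes as the article groups them: direct vs. indirect PII.
DIRECT = {"ssn", "drivers_license"}
INDIRECT = {"zip_code", "date_of_birth", "transaction_history"}
NON_PII = {"sample_id", "assay"}

# Hypothetical roles mapped to the field classes they may read (least privilege).
ROLE_FIELDS = {
    "analyst": NON_PII,
    "client_services": NON_PII | INDIRECT,
    "hr_admin": NON_PII | INDIRECT | DIRECT,
}


@dataclass
class User:
    name: str
    role: str
    home_site: str   # site the account was provisioned for
    login_site: str  # site the current session originates from


def authorize(user: User, record_site: str, fieldname: str) -> bool:
    """Allow a read only when role, record location and session location agree."""
    if fieldname not in ROLE_FIELDS.get(user.role, set()):
        return False
    # Location rule: the record must belong to the user's own site and the
    # session must come from that site. A valid but stolen credential used
    # from elsewhere is refused, which limits what the thief can read.
    return user.home_site == record_site == user.login_site


def redacted_view(user: User, record: dict) -> dict:
    """Return a copy of the record with every field the user may not read masked."""
    site = record["site"]
    return {k: v if k == "site" or authorize(user, site, k) else "***"
            for k, v in record.items()}


# Constructed sample order record; the values are placeholders, not real data.
ORDER = {"site": "Denver", "sample_id": "S-001", "assay": "CBC",
         "zip_code": "80202", "date_of_birth": "1990-01-01", "ssn": "000-00-0000"}

if __name__ == "__main__":
    print(redacted_view(User("tech1", "analyst", "Denver", "Denver"), ORDER))
    print(redacted_view(User("hr1", "hr_admin", "Denver", "Remote"), ORDER))
```

The second call shows the point of the location rule: an HR administrator's credential used from an unexpected site sees only masked PII, so a stolen login yields far less than it would under a role-only check.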
Data duplication is common in many organizations. For example, scheduling spreadsheets may hold employee PII copied from human resources databases. Make it more challenging for hackers to discover and steal PII by integrating your LIMS software with enterprise systems. Authorized users can access on-demand information pulled directly from an enterprise database, thus avoiding storing PII on lab systems.
Sometimes, the best way to protect PII is by not collecting it in the first place. LabLynx supports OpenSocial, so visitors to your lab's web portal can log in with their social media accounts. Your lab does not collect passwords, which reduces your security exposure.
In closing …
As labs become more connected, they become more vulnerable to cyberattacks. Personally identifiable information is not the only sensitive data that hackers target. Download the Guide to Lab Security with a LIMS to learn more about protecting sensitive data and the role the LabLynx ELab LIMS can play in your lab’s information security plan.