What is a cybersecurity plan and why does a laboratory need it?

Cybersecurity plans document how organizations deter cyberattacks and respond to security breaches. Laboratories need effective cybersecurity plans to protect sensitive data and ensure operational resilience.

Cyber threats are everywhere

Pervasive cybersecurity threats pose a constant risk to organizations of any size in any industry. 

A review of cybersecurity in the healthcare sector reported the following:[1]

• Healthcare data breaches doubled between 2018 and 2021.
• The average cost of a healthcare data breach is $10.1 million.
• Half of the industry’s ransomware attacks disrupted healthcare delivery.
• Ransomware attacks exposed the personal health information of nearly 42 million patients between 2016 and 2021.
• Internal actors accounted for more than a third of healthcare data breaches.

Although the reported cost of data breaches was highest in the healthcare sector, the pharmaceutical, industrial, and research sectors ranked third, seventh, and eighth, respectively.

Large organizations are just some of the targets. On average, breaches cost $3.31 million at organizations with fewer than 500 employees.[2]

Note that internal actors pose significant risks. These are not necessarily disgruntled employees but simply people who mistakenly open malicious emails. Phishing attacks are among the most common cyberattack vectors, with one security firm reporting a 29 percent increase in 2022.[3]

Even when part of larger organizations, laboratories face indirect risks. For example, the University of Vermont Medical Center’s laboratories went offline for weeks after a ransomware attack.[4]

Why are laboratories at risk?

Sophisticated threat actors are only sometimes motivated financially. They may directly target laboratories, whether internal or independent, for the data on laboratory systems. The data that may be at risk includes sensitive client information, regulated personally identifiable information, and proprietary research data.

Laboratories increasingly find themselves pressured by their customers to demonstrate adequate cybersecurity plans. A survey of global business leaders found that most will strengthen controls over vendors and other third parties.[5]

What makes cybersecurity plans effective?

The goal of any cybersecurity plan is to prevent the unauthorized access and release of sensitive data. However, a 360-degree attack surface creates challenges for organizations at any scale.

The first step laboratories can take is to craft an effective cybersecurity plan based upon leadership support to drive organizational change, engagement with all laboratory employees and contractors, and appropriate controls defined in a suitable cybersecurity framework.

Most importantly, cybersecurity plans must be living documents that evolve with a laboratory’s operations and threat landscape.

The LabLynx Cybersecurity plan

LabLynx’s security plan is based on NIST 800-53 v4. Security and privacy controls are maintained such that our clients can comply with their many security, privacy, and laboratory standards, frameworks, and regulations.

Organizations must actively monitor management practices and controls and take remedial action when significant deficiencies are encountered or improvements are needed. We keep our server operating systems up to date with scheduled maintenance tasks, weekly reviews for vulnerabilities, and periodic infrastructure reviews.

The hosted applications, such as ELab, are designed to be configurable to comply with your specific security requirements. Clients can make many such configurations, such as, but not limited to, users and profiles, access controls such as password complexity and history, session length, login info banners, and auditing of user account changes.

LabLynx’s information security standard governs the security, protection, and handling of LabLynx information and records. Access to data must be restricted to users or information systems with a legitimate business need and authorized by the data owner or an authorized delegate of the owner. Data at rest will be encrypted for all systems of moderate or higher risk impact and will be considered for systems of low impact. All data in transit will be encrypted with modern algorithms appropriate to the software. 

LabLynx conducts regular security assessments, security audits, and internal risk assessments of the information systems. LabLynx conducts regular vulnerability assessments of the information systems. LabLynx employs vulnerability scanning tools that allow the list of vulnerabilities tested to be automatically updated. The LabLynx ELab LIMS also provides successful and failed login information. 

 LabLynx’s cybersecurity plan is designed to ensure the confidentiality, integrity, and availability of data. By adhering to industry standards and conducting regular security assessments, LabLynx provides a secure and reliable platform for its clients to manage their laboratory operations while meeting their security, privacy, and regulatory requirements. 

 

 

References

[1] “2022 Healthcare Cybersecurity Year in Review, and a 2023 Look-Ahead”. U.S. Department of Health and Human Services Office of the Chief Information Officer, 9 February 2023. Retrieved 24 October 2023.

[2] “IBM: Average Cost of a Healthcare Data Breach Increases to Almost $11 Million”. The HIPAA Journal. 24 July 2023. Retrieved 24 October 2023.

[3] “Worldwide 2022 Email Phishing Statistics and Examples”. Trend Micro. 31 May 2023. Retrieved 24 October 2023.

[4] Paxton, A. “AP lab maps its cyberattack recovery,” CAP Today 35, 8 (2021): 1. August 2021. Retrieved 24 October 2023.

[5] “Global Cybersecurity Outlook 2023”. World Economic Forum. January 2023. Retrieved 24 October 2023.