By Christine Owen
Over the past decade, scientific research labs have become more digitally connected. Lab equipment is more reliant on computers and web-based devices; international collaborations are now more commonplace; and technology advances have exponentially multiplied the amount of data to be analyzed and shared between labs.
These rapid changes in the way scientists work have left many research labs vulnerable to cybersecurity threats that they are not equipped to manage, particularly in the wake of the COVID-19 pandemic. For example, in 2021 a biochemistry lab at Oxford University was compromised when hackers tried to gain access to confidential data that could impact vaccine development. Additionally, in June 2022, the FDA issued a warning referencing cyberattacks focused on a next-generation sequencing platform that is extensively used in research and clinical laboratories, further highlighting these vulnerabilities.
Cybersecurity threats are influencing how researchers view lab security.
Historically, lab security centered on locking the door. Now, lab security extends beyond the physical security of data and the digital lab environment—but getting buy-in is not easy.
Many research scientists do not realize the value of their data outside of their current research activities. They also tend to be concerned with any constraints that could get in the way of that research and will often find workarounds to keep their research moving forward. Therefore, cybersecurity controls can sometimes be viewed as hindrances to the research process. While this approach worked for many years, with the focus on basic wet lab techniques, it can no longer be the standard as science becomes more computational. Many new scientists, even in the biological sciences, have never set foot in a wet lab. In fact, often scientists do not get experience in wet labs because of the focus on analytical tools.
Changes in data are also leaving scientists more vulnerable to cybersecurity breaches than in the past. Advances in big data, AI, and genomic testing are providing a huge volume of scientific data and a more conceptual form of research. While this is leading to a shortened research lifecycle that allows for quicker innovation, the training on cyberthreats has not kept up, and these breaches will continue unless there are changes in the way research is conducted.
A zero-trust cybersecurity strategy is needed in today’s research labs.
To reduce and restrict lateral movement within a federal system, the Biden administration issued Executive Order 14028, Improving the Nation’s Cybersecurity, which requires federal agencies to migrate to a zero-trust architecture. A zero-trust architecture focuses on a few key features:
Additionally, a zero-trust architecture works to harden environment and application controls to reduce back-door access to the network.
Because zero-trust eliminates unfettered lateral movement throughout a network, it is a significant change in how users operate within their systems. If collaboration is successful, the benefits will far outweigh the risks and will foster greater trust between scientists and cybersecurity professionals. New relationships will be formed between researchers and the IT security teams that have often been left out of the scientific conversation.
To comply with new zero-trust regulations, federal research labs must change their mindset with four key actions.
Zero-trust is not a one-size-fits-all effort.
Zero-trust migration is a massive IT modernization effort that affects people, processes, and technology, and should be treated as such. With established relationships with leading vendors in identity and zero-trust strategies across the public and private sectors, Guidehouse has significant experience implementing zero-trust initiatives across small federal agencies, large departments, and healthcare and life sciences organizations. Learn more.