Engaging Scientists in Central Asia on Life Science Data Governance Principles: Proceedings of a Workshop Series (2024)

Chapter: 5 Examples of Existing and Needed Practices for Cyber- and Data Security in the Life Sciences

Suggested Citation: "5 Examples of Existing and Needed Practices for Cyber- and Data Security in the Life Sciences." National Academies of Sciences, Engineering, and Medicine. 2024. Engaging Scientists in Central Asia on Life Science Data Governance Principles: Proceedings of a Workshop Series. Washington, DC: The National Academies Press. doi: 10.17226/27156.

5 Examples of Existing and Needed Practices for Cyber- and Data Security in the Life Sciences

The fifth workshop, held June 15, 2023, focused on understanding existing security practices and their associated challenges; discussing needed cyber-, data, and information security practices; and examining differences in the risks and practices across institution types and fields.

CYBER RISK MANAGEMENT IN LIFE SCIENCE RESEARCH

Gautham Venugopalan, Gryphon Scientific (United States), set the stage for the workshop with an overview of cyber risk management in life science research. As defined by the U.S. National Institute of Standards and Technology (n.d.), cybersecurity is the “prevention of damage to, protection of, and restoration of computers . . . including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.” Three foundational principles of cybersecurity are data confidentiality, integrity, and availability (Figure 2). According to Venugopalan, confidentiality requires that certain data be kept secret or secure, integrity requires that data be accurate and unadulterated to be useful, and availability requires that data be accessible to enable normal organizational operations. He said that in open science scenarios, confidentiality is not an issue, but the data must retain its integrity and availability to avoid compromised research, untrustworthy results, or loss of access.
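The integrity requirement in the paragraph above is easiest to see in code. The following is an added example, not code from the workshop or from Gryphon Scientific: a dataset publisher records a manifest of SHA-256 digests beside an openly shared dataset, and a downstream user verifies their copy against it, so that an altered, missing, or silently added file is caught before the data enter an analysis. The file names, file contents, and helper names are all constructed for the demonstration.

```python
"""Added example: verifying an openly shared dataset against a published
manifest of SHA-256 digests. Hypothetical helper, not code from the
workshop or from any named project."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large sequence or CSV files need not fit in memory


def sha256_of_file(path: Path) -> str:
    """Streamed SHA-256 of one file, returned as lowercase hex."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root, POSIX separators) to its digest.
    The publisher ships this mapping, e.g. as JSON, next to the dataset."""
    return {
        p.relative_to(root).as_posix(): sha256_of_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(manifest: dict[str, str], root: Path) -> dict[str, str]:
    """Return one status per file: 'ok', 'modified', 'missing', or, for files
    on disk that the manifest never listed, 'unlisted'."""
    report: dict[str, str] = {}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report[rel] = "missing"
        elif sha256_of_file(p) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest:
            report[rel] = "unlisted"
    return report


def demo() -> dict[str, str]:
    """Constructed scenario: publish a manifest, then damage the local copy
    in three different ways and see each one reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "samples.csv").write_text("id,titer\nS1,1200\nS2,850\n")
        (root / "readme.txt").write_text("constructed demo dataset\n")
        manifest = build_manifest(root)
        # One value altered, one file removed, one file added after publication.
        (root / "samples.csv").write_text("id,titer\nS1,1200\nS2,8500\n")
        (root / "readme.txt").unlink()
        (root / "extra.bin").write_bytes(b"\x00")
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest only protects integrity if it is obtained from a source the verifier trusts (for example, fetched over TLS from the publisher's own site rather than bundled inside the same download), since an attacker who can alter the data can usually alter a co-located manifest as well.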

Unfortunately, cybersecurity incidents are increasing, Venugopalan said, and the impacts of these incidents can pose a serious threat to the health and safety of individuals as well as business interests (Check Point Research Team, 2022).

FIGURE 2 Foundational Principles of Cybersecurity. SOURCE: Crawford, E., S. Joshi, C. Garnier, A. Bobrow, N. Tensmeyer, and G. Venugopalan. This research was funded in part by a grant from the United States Department of State (SISNCT21CA3024). The opinions, findings, and conclusions herein are those of the authors and do not necessarily reflect those of the United States Department of State.

High-profile cyberattacks have disrupted pharmaceutical operations and demonstrated the potential to alter vaccine study data or remotely control physical laboratory infrastructure (EMA, 2021; MDL, 2017; Osborne, 2021). Such examples should be alarming to life science researchers, Venugopalan said, as attacks on research assets—from samples to data to internet-connected equipment, including personal smartphones—can result in the loss or delay of scientific advancements, reduced workplace safety, privacy breaches, data misuse, and financial or intellectual property losses. Such attacks can also erode public trust in science and lead to industry-wide disruptions.

To counter these threats and maintain data confidentiality, integrity, and availability, Venugopalan outlined four building blocks of cybersecurity: continuous and iterative cyber hygiene practices, asset identification, scenario building to identify concerns, and control systems for reducing risk (Figure 3). These four practices rely on identifying and protecting assets, detecting and responding to attacks, and creating recovery processes. Together, they can be used to determine an organization’s current safety profile, its target profile, and its decision-making needs; recognize and respond to threats and vulnerabilities; train staff; and conduct risk assessments to determine resource allocation.

Cyber hygiene practices are the fundamental controls every organization, no matter its sector or size, must implement before more sophisticated controls can be added, said Venugopalan. These practices, such as staff training, multifactor authentication, data encryption, zero-trust architecture, endpoint device management, and backup strategies (separated and with restricted access), are the most straightforward to implement and protect against a wide variety of common attacks. Quality off-the-shelf cyber hygiene and risk assessment systems exist, such as the Center for Internet Security Controls, version 8. Venugopalan noted that Dropbox and iCloud are commonly used by academic researchers to facilitate data sharing and come with security features, although researchers should agree on appropriate access controls, use, and sharing practices when using such services.

Determining which data or capabilities require the highest level of protection requires collaboration between researchers and information technology staff, Venugopalan said. Unfortunately, he continued, there is no such thing as a foolproof system, because most successful cyberattacks exploit the human factor somewhere along the line. Human behavior can only be improved through training that prioritizes data confidentiality, integrity, and availability, and that creates channels for recognizing attacks. In addition, Venugopalan said that a system’s usability is important, because if data access and management systems are too complex or difficult to use, people will find ways to work around them to do their work efficiently. There is no single approach or system that is right for every institution or environment. “An institution has a unique culture, has its own resources, has its own norms,” Venugopalan said. “People should work to come up with a system that works for them.”

UNDERSTANDING SOCIAL ENGINEERING

Trisha Tucholski, U.S. National Academies of Sciences, Engineering, and Medicine, provided a case study examining one common challenge in data security: the human factor. Noting that many of the workshop’s participants are on the front lines of life science research and cybersecurity needs, Tucholski said that people are an organization’s greatest asset and its weakest security link. This is because attackers can manipulate people into divulging information through social engineering, which exploits human psychology, not technology (Dinha, 2023).

FIGURE 3 An Organization’s Cybersecurity Journey. NOTES: The cybersecurity journey typically begins with basic cyber controls and incorporates progressively more intensive processes and protections based on the perceived risks and the resources that are devoted to addressing them. SOURCE: Crawford, E., S. Joshi, C. Garnier, A. Bobrow, N. Tensmeyer, and G. Venugopalan. This research was funded in part by a grant from the United States Department of State (SISNCT21CA3024). The opinions, findings, and conclusions herein are those of the authors and do not necessarily reflect those of the United States Department of State.

The most common form of social engineering is phishing, in which a message prompting staff to share confidential information appears to come from a trusted source. Phishing has become increasingly sophisticated, with attackers using publicly available information to impersonate colleagues or peers (Chhay, 2022). These requests are often worded to create a sense of urgency in hopes that the recipient will overlook errors or discrepancies and act upon the request quickly, giving the attacker access to information or systems that are meant to be kept secure.

Tucholski suggested that training is needed to raise awareness of phishing and to equip staff with the skills to recognize suspicious messages. She noted that unexpected messages from unknown email addresses should be approached carefully, especially if they appear urgent. When in doubt, it is best to validate the sender’s identity through another channel, such as an independent internet search or reaching the alleged sender by phone or video call. In addition, it is critical to avoid sharing log-in information, initiating financial transactions, and clicking on links or downloading attachments from unfamiliar or suspicious email addresses. Even with the best training, however, anyone can be fooled. Attackers are becoming increasingly sophisticated, and the increasing digitization of everyday life means that everyone—but especially staff of laboratories or companies who handle sensitive or proprietary data—should be more vigilant in avoiding phishing scams.
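As an added example that is not part of the proceedings or of any named project, the following rule-based triage applies the cues Tucholski describes (a familiar name on an unfamiliar address, a redirected Reply-To, urgency wording, a request for credentials, and a link whose visible text does not match its destination) to two constructed messages. The colleague directory, the trusted domain, the message text, and the function names are all assumptions made for the demonstration; a real deployment would draw the directory from the institution’s address book and treat the output as a prompt for out-of-band verification, not as a verdict.

```python
"""Added example: rule-based triage of inbound mail for the phishing traits
discussed in the text. All names, domains and messages are constructed;
this is not code from the workshop or from any named project."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: how known colleagues' mail really arrives.
KNOWN_PEOPLE = {"prof. aigerim bekova": "a.bekova@institute.example"}
TRUSTED_DOMAINS = {"institute.example"}

URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|account will be (closed|suspended))\b", re.I
)
CREDENTIAL_ASK = re.compile(r"\b(password|log-?in|credentials|verify your account)\b", re.I)
HREF = re.compile(r'<a\s+href="(?P<href>[^"]+)"[^>]*>(?P<text>[^<]*)</a>', re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def text_of(msg) -> str:
    # Assumption: single-part text messages; multipart mail would need msg.walk().
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    return msg.get("Subject", "") + "\n" + body


def triage(raw: str) -> list[str]:
    """Return the warning labels raised for one RFC 822 message (empty if none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = text_of(msg)
    findings: list[str] = []
    # A colleague's display name on an address that is not theirs.
    known = KNOWN_PEOPLE.get(name.strip().lower())
    if known and known != addr.lower():
        findings.append("impersonated-colleague")
    if domain_of(addr) not in TRUSTED_DOMAINS:
        findings.append("external-sender")
    # Replies quietly routed somewhere other than the apparent sender.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("reply-to-mismatch")
    if URGENCY.search(text):
        findings.append("urgency-language")
    if CREDENTIAL_ASK.search(text):
        findings.append("asks-for-credentials")
    # Link text shows one host while the href points at another.
    for m in HREF.finditer(text):
        shown = host_of(m.group("text"))
        if shown and shown != host_of(m.group("href")):
            findings.append("deceptive-link")
            break
    return findings


# Constructed samples (not real messages).
PHISHING_SAMPLE = """From: Prof. Aigerim Bekova <a.bekova@mail-service.example>
Reply-To: recovery@other.example
To: staff@institute.example
Subject: URGENT: manuscript access

Your account will be suspended within 24 hours. Please verify your account:
<a href="http://login.mail-service.example/x">https://portal.institute.example</a>
"""

LEGITIMATE_SAMPLE = """From: Prof. Aigerim Bekova <a.bekova@institute.example>
To: staff@institute.example
Subject: Draft for Friday

Attached is the draft; comments welcome by Friday.
"""

if __name__ == "__main__":
    for label, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(label, "->", triage(sample) or ["no findings"])
```

Each rule maps to one of the cues in the text, so a flagged message can be explained to the recipient in the same terms the training uses; the absence of findings says nothing about a well-crafted message, which is why the text’s advice to confirm through a second channel still applies.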

DATA AND INFORMATION SECURITY IN CENTRAL ASIA

Kavita Berger, U.S. National Academies, moderated a discussion to examine existing cybersecurity practices and challenges; discuss examples of needed practices for cyber-, data, and information security; and investigate differences in risks and practices among institution types and fields. These issues are increasingly relevant for scientists, who could receive phishing attacks disguised as conference registrations, publishing requests, or social media invitations, putting their—and their colleagues’—work at risk. Participants discussed the importance of cybersecurity training, suggested several cybersecurity needs, and discussed the difficulties of balancing data sharing with security and communicating risk to nonscientists. Some participants also commented that the resources mentioned in this workshop can help life science researchers overcome these shared cybersecurity challenges.

The Importance of Cybersecurity Training

Several participants emphasized the importance of continuous training in cyber hygiene practices, risk assessments, and data safeguards to keep everyone involved in life science research—from students to seasoned scientists—vigilant. They noted that data security is still important when working with data that are publicly available. Phishing attacks can be very persistent and penetrate an institution’s strongest protections. Venugopalan cautioned that the best way to deal with suspicious or unexpected emails is to delete them immediately. Even just reading an email, without clicking on a link or replying, can open the door to a cyberattack.

Damira Ashiralieva, National Scientific-Practical Center, Ministry of Health of Kyrgyzstan, stated that scientists in her country are becoming more vigilant about the threat of cyberattacks. In fact, she noted that she was suspicious of the invitation for this workshop series and was only satisfied after receiving more information directly from Tucholski. She also noted that the country’s public health department is governed by an Ethics Committee that oversees all research and data protections, incorporates expert training, and integrates bioethics to keep up with the rapid pace of science.

Yann Joly, McGill University (Canada), stated that in Canadian universities, cybersecurity expertise to examine the bioinformatic, ethical, and legal components of data is only just being added, and this varies by project and institution. While academic ethics committees exist, they were developed in the context of physical risks, and, he said, they have been slow to incorporate data science expertise.

Cybersecurity is also in the initial stages in Tajikistan, stated Mekhriniso Rustamova of the Tajikistan National Academy of Sciences, which will soon host a cybersecurity conference to educate its scientific workforce. However, Tajikistan’s national Bioethics Committee, directly under the Ministry of Public Health, has a well-established, stringent, and successful project approval process.


Cybersecurity Challenges and Opportunities

Wei Zheng, Vanderbilt University Medical Center (United States), suggested that existing systems that ensure verifiable results should be expanded to reduce the risk of data misuse and increase trust in public data repositories. Berger added that public repositories can also lead to data being used in ways that researchers never intended, including ways that may harm people, animals, plants, and the broader environment. Ashiralieva shared this concern, noting that while legislation in Kyrgyzstan and its national Ethics Committee clearly define who can share what information, data used in global collaborations could be accessed by unknown researchers for unknown purposes.

Joly noted that in addition to expanded cybersecurity practices, there is a role for legal contracts in protecting open data and ensuring their integrity. For example, the tools developed by the Global Alliance for Genomics and Health to help scientists share and integrate data safely, legally, and ethically are free and open access but covered by intellectual property licensing to protect them from downstream alteration or abuse.

Finding a Balance

Venugopalan stated that balancing the desire to share and use data openly with the potential for unintended consequences of such sharing and use is less about cybersecurity and more about the values and priorities of laboratories or collaborations and their perception of the risks and benefits. While employing security resources—from cyber hygiene practices to licensing to legal contracts—is important, he noted, bad actors are unlikely to be deterred. Whether and how to share data is therefore a continuous conversation that can evolve alongside science.

Joly agreed that every research group can make its own choices about how best to protect data at every step, from assembling a dataset to storing and sharing it. He added that circumstances can affect these decisions, noting that the sense of urgency during COVID-19 at times overrode voices suggesting a more cautious examination of potential data inaccuracies and downstream consequences.

Berger said that balancing the various risks and benefits of different data types and sharing practices has been discussed in the United States for some time. The term dual-use research of concern, for example, describes research conducted for peaceful purposes that could be used by individuals with malicious intent to cause harm. The World Health Organization (2010, 2022a), among many others, offers guidance to help scientists and governments understand the risks and benefits involved in such work. The real challenge, she said, is conducting responsible innovation that recognizes and addresses risks and maximizes benefits, while continuing to build global collaborations and advance science. This challenge is getting more difficult as national and international policies unexpectedly overlap or counteract one another, creating roadblocks for addressing public health emergencies or advancing science. For example, during the pandemic, General Data Protection Regulation restrictions prevented collection of human samples needed for detecting and monitoring the SARS-CoV-2 virus, because human genetic material may also be obtained from sequencing those samples, creating privacy concerns for individuals. She indicated one commonly cited suggestion, which is that global health entities could encourage researchers to secure digital data as carefully and lawfully as they secure physical samples, and added that countries can enhance measures to support open, transparent research while preventing harms from unauthorized or unlawful access to data.


Communicating Risk to Nonscientists

Rita Guenther, U.S. National Academies, noted that researchers in the United States have struggled to communicate risks to nonscientists, especially decision-makers, who often have very different priorities. One response to a series of biological attacks involving anthrax in 2001 was the creation of the National Science Advisory Board for Biosecurity (NSABB), a group of scientists and academics who lead discussions with government leaders and other researchers on balancing risks and benefits of certain areas of science, such as biosafety and gain-of-function work. She suggested that leaders in Central Asian countries may find NSABB’s strategy, which focuses on understanding risk, communicating it, and implementing continuous risk assessment processes, applicable. Ashiralieva agreed and noted that Kyrgyzstan convenes multisector collaborations to address crises such as COVID-19 and other epidemiological emergencies.

Another potential communication model, Berger added, is exemplified by the International Genetically Engineered Machine (iGEM), which integrates risk communication into the broader context of scientific responsibility. iGEM hosts an annual competition for students in synthetic biology, which stresses risk assessment, safety, security, and ethics. In addition, the InterAcademy Partnership and the U.S. National Academies help foreign and domestic researchers investigate dual-use research, uncover biosecurity issues, and embed good security practices, she noted.

SUMMARY

The workshop shed light on the importance of strong cybersecurity practices for life science researchers to combat their shared challenges. An organization’s most valuable asset—its people—is also its weakest security link, and participants discussed how students and researchers can be made aware of cybersecurity risks and equipped to employ appropriate practices and protections.
