Safeguarding Data in the Lab: Risk-Based Cyber Security

The views expressed are my own, and do not represent the official policy or position of any of my current or previous employers or clients.

All references in this presentation have been properly cited.

The content in this presentation has been provided to IVT for conference purposes and may be redistributed in accordance with IVT conference guidelines.

Disclaimer

• On March 13, 1895, Nikola Tesla, the inventor who discovered alternating current electricity, awoke to the worst news any laboratory scientists could ever receive – his laboratory was on fire.

• The fire destroyed everything inside the lab including Tesla’s invention models, laboratory notebooks and equipment.

• The financial damage was estimated to be approximately $50,000; however, the loss of the intellectual property within the notebooks may have been far greater.

Background

Protecting Intellectual Property from Fire and Theft

Cyber crime is sweeping the globe at an alarming rate. It is crippling business operations and paralyzing research and development operations.

Companies are striving to protect their intellectual property and implement practical methods to safeguard data in the lab while maintaining compliance with

regulatory agencies.

Background

http://www.nature.com/news/embattled-scientist-in-theft-probe-1.9505

This presentation:• Focuses on what some companies are reporting they are doing to secure

electronic systems that store data in the laboratory environment.• Discusses methods of data security that are found on the internet or related

research and do not represent any proprietary techniques or confidential information of any company. However, some of the methods presented are innovative and take additional effort to develop.

• Addresses known technologies that cyber criminals, law enforcement or the media stated have been used to access or transmit data.

• Requires that participants use critical and creative thinking skills.• Will at time request that participants put themselves in an uncomfortable

position, by considering the mindset of an individual who would attempt to steal, alter or destroy data in the laboratory environment. In other words, the criminal mindset is contrary to your thinking.

– Note: Because the individual may have never thought this way about cyber crime, feelings and concepts can be disturbing.

Overview

Upon completing our discussion, participants will be able to:• Convey the importance of safeguarding data in the laboratory environment• Identify potential vulnerabilities with documentation and systems in the

laboratory environment that needs safeguarding• Describe risk-based approaches to cyber security • See how the laboratory is becoming increasing electronic in its creation and

transmission of data• Become familiar with the increasing importance for cyber security in the

laboratory environment• Discuss the evolution of paper-based (hard copy) documentation to electronic

files and the supporting digital technologies

Objectives

PricewaterhouseCoopers (PwC) recently released the 2016 Global State of Information Security Survey, • One of the key takeaways shows that an astonishing 91 per cent of

organizations have adopted a risk-based framework or frameworks.• 10,000+ business and IT executives told us what they are doing—and plan to

do in the future—to protect digital assets and create business advantages. • Nearly half (46%) of the organizations surveyed said they have employed

advanced authentication, i.e., biometrics• More than half (59)% of survey respondents say they are boosting their

spending on security as a result of digitization. • Cybersecurity is no longer considered an IT task, but rather a responsibility of

the entire organization

Introduction: 2016 Research: Risk-Based Security

Source: https://www.scribd.com/doc/221661906/ISPE-GAMP-5-a-Risk-Based-Approach-to-Compliant-GxP-Computerized-Systems-GAMP5

Discussion Topics: Safeguarding Data in the Lab

I. Risk Management – Uncertainty• Risk management in a laboratory notebooks environment • Referencing the standards: GAMP5 and ISO 90012015• Risk response planning: business continuity planning, contingency planning, disaster recovery planning

II. Data and Information Security• GLP new hire orientation and annual training requirements for laboratory notebooks authors• Notebooks policies and procedures • Good laboratory notebooks practices involving data storage, transfer, archival and destruction, carbon copying,

copying, scanning, photographing, video-taping, audio-taping and tamper proofing

III. Data Integrity• Good documentation practices• Accurate and timely reporting• Ethics

IV. Physical and Environmental Security• Labeling/bar coding and tracking, badge access, locks and cabinets• CCTV/webcam monitoring control, RFID and advanced technologies• Media considerations – paper, CD, DVD, hard drive, flash drive and microfiche

V. Cybersecurity • Digital technology – Smart Electronic Laboratory Notebooks (SELN)• Mixed media Paper-based laboratory notebooks stored electronically (.doc, .xls, .ppt, .pdf)• Intranet (shared folders) vs. Cloud-based solution providers

I. Risk Management - Uncertainty

A risk assessment addresses uncertainty:• What we know that could happen (KNOWNS)

• Cyber security breach: Theft of intellectual property, i.e., SPII from a computer server

• What we do not know that could happen (UNKNOWNS)• Cyber terrorism: the politically motivated use of computers and

information technology to cause severe disruption or widespread fear in society, i.e., false information spread during a clinical trial that impacts a company from bringing a new drug product to market

Risk Management in a Lab Notebooks Environment

Risk response planning involves: 1. Business continuity planning:

• Temporary interruption in service2. Contingency planning:

• PLAN B • PLAN C

3. Disaster recovery planning: • Total outage or service disruption

Risk Management in a Lab Notebooks Environment

Risk Management involves:• Risk identification

• List the risks• Risk categorization

• Strategic• Tactical• Operational

• Risk analysis • Qualitative• Quantitative

• Risk Model Selection• Basic: Probability x Impact (P x I)• FMEA: Severity x Occurrence x Detectability (S x O x D)

• Risk response• Accept: deal with the consequences• Avoid: put measures in place to address the issues• Transfer: enable other support mechanisms, i.e., insurance• Mitigate: lessen the risk in the event it happens

Risk Management

Conducting a risk assessment should:• Be founded upon best practices• Practical based on the needs of the organization• Follow established standards, i.e., ISO 9001:2015, GAMP5, PMBOK® Guide

Conducting a Risk Assessment

ISO 9001: 2015 – Clause 0.3.3 and Appendix A4

According to this standard, risk based thinking:• Improves governance• Establishes a proactive culture of

improvement• Assist with regulatory compliance• Promotes product and service quality• Improves customer satisfaction

Risk based thinking is common sense and should be integrated into the Quality Management System!

Technique for Applied Risk Based Thinking

Source: http://www.wisegateit.com/resources/downloads/wisegate-risk-based-security-report.pdf

GAMP 5 is a: • Technical subcommittee of the International Society for Pharmaceutical

Engineering (ISPE) • Risk-Based Approach to Compliant GxP Computerized Systems• Science based quality risk management methodology• Set of guidelines for manufacturers and users of automated systems in the

pharmaceutical industry.• Guidance document that aims to achieve computerized systems that are fit for

intended use and meet current regulatory requirements, by building upon existing industry good practice in an efficient and effective manner.

• Standard that can be used to help an organization consider the amount and type of information being digitized and how often and where it is being digitized

• Computerized systems are fit for intended use and compliant with applicable regulations and adhere to GMP, GCP, GLP and GDP

GAMP5 Risk-Based Approach to Cybersecurity

GAMP5 Risk-Based Approach to Cybersecurity

Drivers for GAMP 5

The principles in risk managementshould be approached from theperspective of an evaluator: • Outlined for projects• Have direct application to

ongoing operations• Represent a comprehensive

approach to managing risks

PMBOK Guide® Approach to Risk Management

Source: PMBOK® Guide 5th Edition

Factors that go into risk-based decision making:• Risk tolerance of key stakeholders

– Risk Averse– Risk Neutral

• Previous security related issues with the organization• Experience with security related issues at other organizations• Value of assets in the laboratory environment• Current security measures in place• Policies and procedures in place to deal with risk• Knowledge of risk management practices• Practicality of implementing risk management

Factors that go into Risk-Based Decision Making

Risk Management: Interactive Activity

Create a risk register for your laboratory environment: • Utilize the template below as a starting point• Feel free to modify it• Make it specific to a laboratory environment

Risk Event Risk Category Probability Impact Overall

Risk Rating

Risk Response

Strategy

Action Plan

and Accountable

Person

Annual GLP Training

II. Data and Information Security

Trivia Question: Early Laboratory Notebooks

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4730679/

Why did Leonardo da Vinci used mirror writing?

Several possibilities have been suggested:He was trying to make it harder for people to read his notes and steal his ideas. (SECURITY)• He was hiding his scientific ideas from the

powerful Roman Catholic Church, whose teachings sometimes disagreed with what Leonardo observed. (ENCRYPTION)

• It prevented smudging (GOOD DOCUMENTATION PRACTICES)

http://legacy.mos.org/sln/Leonardo/LeonardoRighttoLeft.html

A Team Approach to Protecting Information

Whenever you think about PII/PHI/SPII keep in mind we are part of the…

Trusted Employees And Management

ACCESSinformation only if you

require it to do your job.

24

SHARE information

only with those who

need it to do their jobs.

Controlling Removal of Company Assets: Other

There are a variety of other techniques that could be used to remove data and information from the lab:• USB drives• External hard drives• Bluetooth devices• Video glasses

https://www.reddit.com/r/labrats/comments/3vnusn/why_exactly_cant_we_take_our_lab_notebooks_home/?st=iuylijgi&sh=9f402e46

Controlling Removal of Company Assets: Computers

Conducting a gap analysis on notebook policies and procedures:• The thinking behind paper notebooks and procedures must take into

consideration how it translates to the digital world.• Date and time stamp can be performed automatically• Attachments are performed electronically.• Good documentation practices can be performed in many cases

automatically.• Page numbering and sequencing can be performed semi-automatically

depending on software features.• Traditional notebooks policies and procedures need to be reviewed to ensure

they address cybersecurity.

Notebooks Policies and Procedures

Source: https://www.pwc.com/gsiss

An analysis of laboratory procedures:

• Carbon copying: where does the carbon copy go

• Copying: does the copier scan to hard drive or scan to email

• Scanning: does the document scan to a hard drive or server

• Photographing: are the pictures taken by a mobile phone

• Video taping: where is the video tape stored

• Audio taping: how are the audio files saved

Good Laboratory Notebooks Practices

Data management must consider how paper-based processes are handled electronically:

• Transfer

• Storage

• Archival

• Destruction

Good Laboratory Notebooks Practices

21CFR 211.180…..Requires clear procedures for archiving of documents:

• Defined Retention Periods

• No loss of Information during retention (thermal printers)

• Fire and waterproof archives

• Access and Control of document archives

• Readily Retrievable (in case of compliant, recall, audit)

• Periodic Checks of archive

• Electronic Archives to be Qualified and Validated

• Document destruction

Information Security: Review

During an unscheduled walk though you find the followinggoing on at ABC labs:• Sensitive Personally Identifiable Information (SPII) is left on a

centralized copier that contains health information of people who will be potentially involved in a clinical trial

• A personal video camera and tripod belonging to an employee.• A personal tape recorder belonging to another employee.• A personal Apple IPAD mini belong to another employee.

An email on the desk regarding a professional association desires to feature your company in an upcoming article regarding the pending exploratory research on a new virus. They are searching for whatever information they can find and contact your laboratory.• A laboratory technician accidentally sends unverified and unapproved for

distribution information that provides demographic information on where the virus might potentially spread, but this information has not been confirmed by the CDC.

Data and Information Security: Action Plan

Task/Step Assigned to:

1 Create an outline for an Annual GLP Course

2

3

4

5

6

7

8

9

10

II. Data Integrity

Annual GLP Training

One of the best ways to ensure data integrity is through periodic training.

The purpose of GLP training is to:• Ensure that the new hire orientation process is comprehensive and help new

employees and contractors to do things right from the beginning• Conduct refresher training on an annual and as needed basis for target

populations• Update analytical and formulation scientists on Good Laboratory Notebooks

Practices• Prepare for inspection readiness• Improve technical writing skills specific to CAPAs• Reinforce good documentation practices• Encourage good laboratory practices, i.e., safety and security• Address competency based training for i.e., test methods

https://www.reddit.com/r/labrats/comments/3vnusn/why_exactly_cant_we_take_our_lab_notebooks_home/?st=iuylijgi&sh=9f402e46

Data Integrity: The Case of Louis Pasteur

http://www.sciencealert.com/80-of-the-data-in-chinese-clinical-trial-is-fabricated

Data Integrity: A Global Ethical Dilemma

In 1989, 11 of 13 companies were invested for falsifying safety and efficacy records for new generics.

When using computers to falsify any information, this can be considered a cyber crime.

http://www.nytimes.com/1989/09/12/business/fda-details-problems-at-drug-makers.html

Data Integrity: Acronym used by Regulators

Regulators like the ALCOA acronym.

Data is “fit for use” (e.g., has integrity) if data is:

1. Attributable: It should be clear who created the record and when.

2. Legible: can be read and interpreted without mistakes, deciphered

3. Contemporaneous: data are recorded at the time they are generated or observed

4. Original: data are original observations (or are certified true copies)

5. Accurate: data are correct with no unknown/undocumented errors.

Source: https://tjkuhn.wordpress.com/2008/07/23/alcoa/

Data Integrity: Avoiding Fraud

Lab directors are responsible for lab integrity. Progress of activities in the laboratory can be followed and documented via accurate laboratory notebooks.

Periodic checks of raw data in lab notebooks can help:

• Uncover and correct carelessness

• Uncover and correct outright fraud

• Safeguard against fraud

• Defending patents

Source: https://ori.hhs.gov/education/products/wsu/data_lab.html

Data Integrity: Avoiding Fraud

Source: http://science.sciencemag.org/content/sci/313/5791/1222.full.pdf

Electronic Records and Signatures

Published in 1997 as 21 CFR 11

• Established conditions under which FDA would consider e-records (and signatures) to be the equivalent of paper records and pen/ink signatures

• Applies to all records (and signatures) required under any FDA regulation and kept or used in digital form

“Persons who use…systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records….”-FDA, 21 CFR §11.10 Electronic Records; Electronic Signatures

Good Documentation Practices

In order to adhere to current Good Laboratory Practices we MUST follow the 10 Good Documentation Practices (GDP)!

1. Accurate: Correct, free from defect or error

2. Complete: All required information is included

3. Direct: Recorded directly onto the document, i.e., laboratory notebook

4. Factual: Truthful, honest and free from falsification

5. Legible: can be read and interpreted without mistakes, deciphered

6. Permanent: cannot be changed, removed, or erased i.e., using pencil

7. Retrievable: Accessible electronically and/or hard copy

8. Standardized: Use consistent dates, times, and abbreviations

9. Timely: promptly recorded, immediately after being performed

10.Understandable: Clear to the intended audience

Note: These attributes define the characteristics of GDP

Maintaining Integrity Through Good Documentation

• Original documents should be easily distinguishable from photocopies, and

should have clear and concise information.

• There should be sufficient space for entries, to record variable information and

signature and to attach print-outs etc.

• Data entries are made or completed when action is performed.

• Entries in logbooks must be done in chronological order.

• Document anything that directly impacts a product. Record every procedure

performed, form filled out, and test performed.

• Using a standard format eliminates discrepancies between documents from

different sources.

• Careful design of documents will make them easy to read, easy to understand and easy to complete properly.

• Just creating documents is not enough; must follow specific standards when doing so. Ensure user reads and understand exactly what it means.

• Master documents must be subject to appropriate controls to ensure that only one version is current. Such documents must be approved, signed and dated.

• Modifications to master documents must be managed through change control.

Maintaining Integrity Through Good Documentation

21 CFR 58 GLP:

• All data generated during performing of a study, (except automated data

collection systems), shall be recorded directly, promptly, and legibly in ink.

• All data entries shall be dated on the date of entry and signed or initialed

by the person entering the data.

• Any change in entries shall be made so as not to obscure the original

entry, shall indicate the reason for such change, and shall be dated and

signed or identified at the time of the change.

Bad Documentation Examples: Cited

Use of signature stamp

• US FDA Warning Letter UCM075960 to Scott A. Spiro, MD, 28-Jun-06.[16]

• US FDA Warning Letter UCM066113 to Medtronic, Inc., DEC 2 1997.[17]

Obscured original data

• US FDA Warning Letter UCM076246 to Gynetics Medical Products NV, JAN 16 2007[19]

Use of pencil

Inaccurate records

• US FDA Warning Letter 320-01-02 to SOL Pharmaceuticals Limited, NOV 21, 2000[18]

Hand changes not dated

• Form FDA 483 issued to L. Perrigo Co., NOV 7, 2008.[20]

Bad Documentation Laboratory Examples: Cited

• The periodic calibration of the laboratory instruments was not documented completely in the laboratory records.

• The records did not include the reason for the modification of a test method.

• The laboratory records did not include a statement on the identity of the reference standards used and on the method with which these were produced.

• The laboratory records did not include the initials or signature of a second person showing that the original records had been reviewed for accuracy, completeness, and compliance with established methods.

• Document error correction not signed/dated, and didn’t include a reason for the correction.

• Write-overs, multiple line-through and use of "White-out" or other masking device.

• Sample sequence table and audit trail not

• Out-of-specification (OOS) procedure not detailed enough; flow chart and /or check-list not available.

• Records did not contain complete raw data for all laboratory testing performed.

Data Protection Stewards:• The emerging approach to dealing with cyber security is to establish

individuals with responsibility to protect a company’s knowledge assets.• Governance for Data Education is essential

– Discussion for my other presentation at this conference (see the compendium if not attending the session)

• Individuals responsible for protecting data and information should be found in nearly every part of the organization

• This should not be a sole responsibility of Information Technology or Data Governance

• All employees should receive new hire orientation and annual training on safeguarding data and information

Data and Information Governance Office (DGO) and IT

Data Integrity: Review

During an inspection, you discover the following at XYZ Labs:• Every laboratory analyst records their usage of a laboratory

computerized system in a hard copy equipment logbook next to each computerized system – noting his/her name, date and time, and each lab test performed

• A review of the audit trails of each computerized system reveals multiple test runs that are not recorded in the logbook, nor are the data files for those runs on the computerized system

• Data on the computerized systems can be deleted without any record or trace – but only by authorized users (e.g., the lab analysts and the lab supervisor)

• Paper lab notebooks, kept by each lab analyst, only record one set of printed out test results (these do match the existing results on the computerized systems)

• A couple of analysts have migrated to electronic notebooks, using a free software application that is based in the cloud

• How would you address these issues?

IV. Physical and Environmental Security

The following computerized systems are used in the laboratory environment:• Clinical Trials Data Management• Laboratory Information Management• Automated Laboratory Equipment• Blood Processing Management• Adverse Event Reporting (vigilance)• Document Management• Track and Trace• Electronic Laboratory Notebooks Software• Electronic surveillance systems• Laptops or servers containing PII, SPII, PHI,• Enterprise Resource Planning• CAPA Software

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4730679/

Scope: Common Computerized Systems in Labs

The following are approaches to protect systems in the laboratory environment:• Sign in and badge access• Biometric scanners, i.e., finger print• Video cameras• Password protection• Multiple layers of authentication• Security guards• Specialized door locks• Safes• Log books• Secured cabinets• Trees and bushes• Blinds and shades• Tamper-resistant door jambs• Cables on computerized systems• Increased lighting• Alarms or bells when doors open• Glass-break alarms for windows and doors• Locking cabinets https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4730679/

Typical Physical Security Measures for Labs

Visitor tracking procedures:• Written procedures should be in place for escorting visitors• Visitors should be made aware of the procedure• It is worth investing in a digital capture system• Require every visitor to wear a badge• The badge should contain their name and if

possible their picture• As necessary announce to staff who the visitors

are to avoid surprises and minimize stressassociated with events such as unannouncedinspections

• Ensure that badge is returned as part of theexit process

Escorting Visitors

The four integrated domains to consider when improving security of a facility:• physical or architectural security—doors, walls, fences, locks, barriers,

controlled roof access, and cables and locks on equipment;• electronic security—access control systems, alarm systems, password

protection procedures, and video surveillance systems;• operational security—sign-in sheets or logs, control of keys and access cards,

authorization procedures, background checks, and security guards; and• information security—passwords, backup systems, shredding of sensitive

information.

Physical security systems should help:• Detect intruders• Delay intruders• Respond to alert the proper resources

https://www.ncbi.nlm.nih.gov/books/NBK55881/

What to Secure

Concentric circles of protection, as shown in is useful when considering a

laboratory's physical security

The following are common approaches to protect systems in the laboratory environment from fire and water:• Fire extinguishers• Fire protection systems• Alarms• Humidity control• Fireproof cabinets• Redundant servers with scheduled back-up• Fume hoods• Cable locking systems• Mounted kiosk attachment devices

Additionally an AED should be installed and at least one lab member should be CPR certified (AED, Basic First Aid, CPR and Fire Extinguisher).

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4730679/

Typical Environmental Security Measures

Your company just announced that it will be going out of business• You manage a laboratory environment and 100 products are

in the pipeline• They are at different stages of development, testing, clinical trials• Employees have not received their final employment date,

but know that it will be in the next six months• You are unclear if it is an acquisition, merger or other issue that

is involving the closure because senior management won’t communicate• The company uses paper and electronic notebooks• The company has LabWare LIMS• The company allows USB and external hard drives to connect to lab computers• The company current has minimal badge-in and badge out verification• There are currently no cameras in this facility• Your job is to protect all information in the lab• You have 25 people working in the lab• You have just been transferred from another location to manage these people• You will be responsible for terminating these employees and outplacement• Discuss your strategy for data security

Physical and Environmental Security: Review

Physical and Environmental Security: Action Plan

Task/Step Action

1

2

3

4

5

6

7

8

9

10

V. Cyber Security

What is Cyber Security?

A Cyber Crime:• criminal activity or a crime that involves the Internet, a computer system, or

computer technology:– identity theft, – phishing, and – other kinds of cybercrime.

Definition of Cyber Crime

A Cyber Crime:• May involve falsifying, inappropriate altering (i.e., not adhering to good

documentation practices), unauthorized deleting (lack of data integrity), unauthorized copying, unauthorized transmitting, etc.

A Cyber Crime:• May happen by accident or on purpose.

– For example, confidential clinical trial data is sent to the wrong fax number or email address.

A Cyber Breach:• A data breach is the intentional or unintentional release of secure information

to an untrusted environment– In this instance while there was no harm to the public, the potential

impact could have been mass hysteria and danger to society.

Cyber Security and the Media

Astounding Statistics Regarding Cyber Attacks

Source: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4516335/

According to this article, 94% of health care organizations have been the victim of cyber attack.

Concern pointed out in article:• Implantable medical devices

capable of being reprogrammed wirelessly, such as pacemakers, drug (e.g, insulin) pumps, defibrillators, and neuro-stimulators are used for monitoring and treating patients

Source: https://www.sans.org/reading-room/whitepapers/wireless/bluetooth-inherent-security-issues-945

Despite the limitless possibilities and already-gained market share, the Bluetooth specification does have a flaw in its native security implementation.

This flaw can subject a user to such threat vectors as default configuration, theft and loss, eavesdropping and impersonation, person-in-the-middle attack, piconet/service mapping, and denial-of-service attacks.

These inherent security issues, they can be mitigated via implementation of application layer security, device configuration guidelines, enforcement policies, and methods for protecting identifying data.

Concern with Bluetooth Devices

Corporate Plan – Cyber Security to Safeguard Data

Table of contents: • Cyber security policies and procedures• Data integrity polices and procedures• Good laboratory practices• Good documentation practices• Roles and responsibilities for safeguarding data• Risk management process for safeguarding data• New hire orientation• Refresher training• Communication• Equipment inventory list• Validation plan references for specified systems• Periodic use of certified ethical hackers to test system vulnerability

Data and Information Protection: Cloud Computing

Five things to keep in mind about HIPAA and cloud computing:

1. There are no “HIPAA-certified” (Cloud Service Providers) CSPs.2. Know the definitions for HIPAA compliance.3. Before signing a contract with a CSP, send it to the company’s Contract

Intake procedure. Legal will ensure a Business Associate Agreement (BAA) or language of its equivalent is incorporated in the contract.

4. Perform a comprehensive assessment on any CSP you are currently using or are considering.

5. Encrypt PHI.

62

Source: http://www.peak10.com/five-things-to-know-about-hipaa-compliant-cloud-storage/

Regulations to Strengthen Cloud Computing

For example, reviewing a CSP’s Annual HIPAA audit Report on Compliance will help ensure they have the appropriate technology, processes and policies in place for HIPAA compliance. The audit should:• Be conducted by a reputable third-party auditor and comply with the OCR

HIPAA Audit Protocol, which was adopted in 2012 and serves as a set of guidelines stipulating how HIPAA audits should be performed).

• Cover all 169 requirements of the HIPAA law.

CSPs that undergo other types of audits may also be more likely to meet HIPAA requirements for data security and privacy because of the stringent protocols entailed, such as those required by PCI DSS and SSAE 16.

63

Source: http://www.peak10.com/five-things-to-know-about-hipaa-compliant-cloud-storage/

Electronic Laboratory Notebooks

CloudAdvanced

Authentication

Artificial Intelligence

MachineLearning

AdaptiveControls

EmergingCyber Security

Timeline for Electronic Notebook

1970 1975 1976 1977 1981 1983 1985 1991 1993 1995 1998

Dessy was thinking about the electronic notebook

First conference to discuss ELN

History of the ELN

• Significant discussion concerning the transition from a pen-and-paper laboratory notebook to an electronic format was already in full swing in the early 1990s. During the 206th National Meeting of the American Chemical Society in August, 1993, an entire day of the conference was dedicated to talking about "electronic notebooks" and ELNs.

Source: http://www.limswiki.org/index.php/Electronic_laboratory_notebook#cite_note-EarlyELN-2

• While some credit Dr. Keith Caserta with the concept of an electronic version of the laboratory notebook, it's likely that others had similar early ideas on how to integrate computing into the process of laboratory note taking.

• "A tetherless electronic equivalent of the paper notebook would be welcomed by the working scientist," noted Virginia Polytechnic Institute's Dr. Raymond E. Dessyfor the conference. Dessy had in the mid-1980s begun postulating on the idea of an electronic notebook, and by 1994 he provided one of the first working examples of an ELN.

Source: http://www.sans.edu/research/security-laboratory/article/wireless-security-1

Protected Extensible Authentication Protocol, encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS

Stronger Authentication for Lab Devices

Your company just announced that it has received a dangerous virus• An email was some how misdirected to an external email

and people believe that the virus is not safely contained• The email reaches the hands of a cyber criminal and they falsely

report that the virus has now escaped the lab and people in thecommunity may be potentially infected

• What steps would you take to deal with the crisis?

Cyber Security: Review

Task/Step Action

1

2

3

4

5

Your team is proposing a new Episode for Hawaii FIVE-0• The most innovative script will win a $1M contract • You are to create a draft concept script for a cyber criminal

breaking into a lab to steal a new pharmaceutical product

Ideas• Vaccine for deadly virus• Fountain of youth type medicine• Cure for cancer

What does the crime team do?• What do they want to break in and steal?• Where do they steal it from, i.e., electronic notebook?• How do they break into a lab?• What steps do they take?• How long does it take?• What are the results of what they steal?

Final: Interactive Activity

Appendix

Laboratory notebooks have been used for centuries by inventors, scientists, and engineers:• Even before the invention of paper, Archimedes (circa 287 BC – 212 BC) made notes and drawings

of his mathematical discoveries and mechanical inventions on parchment made from animal skins. • Leonardo da Vinci (1452–1519) encapsulated perhaps some of the best known early combinations

of experimental documentary concepts. He employed a degree of data encryption in his mirror writing, to provide a measure of privacy.

• Benjamin Franklin (1706–1790) and Thomas Jefferson (1743–1826) not only kept notebooks on their ideas and interests but they utilized a portable version of a memo pad made from thin ivory leaves, fastened together at one end so they could be fanned out for use. These were re-writable; therefore, notes had to be ultimately transcribed to permanent notebooks for archival purposes, but the portability aspect was a key feature.

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4730679/

Early Laboratory Notebooks

• Charles Darwin (1809–1882) used fourteen different notebooks on his extensive field excursions, with a separate notebook dedicated to each major location.

• Thomas Edison (1847–1931) made extensive use of laboratory notebooks to document exploration into a wide variety of fields. This was mainly to organize and document information to serve as a legal instrument for the development and protection of patents, so an audit trail was an important feature.

The America Invents Act (the AIA) fundamentally changed U.S. patent laws. On March 16, 2013, longstanding U.S. laws granting patent rights to “the first-to-invent” were largely replaced by laws granting patent rights to “the first-inventor-to-file” a patent application.

ELNs in the “First to File” Era

It depends – therefore no one here was right or wrong.

Electronic Notebooks: Wave of the Present and Future

Pros – Electronic Notebooks are Simply Superior

Non-Fragmented Data handwritten notes and digital data files are in one place

Indexing; search the entire notebook for a specific procedure, citation, research idea, data piece or anything else that was recorded

Audit Trails: traceability of activities

Adherence to good documentation practices

Protect IP - document invention and innovation for patent filings, defense, and interferences

Collaborate locally or globally within and between departments

Reduce compliance risks and improve data quality

Cut cycle times by 50% - reducing the time spent looking for data

Lower costs by 25% - eliminating repeat experiments

Improve productivity by 25% - removing non-value added manual activities and human errors

Secure: NIST IT Security: password protection, disk encryption, firewall, domain authentication antivirus

Smart: camera, video recording, microphone, stylus pen, communications, web access

Cleanroom compatibility

Automated data collection systems: more support as a result of being computer based