Busy labs collect an incredible amount of data every day. From patient and sample data and test results to information about equipment, reagents, and personnel, data is the foundation of the lab business. So safeguarding this valuable data — maintaining its security and ensuring it is always accessible — is critical.
In our last post, we shared four ways to ensure your cloud-based laboratory information management system (LIMS) keeps patient data safe. In this post, we’ll take a closer look at other ways to keep data secure, including data backups, disaster recovery plans, and security audits. We’ll also discuss the importance of using the latest versions of software and plugins. All of these are things you should thoroughly cover with your IT team or potential LIMS vendors.
1. How frequently is your data backed up and how quickly can you restore it?
Most labs maintain their critical data in a database and/or file system. Whether you store your database and file attachments in an on-premise or cloud server, they need to be backed up regularly. For small labs that keep data in spreadsheets, backing up the hard drive where the spreadsheets are located is a must.
If you haven’t already, talk to your IT team or LIMS vendor about your data backup strategy. The higher the frequency of backups, the greater the expense. However, not being able to retrieve missing or corrupt data can also be costly.
We recommend nightly full backups and several incremental backups each day. Full backups contain a copy of the entire database or hard drive, while incremental backups include just the changes since the last full backup. This frequency offers a reasonable cost-benefit tradeoff for most labs. Full and incremental backups are performed often enough that most data is preserved and can be restored quickly, but at a lower cost than a system with point-in-time recovery or 100% redundancy.
Where the data is backed up also matters. Labs often choose to store their backups off-site, in geographically separate locations, to ensure data availability in case of sitewide disasters. Even if they use an on-premise server for day-to-day business, they might choose to store backups in the cloud.
2. Do you have a disaster recovery plan?
If disaster strikes — a server crashes, a file becomes corrupted, someone without the correct permissions accesses or changes the data, or worse, there’s a ransomware attack — your lab needs to be able to recover quickly. A comprehensive disaster recovery plan will guide you through the process.
It will:
- Describe how to revert to the last full backup and incremental changes.
- Have a goal of restoring your systems as quickly as possible with the least amount of data loss.
- Detail the roles and responsibilities of team members involved in the recovery process.
- Include a plan for regular testing of the backups to ensure all the correct data is being backed up as expected.
- Ensure compliance with legal and regulatory requirements related to data protection, privacy, and recovery are met.
Remember that a data disaster recovery plan is not a static document. It should be an evolving strategy with regular reviews, and it should be adapted in the face of new threats and changes in the lab’s technology landscape.
3. Does your LIMS vendor perform regular security audits?
Hackers are finding new software and operating system vulnerabilities every day. In order to lessen the risks of a breach, LIMS providers should conduct regular security audits and threat assessments to be sure that their builds have incorporated the latest patches to any modules, plug-ins, or dependencies they are using.
In some cases, vendors choose to work with an independent security specialist, who brings additional knowledge and deep expertise, to ensure that systems are as secure as possible. These specialists provide highly detailed technical reports as well as an executive summary. If your LIMS vendor works with one of these specialists, they might provide you with the executive summary so your lab can learn about any potential issues and confirm that they have been remediated.
Software teams that follow best practices test every coding change to confirm that they meet software engineering quality standards and don’t introduce bugs that could be exploited. They also use specialized tools to verify that changes don’t introduce any known security vulnerabilities.
We recommend labs work with their IT team or LIMS vendor to assess their security controls and implement any necessary improvements to enhance the overall security posture of the system.
4. Which version of the software is running in your production environment?
Software upgrades can seem onerous when your lab is focused on its daily throughput and meeting customers’ needs. Many labs put off upgrades, not realizing that they are putting their data and business at risk.
LIMS upgrades include innovative new features that could help your lab perform more efficiently, generate results more rapidly, or gain valuable insights. They also include patches for identified vulnerabilities that hackers could otherwise take advantage of. Labs using older versions of their software are leaving themselves open to a breach. Potentially, this could result in losing critical business data or exposing sensitive patient information.
If your LIMS provider has delivered a patch or upgrade, we recommend installing that as soon as possible in your production environment. In some cases, critical security patches are delivered in a separate build. If so, always install these patches immediately, just like you would install security updates to the operating system on your personal computer at home.
5. Who has access to your data and where is the data physically located?
One of the most fundamental types of security that labs and their vendors use is role-based access controls. Every user has unique credentials and is assigned a role. Those roles are clearly defined with limits around the types of data they can access. For example, patient health information, which is protected in the United States by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), should not be accessible to lab staff or software engineers, even though it might be used within the LIMS to track sample data. Access to payment information, such as credit card numbers, should also be restricted to just those staff with an appropriate finance or billing role.
Within LIMS software, role-based access is achieved by maintaining data in distinct encrypted layers and developing an architectural infrastructure that prevents access to the database. Furthermore, LIMS software developers should never have access to your lab’s raw production data. Instead, they should work solely with representative data or test datasets that mimic real data but contain no personally identifying information.
Data residency — where the data is stored geographically — is another key consideration. This will be informed by regional regulatory requirements and the countries where your lab does business. It also affects your lab’s ability to share data with other organizations.
The bottom line
No business wants to deal with a hardware failure or cyber-attack. But for labs working in a regulated environment with personal health information, safeguarding that data is critical — for the lab’s reputation and for business continuity.
Choosing the right LIMS vendor is vital. You need to work with a vendor that prioritizes patient privacy, data security, and regulatory compliance. They should also be willing to help you develop and implement a disaster recovery plan so that, if the worst happens, you can restore the data and get back up and running rapidly. Plus, they should be testing systems and backups regularly so you can be confident that your data is safe and accessible to those with the appropriate roles.
If you’d like to learn more about how Semaphore helps labs safeguard their data, please get in touch.