Addressing Information Security in the BioIT Research Community
In 2012, one of my colleagues at St. Louis University (SLU) approached me about a research area with updated security requirements and was pulling together people from across campus to work on them. It turned out this research area—pathogens, biological agents and toxins—was covered by the Federal Select Agent program, and the program had new information security requirements. The updated program also had a revised Information Systems Security Control Guidance Document detailing the information security controls. After going through the entire scope at SLU, my colleagues and I concluded that the security guidance alone was insufficient, and we therefore used FISMA as the foundation for securing this area. Based on this experience, we wrote a peer-reviewed paper on ways to improve information security for select biological agents.
This program has a history of strong biosecurity, physical security efforts, and researcher engagement because of the high-risk nature of the research. Up to this point, the IT security requirements were minimal and mostly handled by the researchers directly. At the same time, this field of study was rapidly expanding both its research and its use of IT throughout that work. Most new areas of research, and most industries newly adopting IT, need to figure out how to secure their systems appropriately after years of not addressing information security. As the researchers start formally incorporating IT security into their scientific processes, they collaboratively identify areas for improvement.
These new security requirements for the Select Agent program apply only to a very small segment of the research, enterprise, and Internet2 communities. The researchers working with select agents are probably very familiar with the security requirements, but not necessarily with the scope or the details of the security controls needed to secure the research. The work is also under additional scrutiny because of its dual-use nature, which may bring further information security requirements in the future. Other parts of a university are not necessarily aware of these requirements unless they have been specifically reviewing all of the grants, contracts, and other documentation for information security requirements. Many NIH grants, for example, have template language around FISMA requirements, but searching only for FISMA might not be sufficient: the updated Select Agent security requirements do not mention FISMA, yet they impose high security requirements. The security requirements may not even appear in an RFP, but may be included later in a contract.
Few enterprises will ever need to address security requirements for select agents, but the general issue of an area with high security requirements is familiar across many sectors. The secret sauce, critical intellectual property or other "crown jewels" likely have similar types of high security requirements. These could be more rigorous than what HIPAA or PCI requires.
Enterprises and research organizations should have flexible information security programs that can accommodate areas with high security requirements on top of the strong foundation of their general information security program. Only the specific security controls would need to be set up in the specific area, not across the entire enterprise. The Internet2 community has several campuses and research centers where research on select agents is performed, and BioIT has been an area of expanding research. Over the last 3 years, several presentations by Internet2, member campuses (2 from Global Summit 2015 – 1 and 2), and researchers have specifically addressed the rise in BioIT and its impact on campuses. Not all bio-research is high risk, but if the research involves select agents, human subjects, or other potential dual-use research, the security requirements should be carefully evaluated to identify any unique requirements and to determine whether sufficient security is in place. Even providing the computing infrastructure for researchers could help campuses prepare for the future and better meet the needs of their researchers.