SCRS Talks

Cyber Threats in Clinical Research: What Sites Need to Know

SCRS


Cybersecurity threats are becoming more sophisticated, and research sites are not immune. In this episode, Jimmy Bechtel sits down with Anders Lindquist, Senior Manager of Research Site Enablement at LabCorp, to break down the most pressing digital security risks facing clinical research sites today. Anders shares how human behavior is at the core of most cyber breaches, what red flags to watch for in emails and text messages, and the practical steps sites can take right now to strengthen their defenses, even with limited resources. From phishing simulations to multi-factor authentication, this conversation is a must-listen for anyone looking to better protect their site and the patients they serve.

Jimmy Bechtel

Welcome to SCRS Talks, provided by the Society for Clinical Research Sites. Thank you for joining us as we explore the latest trends, insights, and innovations shaping clinical research today. I'm Jim Bechtel, the Chief Site Success Officer with SCRS, and today I'm joined by Anders Lindquist, the Senior Manager of Research Site Enablement with LabCorp, to talk a little bit about some of the challenges and future threats in the space of cybersecurity. Anders, we know this is a really hot topic these days, with the current continued implementation of technology and AI, et cetera, et cetera, et cetera. So I'm excited to, again, talk through this topic with you and kind of get that CRO perspective on it. But before we do that, Anders, I'd love to start off with an introduction from you.

Anders Lindquist

Thanks so much, Jimmy. I appreciate your time and really enjoy being on the show today. It's a real honor to be invited to your SCRS Talks. So, a short introduction about me: a long time ago I had a biology degree and was interested in dentistry. I was working as an orthodontic assistant throughout undergrad and I was really looking to further my career path. And after undergrad, my wife introduced me to a program at Eastern Michigan in clinical research administration. And I started my first position with a certificate program in clinical research at Car Cancer Center in Detroit, Michigan. And then that preceptorship was in the bone marrow transplant data unit with data management. And then after that position, I started at the University of Michigan Comprehensive Cancer Center as a subjects coordinator, which is similar to a coordinator role, but not seeing patients, just working with the data, just helping take information from medical charts and putting it into the CRFs for drug studies. Then I finished my master's degree in Clinical Research Administration and then we moved to Columbus, Ohio. And I continued working as a coordinator at the cancer center and then, in a senior coordinator role, I helped with Subsite clinical trials and developed a foundational playbook there. And at that time we were using OnCore at the cancer center and I worked closely with Forte Research and I helped with various topics, including going from paper to electronic case report forms. Then I achieved my ACRP certification as a certified clinical research coordinator. Then my next role was at a mid-size CRO in Cincinnati, and I worked as a feasibility analyst and really learned more about the power of the clinical research site network. I started my own company in clinical research sites and then during the pandemic there was an open position at LabCorp and site partnerships. And I've been at LabCorp since 2021 and recently LabCorp divested its CRO business, Fortrea.
And we've continued our duties within LabCorp Research Network, working closely with senior leadership at the research sites on unique challenges. One of my sites had a cyber attack, and that made me really curious about what it is I can do to help. I really took a deep dive into this topic of cybersecurity and became an ambassador for cybersecurity with the OIS, the Office of Information Security at LabCorp. But it's really helped me meet people throughout the organization that have the same common goal of helping protect users from cyber threats.

Jimmy Bechtel

Thanks, Anders. Really interesting and diverse background. You know, it's always great to hear about the work that others have done that has led them to where they are today, because no one seems to take a straight path into clinical research. I want to jump into the topic now: cybersecurity. We know that the threats are evolving. As technology becomes more pervasive in clinical trials, it becomes more of a concern. So share with me some of the more pressing digital security risks that research sites face today, and how they can identify those, how they can kind of assess their vulnerabilities and understand maybe where they stand with cybersecurity issues or protections.

Anders Lindquist

There are always red flags to look for. There's a lot of risks with generative AI-driven extortion, high-quality deepfakes, supply chain attacks. 45% of organizations are expected to be affected. And then phishing and business email compromise, that's 90% of breaches. So the other thing is the cloud misconfigurations; that's, again, 68% of the cloud breaches. So with all of these happening, you know, I've completed my ISC2 online training. It's really been excellent. It's helped open my eyes to the human behavior aspects. So it's very common things that we can do to prevent them. And ultimately, cyber attacks not only take down organizations, but people are impacted by the economics of, and the reality of, the attack. So by being able to think about things that you can do to help minimize that, like the human behavior aspect, is really key. And again, I'll mention 95% of the breaches involve human error and 35% are due to negligence. And 68 involve manipulation. So there's a cracking of the human behavior that happens with cyber attacks. And the way you can also look for email messages. They include a sense of urgency. So click now, act now. So you really have to resist the pressure to act now during a common text message scam. This past summer in Michigan on the roadways, there was a cyber scam specifically targeting travelers. You're told, uh, pay this toll. Now, this recent scam targets people with a pop-up alert text message, and there's signs all across Michigan and the billboards now that say, you know, toll texts are a scam. Not only do you have to be mindful of your emails, but you also have text alerts. AI spoof is another one I mentioned earlier. Using AI deepfake, someone you know is telling you to send money to an account. So this is a new type of threat, a new reality in our daily lives. The starting point of the scams are, you know, playing to our human instinct to help people.
The second piece is being able to, you know, identify these vulnerabilities that we have. There are ways you can, you know, address these and you have to think, is this something that I really need to respond to immediately? So another thing to be on the lookout for is, let me explain, help me do we need to know this. Now, these are things that really tap into your desire to help people. And so, you know, from a young age, we're taught like, you know, be helpful. Again, it's the cracking of the human instinct to help people, and that's what the cyber criminals will tap into. It also, you know, is important to think about your emotions. Am I emotional in this moment? Is it pulling on my emotions to get me to act now? So just be on the lookout for those high urgency requests. Even that threatened job loss. I think another example is if you don't act now, this will have a personal consequence. You know, why does this work? Think about things in elementary school. You trust people with authority and you want to make sure that you respond quickly when someone gives us a request. So this is naturally what happens with cyber threats. They appear in that similar manner. The other thing you can do is take some practical steps. Do the cybersecurity awareness training. It helps reduce risks from 60% down to 10%. Phishing simulations: being able to practice seeing and identifying these cyber attacks on your email and text messages, so practice that. And then multi-factor authentication blocks 99.9 of the automated attacks. And then there's these strategies of least privilege access. You can make sure that that's implemented at your site, and then having an incident response plan.

Jimmy Bechtel

Those are great solutions, Anders, and thank you for diving into how a site can really look internally at what they're doing and what they might be able to identify and how to protect themselves from those sorts of things. Practical examples and practical tips there. Anders, I know that you also have helped us out with emphasizing understanding human behavior and cybersecurity at some of our summit sessions as well. So can you talk a little bit about how human factors contribute to security breaches at the site and what steps can be taken to strengthen that weak link?

Anders Lindquist

Yeah. You know, I would say the emergent security trends, like, match exactly what you're talking about, which is like the toll scam we were talking about earlier in Michigan, but also it's the email attacks that come in. You know, I'd recommend talking to people, your friends and family and your kids, or, you know, family that have access to these types of threats and, you know, making sure that, with the older generation, they know that this is how people take advantage of your email address. Make sure that it's really from the person who you think it is and not just a different name or a different email in the header. So you have to look at, make sure that the person that you think you're receiving it from is actually the person who is sending it. So just don't. The other thing too is just be aware of not randomly scanning the QR codes that could lead to something malicious. Always keep your VPN on, especially when you're in public. If you have to connect to public Wi-Fi, make sure your software is up to date, request to approve networks. Don't share codes with other people. That's the most common vulnerability, that people will share their codes and allow access. The text that you receive is a code, so don't share your code with even a friend. Another common scam is receiving fake voicemails and faxes. Again, making sure that the fax number that you're receiving it from is expected. And if you get the message that says, act without delaying, that's again a very big red flag. International conflicts, making sure that you're aware that those also initiate cyber attacks when they happen. The goal is just to disrupt your normal way of life. Things that you can implement immediately. Again, two-factor authentication, something that you have, and then something that you need to know, like assign a number to a member of your team to make sure that to be on the lookout for spam and phishing emails. So keep the word out there.
Keep talking to your friends and family if you don't already have a cybersecurity team channel in your organization. It's really good. Just for sharing conversations about the topic and tips and tricks like we're discussing today. We can talk more about stakeholder buy-in and why cybersecurity's not a business risk, but a business asset, and it's too expensive to go without.

Jimmy Bechtel

I think that is a good place for us to kind of move into. So from your vantage point then at LabCorp, what are some of the industry-wide trends around that concept and that are things that are emerging that sites should be preparing for now to stay ahead of some of those future threats?

Anders Lindquist

Some immediate actions to take: having cybersecurity awareness training. Again, this reduces up to 50%. Having the phishing simulations, phishing up to 4,151% since ChatGPT has launched. Having the MFA implementation, that blocks 99% of the automated attacks. Thinking about password hygiene, 81% of breaches involve a weak or stolen password. Having a plan in place, incident response planning, regular vulnerabilities, making sure that you're thinking ahead. Another really good approach is to have a Be Safe button or a report of suspicious emails button with your IT team. Use your spam filters, but then take the time to read the SCRS Non-Technical Guide to Cybersecurity and you'll find the framework to develop your own site plan. It's only 32 pages long, but it can come back every so often just to take a deeper dive into the governance. But now we're probably running out of time, so we should probably talk about it, you know, a little bit more next time, Jimmy.

Jimmy Bechtel

I know it's one of those topics that we probably could talk about for days and days and days. As we've said, we've had summit sessions related to this that are hour-long conversations. But we'll try to condense what we did down into our podcast timing here. But thank you, Anders. The final question that I have for you today before we begin to wrap up is, if you wouldn't mind sharing a few tips or tricks for sites looking to implement immediate, effective improvements when you have limited resources or technical experience.

Anders Lindquist

Yeah. I'll leave you with this caveat. It's really important to build stronger relationships with outside departments within your organization. It's important to build that bridge so that if and when you have a cyber threat or a cyber attack, you have that framework in place. People are able to communicate and share information quickly. Make sure that the research department's not forgotten when it comes to cybersecurity. That's another really important aspect.

Jimmy Bechtel

Great examples, as expected, Anders. But I want to thank you for being here with us today, sharing a little bit around cybersecurity and peeling back the curtain around that. It's a conversation that should never end, because every day new cybersecurity, as you've so eloquently described, new cybersecurity threats rise. There's new areas for us to worry about cybersecurity. You gave the example of AI and how we've just seen a rampant uptick in issues. The examples and the cunningness of some of these criminals is astounding. But we'll leave it at that. Anders, thank you for being here with us today and for sharing some of your insights with our listenership.

Anders Lindquist

Thank you so much, Jimmy. I look forward to connecting with you again soon.

Jimmy Bechtel

And for those that are listening, I hope you check out other great site-focused resources made available to our entire community on our website, myscrs.org, including other podcasts, webcasts, and that cybersecurity guide that Anders mentioned, that you can download and dive even further into the topic. But for now, thanks for tuning in, for listening, and until next time.