Enterprise-Grade Security for Laboratory Informatics
LabLynx’s security framework is built on the NIST SP 800-53 Revision 4 control catalog (since superseded by Revision 5) and is designed to meet stringent compliance requirements, including HIPAA obligations as a business associate, state privacy programs such as those of New York and California, and numerous laboratory standards and regulations. This security brochure details the policies, procedures, and technical controls that let laboratories operate securely and in compliance while protecting sensitive research data and personal health information.
Cross-Organizational Security Governance
A dedicated cross-organizational committee meets regularly on cybersecurity issues. It is responsible for policy training during onboarding, policy issuance, and randomized security testing across all LabLynx organizations, departments, and activities. The brochure outlines how management practices and controls are actively monitored, with remedial action taken when deficiencies are found. Server operating systems are maintained through scheduled maintenance tasks, weekly vulnerability reviews, and periodic infrastructure assessments.
Amazon Web Services Infrastructure
LabLynx hosts at Amazon Web Services (AWS), whose physical infrastructure and physical security are world-class. The brochure provides details on AWS SOC 3 compliance reports, FedRAMP-authorized services in the AWS US East and US West regions, and how the global infrastructure keeps customer data isolated with tightly limited access. Development environments are also maintained at AWS, with separation enforced between production and non-production systems.
Information Security Classifications and Controls
Four-Tier Security Framework
The brochure details LabLynx’s information security standard governing the security, protection, and handling of information and records under four broad classifications: Public data, which is freely available; Internal data, available to company personnel; Confidential data, which requires special qualifications to access and includes PII, PHI, GDPR-regulated categories, and PCI-regulated data; and Restricted data, whose unauthorized access could lead to irreparable harm.
Access Control and Authorization
Access to data is restricted to users or information systems with legitimate business needs, authorized by data owners on a need-to-know basis. Systems are configured to enforce access privileges based on job classification and function, with access restricted to only the data, programs, or portions of operating systems required to perform assigned functions.
Encryption and Data Protection
The brochure outlines encryption requirements: encryption at rest for all systems of moderate or higher risk impact, and encryption in transit using modern algorithms appropriate to the software. For web traffic, LabLynx currently requires TLS version 1.2 or higher, so that data in transit is protected against interception.
Data Sharing and Retention Policies
LabLynx holds all client electronic data and records for at least six years unless directed otherwise. Clients can request adherence to their internal retention policies, with LabLynx responsible for data and records of clients hosted and maintained on LabLynx servers.
Comprehensive Privacy and Cybersecurity Policies
The brochure provides a complete listing of LabLynx’s security policies including Change Management, Access Control, Configuration Management, Data Management, Development Integration and Maintenance, End-User Messaging, End-User Computing, Malicious Software, Password Control, Information Security, Laptop Encryption, Log Management, Problem and Incident Management, Server and Host Security, Separation of Duties, Incident Response Plan, Third Party Services, and Disaster Recovery.
Access Management and Single Sign-On
OpenSocial SSO Implementation
LabLynx offers single sign-on via SAML through OpenSocial, a component built by LabLynx specifically to handle SSO authentication. For each organization using OpenSocial-based SSO, a new application instance is created that the client can manage. Access to the hosted network is granted to personnel only on an as-needed basis and only from approved devices.
Asset Inventory and Administrative Controls
The brochure details how organizational assets are formally inventoried and classified with critical assets identified. LabLynx maintains an inventory of authorized devices and software, reduces and controls administrative privileges on all assets, and conducts semi-annual reviews of access privileges to ensure granted authorities remain required.
HIPAA Compliance and PHI Protection
As a HIPAA Business Associate, LabLynx is responsible for providing appropriate security and maintaining privacy for data hosted and stored on behalf of covered entities or other HIPAA business associates. The brochure explains strict protocols ensuring non-production environments with PII data never leave the hosted, protected network, protecting personal information against unauthorized release or exposure consistent with production environment controls.
Security Assessments and Monitoring
Regular Vulnerability Scanning
LabLynx conducts regular security assessments, security audits, and internal risk assessments of its information systems, including risks arising from external parties such as service providers, contractors, and outsourcing entities. AlienVault USM SIEM agents scan all systems for vulnerabilities at least once per week, and asset reviews are conducted every 30 days.
Continuous Monitoring Capabilities
The platform uses AlienVault USM, which tracks logins and connections, to monitor for unauthorized personnel, connections, devices, and software. LIMS systems record both successful and failed logins, and no wireless networks are attached to sensitive networks. Periodic audits, including remote access reviews, are performed regularly.
Incident Response and Client Communication
The brochure outlines formal incident response policies and procedures under which an Incident Response Team reacts quickly to computer-related incidents, including malware infections, intrusion attempts, break-ins, unauthorized disclosure of confidential information, system service interruptions, and breaches of personal information. The team subscribes to security industry alert services to stay informed of relevant threats, vulnerabilities, and lessons from actual incidents.
Client Support and Transparency
Clients are provided help desk accounts where all ticket creation and updates are emailed to clients. LabLynx may also directly call or email outside the ticketing system when situations warrant immediate attention, ensuring transparent communication during security events.
Disaster Recovery and Business Continuity
Backup and Recovery Procedures
All production environments at AWS are backed up regularly, with backups replicated to multiple data centers within the AWS region and encrypted backups retained for 10 weeks. All environments are scanned for malware, viruses, and other malicious code. The disaster recovery plan is tested annually to confirm it operates effectively, and alternate recovery sites are maintained in case of a major disaster.
Recovery Time Objectives
The brochure provides recovery time objectives computed as one hour of system configuration plus one hour per 100 GB of data restored. Specific procedures are outlined for server instance disasters, VPC/network disasters, and AWS availability zone disasters, so that laboratories can maintain operations even during significant infrastructure events.
Physical and Logical Isolation
The hosted network is physically and logically isolated from all remote locations, including company offices. Because the environment is hosted at AWS, where LabLynx personnel have no physical access, damage to central offices or remote sites will not impede continued operations from other locations, supporting true business continuity.