Mike Melo – LifeLabs Medical Laboratory Services
Two words that have become increasingly common in the digital world—and the last thing anyone in charge of cybersecurity wants to hear applied to their workplace.
Companies and cities alike have fallen victim to the trend, and in its 2019 Cost of a Data Breach Report, IBM Security and the Ponemon Institute showed a 130 percent global increase in cyberattacks since 2016, with the average cost of a breach being $4 million.
It was during a proactive security assessment of LifeLabs Medical Laboratory Services in October 2019 that the words “security breach” became a reality for the company and Mike Melo, then the senior manager of IT security.
Millions of LifeLabs customers may have been affected as health card numbers, names, email addresses, logins, passwords and dates of birth were accessed, as were test results of some customers living in Ontario.
While assessing and responding to the breach, setting a transparent course of action was crucial, Melo says.
“It was quite a stressful time, but everyone on our team understood what we had to do to respond swiftly and effectively to contain the breach and eradicate the threat,” he says. “This also included our readiness to prepare for the increase in our threat landscape once we made our public announcement.”
Canada’s largest diagnostic testing laboratory, LifeLabs has been providing services for more than 50 years. Headquartered in Toronto and Burnaby, British Columbia, it has more than 380 service centers, or collection sites, across the country, as well as 16 labs, the primary ones also in Toronto and Burnaby.
More than 79,000 customers visit the service centers each day, and LifeLabs was one of the first Canadian testing companies to provide an online portal for test results.
After the breach was announced, and Melo was named chief information security officer, he says the company first had to fend off more cyberattacks while working with the third-party auditor and vendors to shore up its security in the short term.
“You have a giant red target on you once you announce a breach publicly,” Melo says. “We knew what we had to do. We came together collectively as an organization and responded to the crisis.”
By that, Melo means everyone recognizing the importance of security and privacy as a business risk and not solely an IT function.
“There was a great sense of urgency amongst the team, who inherently understood how our customers would be impacted,” he says. “These cyberattacks are becoming more everyday occurrences. It’s high stakes and high tension, but I was impressed by how the team was laser-focused on responding and acting for the best interests of our customers.”
For Melo, LifeLabs’ response was ambitious not only in its ability to regain the trust of its patients and customers, but also in its efforts to achieve an industry-standard information security certification: ISO 27001.
Created by the International Organization for Standardization, the certification entails having both the leadership and the tech framework to maintain secure systems, Melo explains.
That security service framework is being enhanced and accelerated by both outside consultants and a bolstered internal team, Melo says. Among the investments are 35 added IT staff, a new chief privacy officer, a new CIO and an initial $50 million for resources and technology.
And though LifeLabs President and CEO Charles Brown said no public disclosure of customer data from the attack has been identified, the company is also providing a year of online protection and monitoring services to those affected by the breach.
Brown and Melo now co-chair an internal cybersecurity and governance council looking to implement best practices, and LifeLabs has integrated technologies enabling critical controls. Among the tech additions are Netskope, to secure cloud strategy and enable a secure remote workforce; and CrowdStrike, Stealthbits and Signal Sciences.
Melo was also certified by the SANS Institute to develop and enhance the cybersecurity awareness and training program for LifeLabs employees.
“The user is not the weakest link, they are the primary attack vector and we are ensuring they are armed with the knowledge and awareness in how to protect themselves and the organization in this digital world,” he explains.
It’s an all-encompassing approach to protect LifeLabs and rebuild customer trust—an approach that wasn’t slowed even as COVID-19 arrived. In fact, Melo notes, the pandemic underscores the greater need for security, as remote use of LifeLabs’ systems increased by 800 percent.
Drawn to complexity
While it’s now on his mind more than ever, Melo has made information and cybersecurity his career for nearly a decade.
Yet the threats that first fascinated him were microbial, not digital, as he studied for a degree in microbiology. When he saw that passion had ebbed, Melo also considered a music career—he’s a classical guitarist and earned a performance certificate from Mohawk College.
But computers have always struck a chord with him, too, and working in information security appealed to him as one of the most complex opportunities he could explore.
“I went into the security industry because it’s a fascinating field which requires high talent and leadership demand to combat the daily threats organizations face every day,” Melo says. “It requires more than just the baseline of expertise. You need a vast knowledge of many areas to really be able to excel at the CISO level.”
Among his degrees and certifications, Melo double majored—in software development and network engineering, and internet communications technology—at Sheridan College. He’s also been in charge of information security at companies throughout the Toronto area. Before joining LifeLabs in May 2018, he worked in fintech with DV Trading LLC.
Melo knows rebuilding trust and repairing LifeLabs’ image will take time and that the rebuilding process is anchored in a foundation shared by all.
“We’re transforming the way we operate to ensure security is always considered and involved in the decisions we make,” Melo adds. “It’s about how we can support our enterprise strategy, achieve our vision and exceed business goals, while ensuring we are within our risk appetite and protecting our customers’ personal health information.”