The Physical Security & Compliance Requirements of Canada's Pharmaceutical Industry
Table of Contents
Part I: Introduction
In 2017, the Canadian pharmaceutical market was the 10th largest pharmaceutical market in the world, constituting a 1.9% share in the global pharma market. The industry employed nearly 30,000 people that year, with employment growing by 10.7% from 2012 to 2017. The Canadian pharmaceutical market exported $8.9 billion goods to the world market in 2017 as well.
Market in the World
in Pharmaceutical Goods to the
World Market in 2017
There is no doubt that the pharmaceutical industry is a vital sector of Canada’s economy, but it’s also under intense pressure, and that too from multiple areas.
Firstly, it’s becoming more difficult to export due to growing global competition. For example, Canada’s exports dipped from $11.8 billion in 2016 to $8.9 billion in 2017 (i.e. a drop of nearly $3 billion or 25%). Secondly, the industry also facing downward pressure on pricing and overall profitability. Finally, Canadian biopharma small and medium enterprises (SME) have identified regulatory issues as a “added hindrance” to their growth objectives.
Physical security is an essential aspect to Canada’s regulatory requirements. These security measures are not only mandated by the law, but they are vital to shielding your pharmaceutical business. Be it protecting your critical intellectual property (IP), prime research assets or preventing the risk of fatal damage to your brand’s reputation as a result of a breach, your actions must center on strong security practices.
Part II: Pharmaceutical Security Regulations Apply to Labs and Pharmacies Alike
Canada’s regulatory requirements on security – defined by the Controlled Drugs and Substances Act (CDSA) and enforced under the Directive on Physical Security Requirements for Controlled Substances – apply to both pharmaceutical laboratories/producers and pharmacies alike. In fact, the Government of Canada states that the Directive applies “to all licensed dealers of controlled substances as well as to research scientists and analysis laboratories.”
Part III: Security Requirements for Pharmaceutical Laboratories
Within the Directive on Physical Security Requirements for Controlled Substances (Directive), government regulatories have defined 11 security levels. The security level applicable to you depends on the nature of your lab’s research work and its controlled substance inventories.
Why Does Security Matter?
To the government, theft of uncontrolled substances would be a significant public health and safety risk. Moreover, a breach will not only drive your costs up in direct terms (e.g. for fixing security, paying penalties and/or dealing with civil legal challenges), but it will also heavily (or fatally) damage your brand’s reputation, thus jeopardizing its long-term business activities.
What Your Security System Needs to Achieve
Besides controlled substances, a pharmaceutical laboratory is a prime target for crime targeting intellectual property (IP), research, patient or client information and other commercial assets. A breach in any of these areas will severely impact your competitive stature and brand reputation, which can affect you in terms of gaining investors and markets.
The security risks at hand are not theoretical. In fact, the counterfeit pharma market itself relies on illicit activity that includes compromising the supply chains of legitimate pharmaceutical firms.
In 2013, the Organisation for Economic Co-operation and Development (OECD) concluded that counterfeit pharmaceutical trade had generated $200 billion in sales (i.e. 25% of global pharma sales that year). In addition, Cisco outlined that the pharmaceutical industry was among the top three industries with the highest threat perceptions based on real-world criminal activity.
The Directive details the following as necessary domains for a fully compliant security system:
1. Purpose and Scope
Your security system should start with properly identifying where you stand in terms of the 11 security levels defined by Health Canada. Each level has its own set of security requirements for which you are accountable to in terms of your security hardware and processes.
Government regulators recommend maintaining diversity in the industry so that those agents who succeed in causing a breach in one company will not be able to replicate the method with another one. Evidently, this requires the input of an experienced security solutions consultant and provider that can speak to that knowledge and help you build a solution based on it.
2. Risk Analysis
The risk analysis phase must account for every relevant issue affecting your pharmaceutical company. In terms of physical security, factors such as your location and its proximity to theft (including professional burglars), wider criminal activity that can involve controlled substances, and the value of your controlled substances and/or research.
The second aspect of your risk analysis involves identifying actual threats. Health Canada has identified robbery, pilferage and theft as the primary threats posed to pharmaceutical labs. The results of your scope and risk analysis will let you design your lab’s security system in terms of both the necessary equipment and how you should deploy that equipment.
3. Security System Design
In designing the security system of your pharmaceutical laboratory, you must decide on three core areas: (1) selecting the correct protection concept for your lab; (2) procuring the correct security systems to protect your assets; and (3) ensuring that the equipment is integrated as well as properly supported in terms of lifecycle maintenance and compliance reporting.
3A. Select the Right Model
Health Canada has identified four potential security models for pharmaceutical companies to adopt. However, pharmaceutical laboratories should adopt the Rings of Protection Concept.
Health Canada describes the Rings of Protection Concept as “the construction of various rings or barriers of protection around the items being protected.” Fundamentally, this approach aims to raise a number of barriers – which take the form of physical fencing, access control systems, 24/7 visual monitoring and fortified storage hardware – around your prime assets.
The objective of this approach is to both shield your assets from an attempted breach and to psychologically deter prospective thieves. Should a breach occur, the barriers will function to slow the intruder and extend law enforcement’s response window.
3B. Procuring the Right Pharma Lab Security Systems
For the Rings of Protection Concept to practically work, it’s imperative that you select the right equipment for your facility’s security system.
24/7 Visual Monitoring
This necessitates the procurement of a closed circuit television (CCTV) suite capable of both high-quality video capture and storage. The latter is critical should law-enforcement and/or the government require it as part of a criminal investigation or compliance-related matter. Quality is essential as a technical failure would result in lapses in your visual monitoring coverage.
Technology such as access cards, key codes and other methods of restricting access to prized assets (e.g. IP), controlled substances and restricted facilities (e.g. uncontaminated labs and/or research rooms) are critical components of your access control barriers.
Besides protecting your assets from theft, access control measures also support efficiency in your business operations. You can restrict access to testing labs to prevent decontamination, which is costly to remediate after-the-fact. Likewise, should a issue – such as a compromised keycode – occur, the lab can preempt its impact by digitally reprogramming (e.g. changing the codes) instead of having to replace every physical lock on-site.
Intruder Detection & Alerting Law-Enforcement
The perimeter of your laboratory must be secured. This may involve physical fencing outside of your facility integrated with an intrusion detection system. For example, you could have alarm system monitoring wherein your facility alerts law-enforcement the moment an intruder attempts (much less proceeds to) interfere with your pharmaceutical facility.
Due to the risk of losing controlled substances during transit, loading and dispatch, you might be required to install real-time location tracking hardware to your assets as well. You could achieve this by using location-based trackers and/or RFID (radio-frequency identification).
4. Integration and Support
The effectiveness of your security system is not only contingent on your selection of equipment, but the operational and lifecycle support it leverages as well. For example, a CCTV system that has a high failure-rate is a critical liability. Not only would it fail to fully monitor your facility, but it will also compromise your compliance efforts.
To guarantee effectiveness and control costs (by avoiding compliance penalties and avoiding frequent equipment servicing), you should get your system designed, installed and tested by a professional security company with pharmaceutical industry experience.
Part IV: Pharmacy Security Policy and Procedures
Like pharmaceutical labs, pharmacies must adhere to the CSDA and Directive. However, these facilities are also unique in that they are liable to not only managing controlled substances, but they must do so within the retail or storefront environment. The latter has its own security risks.
1. Purpose and Scope
The retail/storefront environment adds another dimension to your security requirements. In this case, your priority will center on protecting inventory, staff and customers from potential threats.
Although the core ideas of Health Canada’s Directive apply, such as identifying your pharmacy’s security level (carrying certain drugs could result in a higher security level than others), you also have a different scope compared to pharmaceutical labs, which must also protect key business assets (such as IP) that you will not. However, you are also more exposed to the public.
2. Risk Analysis
In your risk analysis, you must determine how your retail site affects you in terms of threat exposure. For example, your location (such as a certain residential area) will have a unique crime-rate, one that could be relatively worse compared to other areas.
Likewise, retail sites such as pharmacies in such areas are vulnerable to specific kinds of threats, notably robbery and break-ins. However, your risk analysis must also account for granular issues as well, such as the layout of your storefront
For example, a mall will have entrances and exits that the pharmacy cannot control (such as the main entrance), but one could see these as vulnerabilities since people could be in proximity to the pharmacy outside of its operating hours. Unlike a lab, you cannot control the flow of people at all times near your pharmacy as you do not own or manage the surrounding property.
Thus, your security system must account for these retail-specific threats (along with the relevant vulnerabilities of managing controlled substances). As with pharmaceutical labs, having access to an experienced security solutions provider will help you properly identify these threats as well as design and install an effective security system.
For a pharmaceutical laboratory or pharmacy, implementing a professionally designed, installed and maintained security system is vital on both regulatory and best practices grounds.
Failure to do so will not only keep you vulnerable to the plethora of real-world security threats that aim to steal your IP assets, but in doing so, will work to cause irreparable damage to your brand and your pharmaceutical company’s ability to do business in the future.
However, the process of designing and implementing a security system that fully accounts for your risks while also seamlessly adhering to government compliance requirements cannot be done alone. You need professional expertise that leverages experience in the pharmaceutical industry along with a range of other insights (such as retail) to ensure every box is checked.
Veridin Systems Canada leverages more than 25 years of experience in providing clients in a range of complex industries, including pharmaceuticals, with professionally designed security systems. We combine extensive pharmaceutical experience, strong regulatory competency and partnerships with the physical security industry’s top vendors to equip labs and pharmacies alike with first-in-class solutions that are fully compliant and thoroughly effective.
Contact us today to discuss your requirements and how we can proceed to protect you from the security threats, compliance vulnerabilities and security-related inefficiencies you face.