In the United Kingdom, breaches in internal access control and other security measures have resulted in public exposure to a spate of harmful and contagious bacteria and viruses, including Shigella, the leading bacterial cause of dysentery.
It’s clear that contamination and/or leakage of controlled substances can be the cause of severe public health risks, including contagious disease. Granted, the lack of attention to safety is a key cause in such incidents, but unauthorized access to certain internal facilities (e.g. where harmful substances are kept) are a related factor.
If left unchecked, such security vulnerabilities can be the root-cause of not only extensive health risks, but if connected to your lab, the cause for government penalties (including closure) and a loss of reputation in the pharmaceutical industry.
Why the Controlled Drugs & Substances Act Matters
Pharmaceutical laboratories must adhere to the Controlled Drugs and Substances Act (CDSA) and, by extension, Health Canada’s Directive on Physical Security Requirements for Controlled Substances (Directive). As per Health Canada, the Directive applies “to all licensed dealers of controlled substances as well as to research scientists and analysis laboratories.”
The CDSA was introduced in 1996 to restrict access to certain substances – e.g. chemicals and drugs – to organizations that are specially authorized to manage and/or sell those substances. In order to acquire that authorization organizations – such as pharmaceutical labs – must adhere to clearly defined regulatory requirements, especially in the domain of physical security.
These security requirements are outlined by Health Canada in the Directive. Health Canada had listed the necessary components of a viable lab security system, including visual monitoring and access control, among others. To obtain and retain your right to manage controlled substances, your pharmaceutical lab must fulfill the Directive’s core objectives, which is to prevent breaches by deterring and, if necessary, aggressively addressing criminal activity.
Granted, the Directive’s security requirements are not easy to implement, but it’s important to also understand Health Canada’s perspective on the issue. Ottawa is restricting accessibility to certain substances because those substances pose an inherent risk to public health and safety.
Be it to mitigate the risk of contamination or driving criminal activity, controlled substances must be managed carefully and available to only those qualified and legally vetted to handle them. It’s certainly a sensible expectation for such materials.
However, not only is applying the Directive a necessity from a legal standpoint, but it’s vital from a profitability perspective as well. Breaches, especially those that result in the theft of controlled substances (which could include proprietary research), is incredibly costly.
Rather than going through an expensive recovery process, it is best to just prevent the risk of theft entirely by installing a professional security system at your facility.
Is Your Lab Correctly Applying its Security System?
We’ll Identify and Help You Close Gaps
Common Mistakes to Major Security Risks
Gaps in Visual Monitoring
Gaps in your visual monitoring systems are unacceptable. Vulnerabilities of this kind essentially leave you blind to the workings of your facility. This could either be a risk (by providing an area for illegal activity to occur) or be surplus capacity that you are paying for, but cannot use due to not having enough (or poor quality) closed-circuit television (CCTV) systems.
Visual monitoring is a critical piece to both deterring and investigating security incidents.
Firstly, by having CCTVs placed at every place where controlled substances are located and/or flow through (e.g. from shipping/receiving to the storage facility), you lower the incentive for illicit activity by having functional – and visible – CCTVs in place at every relevant location.
Secondly, should an incident occur, law-enforcement will request your CCTV footage. You must ensure that the footage is both recoverable and of high-enough quality.
Inadequate Access Controls
The purpose of having access control systems – such as biometric authentication and key codes – is to restrict access to sensitive areas (e.g. substance storage areas) at your facility.
For example, you would not want an outsider or a staff member untrained in handling controlled substances to be exposed to harmful bacteria. Likewise, preventing access to such facilities will also protect your substances and other assets from external contamination, damage or theft.
Not only do access control measures shield you from non-compliance penalties, but they also enable you to protect your intellectual property (IP) from a range of threats.
For example, key codes can be reprogrammed immediately following the departure of an employee, thus ensuring that ex-employees are unable to access (and harm) your facility.
You could also have incorrectly applied access control processes, e.g. staff sharing their key codes or cards with another. It’s essential that you pair your system installation with complete training and standard-operating procedures (SOP) to ensure their correct implementation.
Finally, the extent of your access control requirements will also depend on the nature of your controlled substances. Health Canada has defined 11 security levels corresponding to what it deems as the potential risk of each substance.
Weak Intrusion Detection & Response Systems
Intruder detection and response systems are integral to a viable security system. Some might be satisfied with just having an alarm, but an alarm hardly has any impact if it is not augmented by a mechanism to alert law-enforcement to the scene.
A functioning intrusion detection system is vital in periods where you will not have as many staff on-site at your lab. For example, holidays, weekends and overnight, i.e. periods where external crime is likelier to take place. This system is your first line of defence against such threats.
Supply Chain Complexity
In some cases, especially following mergers and acquisitions, pharmaceutical companies could be managing large and complex supply chains. For example, a company can have multiple labs between which controlled substances must be transported securely.
While in transit, your substances could be at elevated risk of theft, loss or unauthorized access.
Besides airtight SOPs outlining how to manage harmful material in such scenarios, you should use asset monitoring systems – such as RFID (radio-frequency identification) chips – to closely keep tabs on the cargo to ensure that it’s being handled in alignment with SOPs.
The objective is to ensure that your logistics channel is complying with your security procedures while also having the means to identify and investigate irregularities.
The effectiveness of your security system is contingent on how well you had identified the risks posed to your pharmaceutical laboratory. This is a crucial part of the planning stage because it equips you with insights into the systems your lab needs to protect itself from its actual threats.
In fact, the vulnerabilities you have at your pharmaceutical lab are likely a result of incomplete design work and, prior to that, insufficient planning. The ones that are best equipped to identify and address security threats, especially less apparent ones, are those with many years of real -world experience designing security systems in the pharmaceutical industry.
Identify and Resolve Security Weaknesses
Correctly Scope Your Requirements
Health Canada defined 11 security levels regarding controlled substances. You must start by correctly identifying your security level and design your security system accordingly.
Undertake a Thorough Risk Analysis
The risks posed to your lab depend on the controlled substances it’s managing, its location and operational realities (e.g. does it have a complex supply or logistics channel?). It would take an experienced security systems design and installation company to fully uncover these threats as well as select the right systems to appropriately protect your lab.
Get a Professionally Designed Security System
Once you have determined the scope of your security requirements and the risks posed to your laboratory, you will need to install your security system.
There is more to this stage than simply installing new hardware; rather, it involves installation, testing, certification and training to verify that the system is fully functional. In case of failure, a contingency plan involving redundancies and repairing your primary system must be in place.
It’s clear that the input of a professional security company is practically required for each stage of this process. Be it identifying your actual security requirements to properly implementing the solution (including the technical installation side), you need industry expertise and partnerships with system vendors on your side. There is no better way to equip your lab so that its security is compliant with Health Canada’s Directive and fortified against all threats.
Veridin leverages more than 25 years of real-world experience in supporting pharmaceutical labs with their complex security requirements. Our experience provides us with a wealth of expertise to identify the threats your lab faces and, in turn, shield your lab using fully compliant and first-in-class solutions from the top vendors, including Honeywell, S2 Security and others.
Contact us today to discuss how we can spot and close your pharmaceutical lab’s security gaps.