Title
Biological Safety Manual - Chapter 06: Principles of Laboratory Biosecurity
Introduction
The anthrax attacks on U.S. citizens in October 2001 and the subsequent expansion of the United States Select Agent regulations in December 2003 have led scientists, laboratory managers, security specialists, biosafety professionals, and other scientific and institutional leaders to consider the need for developing, implementing and/or improving the security of biological agents and toxins within their facilities. Since the publication of the fifth edition of the Biosafety in Microbiological and Biomedical Laboratories (BMBL)1, laboratory biosecurity was better defined by biorisk management documents including the International Standard Organization (ISO) 35001: Biorisk Management for Laboratories and Other Related Organizations. Other efforts include pre-access suitability, personnel reliability, and threat management approaches that identify and manage behavioral problems that could result in laboratory biorisk.
This chapter describes laboratory biosecurity planning for microbiological and biomedical laboratories. As indicated below, laboratories with good biosafety programs already fulfill many of the basic requirements needed to secure biological materials. For laboratories not handling Select Agents, the access controls and training requirements specified for Biosafety Level (BSL)-2 and BSL-3 in Chapter 4 of the Biological Safety Manual may provide sufficient security for the materials being studied. Security assessments and additional security measures should be considered when Select Agents, other agents of high public health and agriculture concern, or agents of high economical/commercial value such as patented vaccine candidates, are introduced into the laboratory.
The recommendations presented in this chapter are advisory. Excluding the Select Agent regulations, Executive Order (EO) 13546, and the Global Health Security Agenda EO 13747 (GHSA), there is no current federal requirement for the development of a laboratory biosecurity program. However, the application of these principles and the assessment process may enhance overall laboratory management, safety, and security. Laboratories that fall under the Select Agent regulations should consult Chapter 14 of the Biological Safety Manual (42 CFR part 73; 7 CFR 331 and 9 CFR 121).2,3,4
The term "biosecurity" has multiple definitions. In the plant and animal industry, the term biosecurity relates to policies, measures, and regulatory frameworks based in science, applied to protect, manage, and respond to risk associated with food, agriculture, health, and the environment. In some countries, the term biosecurity is used in place of the term biosafety. For the purposes of this chapter the term laboratory biosecurity will refer to measures designed to prevent loss, theft, or deliberate misuse of biological material, technology, or research-related information from laboratories or laboratory-associated facilities. See Appendix D of the BMBL for additional information about agricultural biosecurity.
Security is not a new concept in laboratories handling biological agents or materials. Several of the security measures discussed in this chapter are embedded in the biosafety levels that serve as the foundation for good laboratory practices throughout the biological laboratory community. Most biomedical and microbiological laboratories do not have Select Agents or Toxins; however, they maintain control over and account for research materials, protect relevant sensitive information, and work in facilities with access controls commensurate with the potential public health, agricultural, environmental, and economic impact of the biological agents in their collections. These measures are in place in most laboratories that apply good laboratory management practices and have appropriate biosafety programs.
Table of Contents
- Biosafety and Laboratory Biosecurity
- Risk Management Methodology
- Developing a Biosecurity Program
- Example Guidance: A Biosecurity Risk Assessment and Management Process
- Elements of a Laboratory Biosecurity Program
- Program Management
- Physical Security - Access Control and Monitoring
- Personnel Management
- Inventory and Accountability
- Information Security
- Transport of Biological Agents
- Accident, Injury, and Incident Response Plans
- Reporting and Communication
- Training and Practice Drills
- Security Updates and Reevaluations
- Select Agents
- References
I. Biosafety and Laboratory Biosecurity
Biosafety and laboratory biosecurity are related concepts, but not identical. Biosafety programs reduce or eliminate exposure of individuals and the environment to potentially hazardous biological agents.
Biosafety is achieved by:
- implementing various degrees of performance-based control and containment measures for biological materials;
- infrastructure design and access restrictions;
- personnel expertise and training;
- use of containment equipment; and
- safe methods of managing infectious materials.
Laboratory biosecurity - the prevention of the theft, loss or misuse of biological material, technology, or research-related information - is accomplished through:
- personnel vetting;
- personnel reliability;
- violence prevention programs;
- laboratory biosecurity training;
- dual-use research oversight process;
- cybersecurity standards;
- material and facility control; an
- accountability standards.
However, laboratory biosecurity is not limited to this list.
While the objectives are different, biosafety and laboratory biosecurity measures are usually complementary and share common components.
Both are based on the following:
- risk assessment and management methodology;
- personnel expertise and responsibility;
- control and accountability for research materials including microorganisms and culture stocks;
- access control elements;
- material transfer documentation;
- training; and
- emergency planning; and program management.
Both programs assess personnel qualifications. The biosafety program ensures that personnel are qualified to perform their jobs safely through training and documentation of technical expertise. Staff must exhibit the appropriate level of professional responsibility for the management of research materials by adherence to appropriate materials management procedures. Biosafety practices require laboratory access to be limited when work is in progress. Laboratory biosecurity practices require laboratory access to be limited when work is in progress. Laboratory biosecurity practices ensure that access to the laboratory facility and biological materials are limited and controlled as necessary. Facilities should have pre-established reporting mechanisms regarding any concerning behavior/incidents in order to alleviate laboratory biosecurity insider threat concerns. An inventory or material management process for control and tracking of biological stocks or other sensitive materials is also a component of both programs. For biosafety, the shipment of infectious biological materials must adhere to safe packaging, containment and appropriate transport procedures; laboratory biosecurity ensures that transfers are controlled, tracked and documented commensurate with the potential risks. Both programs must engage laboratory personnel in the development of practices and procedures that fulfill the biosafety and laboratory biosecurity program objectives but that do not hinder research or clinical/diagnostic activities. The success of both programs hinges on a laboratory culture that understands and accepts the rationale for biosafety and laboratory biosecurity programs and the corresponding management oversight.
In some cases, laboratory biosecurity practices may conflict with biosafety practices, requiring personnel and management to devise policies that accommodate both sets of objectives (e.g., signage). Standard biosafety practice requires that signage be posted on laboratory doors to alert people to the hazards that may be present within the laboratory. The biohazard sign normally includes the name of the agent, specific hazards, and precautions (e.g., PPE) associated with the use or handling of the agent and contact information for the investigator. These hazard communication practices may conflict with security objectives. Therefore, biosafety and biosecurity considerations must be balanced and proportional to the identified risks when developing institutional policies. Alternative solutions may be developed and implemented to meet both sets of objectives.
Designing a laboratory biosecurity program that does not jeopardize laboratory operations or interfere with the conduct of research requires a familiarity with microbiology and the materials that require protection. Protecting pathogens and other sensitive biological materials while preserving the free exchange of research materials and information may present significant institutional challenges. Therefore, a combination or tiered approach to protecting biological materials, commensurate with the identified risks, often provides the best resolution to conflicts that may arise. However, in the absence of legal requirements for a laboratory biosecurity program, the health and safety of laboratory personnel and the surrounding environment should take precedence over biosecurity concerns.
A. Risk Management Methodology
A risk management methodology can be used to identify the need for a laboratory biosecurity program.
A risk management approach to laboratory biosecurity:
- Establishes which, if any, agents, technology, and/or research-related information require biosecurity measures to prevent loss, theft, diversion, or intentional misuse; and
- Ensures the protective measures provided, and the costs associated with that protection, are proportional to the risk.
The need for a laboratory biosecurity program should be based on the possible impact of the theft, loss, diversion, or intentional misuse of the materials, recognizing that different agents and toxins will pose different levels of risk. Resources are not infinite. Laboratory biosecurity policies and procedures should not seek to protect against every conceivable risk. The risks need to be identified and prioritized, and resources allocated based on that prioritization. Not all institutions will rank the same agent at the same risk level. Risk management methodology takes into consideration available institutional resources and the risk tolerance of the institution.
Developing a Biosecurity Program
Management, researchers, and laboratory supervisors must be committed to being responsible stewards of infectious agents and toxins. Development and implementation of a laboratory biosecurity program should be a collaborative process involving all stakeholders.
The stakeholders include, but are not limited to:
- senior management;
- scientific staff;
- human resource officials;
- information technology staff; and
- safety, security, and engineering officials.
The involvement of organizations and/or personnel responsible for a facility's overall security is critical because many potential biosecurity measures may already be in place as part of an existing safety or security program. This coordinated approach is critical in ensuring that the laboratory biosecurity program provides reasonable, timely, and cost-effective solutions addressing the identified security risks without unduly affecting the scientific or business enterprise or provision of clinical and/or diagnostic services.
There is a need to include law enforcement and security communities in the development of preventative measures and enforcement principles going beyond response and consequence management, especially for laboratories working at BSL-3 or BSL-4. The FBI has a Weapons of Mass Destruction (WMD) Coordinator assigned to each of its field offices across the United States (U.S.). WMD Coordinators are responsible for conducting laboratory biosecurity outreach in their area of responsibility and being a point of contact for any concern/threats involving WMD, including biological agents and materials.
The need for a laboratory biosecurity program should reflect sound risk management practices based on a site-specific risk assessment. A laboratory biosecurity risk assessment should analyze the probability and consequences of loss, theft and potential misuse of biological material, technology, or research-related information. Most importantly, the biosecurity risk assessment should be used as the basis for making risk management decisions that are balanced with the needs of the biosafety risk assessment.
B. Example Guidance: A Biosecurity Risk Assessment and Management Process
Different models exist regarding biosecurity risk assessment. Most models share common components such as asset identification, threat, vulnerability and mitigation. What follows is one example of how a laboratory biosecurity risk assessment may be conducted. In this example, the entire risk assessment and risk management process may be divided into five main steps, each of which can be further subdivided. Example guidance for these five steps is provided below.
Step 1: Identify and Prioritize Biological Materials, Research-Related Information, and Technology
- Identify the biological materials, research-related information, and technology that exist at the institution.
- Identify the form of the material, location and quantities, including non-replicating materials (e.g., toxins).
- Evaluate the potential for misuse of these assets.
- Evaluate the consequences of misuse of these assets.
Prioritize the assets based on the consequences of misuse (i.e., risk of malicious use). At this point, an institution may find that none of its biologic materials, research-related information, or technology merit the development and implementation of a separate laboratory biosecurity program or that the existing security at the facility is adequate. In this event, no additional steps would need to be completed.
Step 2: Identify and Prioritize the Threat to Biological Materials, Research-Related Information, and Technology
- Identify the types of "Insiders" who may pose a threat to the biologic materials, research-related information, and technology at the institution.
- Identify the types of "Outsiders" (if any) who may pose a threat to the biologic materials, research-related information, and technology at the institution.
- Evaluate and prioritize the motive, means, and opportunity of these various potential adversaries.
Step 3: Analyze the Risk of Specific Security Scenarios
- Develop a list of possible laboratory biosecurity scenarios or undesired events that could occur at the institution. Each scenario is a combination of an item, an adversary, and an action. Consider:
- access to the agent within your laboratory;
- how the undesired event could occur;
- protective measures in place to prevent occurrence; and
- how the existing protection measures could be breached (i.e., vulnerabilities).
- Evaluate the probability of each scenario materializing (i.e., the likelihood) and its associated consequences. Assumptions include:
- although a wide range of threats are possible, certain threats are more probable than others;
- all agents/assets are not equally attractive to an adversary; valid and credible threats, existing precautions, and the potential need for select enhanced precautions are considered.
- Prioritize or rank the scenarios by risk for review by management.
Step 4: Develop an Overall Risk Management Program
- Management commits to oversight, implementation, training, and maintenance of the laboratory biosecurity program.
- Management develops a laboratory biosecurity risk statement, documenting which laboratory biosecurity scenarios represent an unacceptable risk and must be mitigated versus those risks appropriately handled through existing protection controls.
- Management develops a laboratory biosecurity plan to describe how the institution will mitigate those unacceptable risks including:
- a written security plan, standard operating procedures, and incident response plans; and
- written protocols for employee training on potential hazards, the laboratory biosecurity program, and incident response plans.
- Management ensures necessary resources to achieve the protection measures documented in the laboratory biosecurity plan.
Step 5: Reevaluate the Institution's Risk Posture and Protection Objectives
- Management regularly reevaluates and makes necessary modifications to the:
- Laboratory biosecurity risk statement;
- Laboratory biosecurity risk assessment process;
- Institution's laboratory biosecurity program/plan;
- Institution's laboratory biosecurity systems.
- Management assures the daily implementation, training, annual re-evaluation, and practice drills of the security program.
II. Elements of a Laboratory Biosecurity Program
Many facilities may determine that existing safety and security programs provide adequate mitigation for the security concerns identified through laboratory biosecurity risk assessment. This chapter offers examples and suggestions for components of a laboratory biosecurity program should the risk assessment reveal that further protections may be warranted. Program components should be site-specific and based upon organizational threat/vulnerability assessment and as determined appropriate by facility management. Elements discussed below should be implemented, as needed, based upon the risk assessment process. They should not be construed as minimum requirements or minimum standards for a laboratory biosecurity program.
A. Program Management
If a laboratory biosecurity plan is implemented, institutional management must support the laboratory biosecurity program. Appropriate authority must be delegated for implementation and the necessary resources provided to assure program goals are being met. An organizational structure for the laboratory biosecurity program that clearly defines the chain of command, roles, and responsibilities should be distributed to the staff. Program management should ensure that laboratory biosecurity plans are created, implemented, exercised, and revised as needed. The laboratory biosecurity program should be integrated into relevant institutional policies and plans.
B. Physical Security - Access Control and Monitoring
The physical security elements of a laboratory biosecurity program are intended to prevent the introduction and removal of assets for non-official purposes. An evaluation of the physical security measures should include a thorough review of the building(s) and premises, the laboratories and biological material storage areas. Many requirements for a laboratory biosecurity plan may already exist in a facility's overall security plan.
Access should be limited to authorized and designated employees based on the need to enter sensitive areas. Methods for limiting access could be as simple as locking doors or having a card key system in place. Evaluations of the levels of access should consider all facets of the laboratory's operations and programs (e.g., laboratory entrance requirements, freezer access). The need for entry by visitors, laboratory workers, management officials, students, cleaning and maintenance staff, and emergency response personnel should be considered.
C. Personnel Management
Personnel management includes identifying the roles and responsibilities for employees who handle, use, store, and transport pathogens and/or other important assets. The effectiveness of a laboratory biosecurity program against identified threats depends, first and foremost, on the integrity and awareness of those individuals who have access to pathogens, toxins, sensitive information and/or other assets. Employee vetting/screening policies and procedures are used to help evaluate these individuals. To maintain a personnel reliability and violence prevention plan, management should conduct periodic review of staff, establish an anonymous peer and threat reporting system, institute an Employee Health and Wellness Program, and foster leadership accountability to address submitted reports. Policies should be developed for personnel and visitor identification, visitor management, access procedures, and reporting of security incidents.
D. Inventory and Accountability
Material accountability procedures should be established to track the following:
- inventory of biological materials and toxins;
- storage, including physical and digital;
- the use, transfer, and destruction of dangerous biological materials and assets when no longer needed; and
- the inactivation of biological materials, particularly prior to transport outside the facility.
See Appendix K of the BMBL for more information. The objective is to know what assets exist at a facility, where they are located, and who is responsible for them.
To achieve this, management should define the following:
- the materials (or forms of materials) subject to accountability measures;
- records to be maintained and timelines for record retention;
- operating procedures associated with inventory maintenance (e.g., how material is identified, where it can be used and stored); and
- documentation and reporting requirements.
It is important to emphasize that microbiological agents are capable of replication and are often propagated. Therefore, knowing the exact quantity of organisms at any given time may be impractical. Depending on the risks associated with a pathogen or toxin, management can designate an individual who is accountable, knowledgeable about the materials in use, and responsible for security of the materials under the individual's control.
E. Information Security
An information security program is intended to accomplish the following objectives:
- ensure data integrity;
- protect information from unauthorized release; and
- ensure that the appropriate level of confidentiality is preserved.
Policies should be established for handling sensitive information associated with the laboratory biosecurity program. For the purpose of these policies, "sensitive information" is information that is related to the security of pathogens and toxins, or other critical infrastructure information.
Examples of sensitive information may include:
- facility security plans;
- access control codes;
- newly developed technologies or methodologies;
- agent inventories; and
- storage locations.
Discussion of information security in this chapter does not pertain to information that has been designated "classified" by the United States pursuant to Executive Order 13526 (or successor Executive Orders), and is governed by United States law or to research-related information which is typically unregulated or unrestricted through the peer review and approval processes.
Facilities should develop policies that govern the proper identification, marking and handling, securing, and storage of sensitive information including electronic files and removable electronic media (e.g., CDs, external hard drives, USB flash drives). The information security program should be tailored to meet the needs of the business environment, support the mission of the organization, and mitigate the identified threats. It is critical that access to sensitive information be controlled.
F. Transport of Biological Agents
Material transport policies should include accountability measures for the movement of materials within an institution (e.g., between laboratories, during shipping and receiving activities) and outside of the facility (e.g., between institutions or locations). Transport policies should address the need for appropriate documentation and material accountability and control procedures for biological materials and toxins in transit between locations. Transport security measures should be instituted to ensure that appropriate authorizations have been received and that adequate communication between facilities has occurred before, during, and after transport of pathogens or other potentially hazardous biological materials. Personnel should be adequately trained and familiar with regulatory and institutional procedures for proper containment, packaging, labeling, documentation and transport of biological materials.
G. Accident, Injury, and Incident Response Plans
Laboratory security policies should consider situations that may require emergency responders or public safety personnel to enter the facility in response to an accident, injury, or other safety issue or security threat. The preservation of human life and the safety and health of laboratory employees and the surrounding community must take precedence over laboratory biosecurity and biosafety concerns in an emergency.
Facilities are encouraged to coordinate with medical, fire, police, and other emergency officials when preparing emergency and security breach response plans. Standard Operation Procedures (SOPs) should be developed that minimize the potential exposure of responding personnel to potentially hazardous biological materials. Laboratory emergency response plans should be integrated with relevant facility-wide or site-specific security plans. These plans should also consider such adverse events as bomb threats, natural disasters, severe weather, power outages, and other facility emergencies that may introduce security threats.
H. Reporting and Communication
Communication is an important aspect of a laboratory biosecurity program. A "chain-of-notification" should be established in advance of an actual event. This communication chain should include laboratory and program officials, institution management, and any relevant regulatory or public authorities. The roles and responsibilities of all involved officials and programs should be clearly defined. Policies should address the reporting and investigation of potential security breaches (e.g., missing biological agents, unusual or threatening phone calls, unauthorized personnel in restricted areas, and unauthorized transfer of assets to and from the facility).
I. Training and Practice Drills
Laboratory biosecurity training is essential for the successful implementation of a laboratory biosecurity program. Program management should establish training programs that inform and educate individuals regarding their responsibilities within the laboratory and the institution. For example, it might be difficult to identify suspicious activity that warrants attention without appropriate training on security awareness, laboratory biosecurity best practices, and the facility’s established reporting mechanisms.
Practice drills should address a variety of scenarios such as loss or theft of materials, emergency response to accidents and injuries, incident reporting and identification of and response to security breaches. These scenarios may be incorporated into existing emergency response drills such as fire drills or building evacuation drills associated with bomb threats. Incorporating laboratory biosecurity measures into existing procedures and response plans often provide efficient use of resources, saves time, and can minimize confusion in an emergency situation.
J. Security Updates and Reevaluations
The laboratory biosecurity risk assessment and program should be reviewed and updated routinely and following any laboratory biosecurity-related incident. Re-evaluation is a necessary and on-going process in the dynamic environments of today's biomedical and research laboratories. Laboratory biosecurity program managers should develop and conduct laboratory biosecurity program audits and implement corrective actions as needed. Audit results and corrective actions should be documented. The appropriate program officials should maintain records.
K. Select Agents
If an entity possesses, uses, or transfer select agents, the entity must comply with all requirements of the National Select Agent Program. See Chapter 14 of the Biological Safety Manual for additional guidance on the CDC and USDA Select Agent Programs (42 CFR part 73; 7 CFR 331 and 9 CFR 121).
References
- U.S. Centers for Disease Control and Prevention. Biosafety in Microbiological and Biomedical Laboratories (BMBL).
- Select agents and toxins, 42 C.F.R. Part 73.
- Possession, use, and transfer of select agents and toxins, 7 C.F.R. Part 331.
- Possession, use, and transfer of select agents and toxins, 9 C.F.R. Part 121.
Back to Chapter Five
Proceed to Chapter Seven