In Canada, complying with the Controlled Drugs and Substances Act (CDSA) is required in order to maintain a viable pharmaceutical research, development, production or retail enterprise in the country. Introduced in 1996, the CDSA restricts access to various bacteria, chemicals and other substances to authorized organizations and companies.
Failing to comply with the CDSA could result in a range of penalties, including fines and possibly suspension or removal of one’s authorization to manage controlled substances.
However, some might not realize that the CDSA also mandates specific security requirements upon all entities managing controlled substances. This is defined by Health Canada under its Directive on Physical Security Requirements for Controlled Substances (Directive).
Health Canada states that the Directive applies “to all licensed dealers of controlled substances as well as to research scientists and analysis laboratories.” Not complying with the Directive will not only affect you from a regulatory standpoint, but will also put your facilities and assets at risk of theft and damage from serious security threats.
Understanding the Controlled Drugs and Substances Act
While the Directive imposes extensive requirements on your pharmaceutical lab operations, it’s important to understand that security must always be at the core of your planning.
Seeing that Canada exported nearly $9 billion in pharmaceutical goods in 2017, it would follow that pharmaceutical companies would prioritize protecting their valuable business assets from theft or damage. However, should your lab suffer a breach – especially as a result of a security vulnerability – then you (and many others) could be prone to other significant risks.
The Government’s Priorities
With the CDSA and the Directive, the Canadian government is trying to maintain public health and safety by restricting access to controlled substances.
For example, the Directive’s security requirements are meant to prevent public exposure to harmful chemicals, bacteria and viruses that can emerge from pharmaceutical labs. This is a genuine threat as exposure is known to occur in other places, such as the UK (where a lab’s improper access controls resulted in the bacteria Shigella being exposed to the public).
Likewise, Health Canada’s calls for access controls, visual monitoring and other measures are intended to deter criminal activity over those substances. Security requirements vary between each substance; Health Canada has defined 11 security levels in the Directive.
Consequences for Non-Compliance
Failing to comply with the CDSA and the Directive can have several consequences, ranging from regulatory issues with the government to critical security vulnerabilities.
Risk of Losing Licenses and Permits
Firstly, not complying with the CDSA and Directive will stop you from attaining and retaining the necessary permits to manage and trade controlled substances. For example, legal commercial marijuana producers in Canada must comply with the Access to Cannabis for Medical Purposes Regulations (ACMPR) in order to operate.
If pharmaceutical labs, biotech companies and pharmacies fail to demonstrate their compliance with Health Canada’s Directive, they cannot operate in Canada (or, if they stop complying, are at severe risk of being penalized and/or shuttered).
Loss of Reputation
Besides regulatory challenges, not complying with the Directive would essentially mean putting your lab operations at severe risk from security threats, such as intrusion and theft. Health Canada designed the Directive to ensure that you equip your lab to prevent illicit activity by deterring and, if need be, neutralizing it using today’s security technology.
However, with a weak security system, you could be at risk of suffering from intrusion, robbery and/or internal theft. Be it the theft of your lab’s assets – such as its proprietary research or its intellectual property (IP) – or public exposure to harmful substances, your lab will ultimately be held responsible for the outcome by a number of parties.
For example, your reputation could suffer, resulting in prospective shareholders walking away, future talent overlooking your company or difficulties gaining additional licenses, permits and/or approvals for your products. Any one (or several) of these will affect your business operations.
Loss of Assets
Finally, intrusion and theft will result in losses that you will have to deal with down the line, and that will simply add to your costs. Recovering from the loss of IP, damage to your facilities and technology and other assets is far from low-cost in most cases.
In terms of security vulnerabilities, weaknesses can be present in a number of areas, ranging from a lack of visual monitoring systems covering the entire facility to limited access control systems (e.g. biometric authentication, key codes, etc.).
Insufficient Visual Monitoring
Typically, organizations achieve visual monitoring by installing closed-circuit television (CCTV) networks at installations. Some installations will not have CCTV in each of the relevant places, especially in shipping/receiving or other areas where outsiders enter and exit the premises.
However, not only should you have enough of a CCTV presence, but the footage must also be both recoverable and of acceptable quality for later use by law enforcement.
Weak or Incorrectly Implemented Access Controls
Biometric authentication, key codes and swipe cards are essential for restricting access to specific areas from non-authorized persons. However, some installations can suffer from a combination of poorly implemented access control systems and poor user processes.
For example, certain areas might not have sufficient access control measures, thus enabling non-authorized personnel to contaminate research assets or access controlled substances.
Alternatively, your staff might be in the habit of sharing their swipe cards or key codes with one another. This is poor operational practice and would place your facility at elevated risk of a breach, be it internally or from outside.
Intruder Detection Without Monitoring & Response
During an intrusion, your intruder detection system should trigger an alert to law-enforcement, enabling the police to act as first-responders at your lab.
Some facilities retain only passive systems, with an alarm that does little besides alerting their security staff. This is not optimal and exposes the lab to a breach.
Rather, a complete security system would adopt an active approach where it would have professional security experts on-hand to monitor the detection system (especially at night, weekends and holidays).
Complex Supply Chain
In pharmaceutical companies with multiple facilities, particularly where controlled substances are transported as part of a complex logistics or supply network, asset tracking could also be a requirement. Theft or pilfering could occur in transit, thus necessitating the use of RFID (radio-frequency identification) chips to track the location of your assets.
Mitigate Your Risks
Be it determining the current state of your pharmaceutical lab’s security system or installing a new system entirely, the correct way to start is by contacting a professional security company.
Health Canada details 11 distinct security levels for controlled substances. However, selecting the right level and matching that with a specific lab’s security requirements, which are shaped by its location and other factors, requires experience and expertise.
A professional security company will bring experience from the pharmaceutical sector to fully identify the risks posed to your facility and secure effective measures for shielding your lab.
The foundation of an effective security system is the scope. You must identify the security level Health Canada requires you to adhere to and plan accordingly.
The next step is to undertake a thorough risk analysis. The threats posed to your lab depend on your lab’s location, its controlled substances, its sub-industry (in pharmaceuticals) and an array of other factors that can only be determined through security experience and expertise.
Design & Implementation
Once you have identified the threats posed to your lab, you must select the appropriate security systems – e.g. CCTV, biometric authentication and intrusion detection system – for your facility.
Health Canada outlines several system design concepts, but the Rings of Protection Concept is the most applicable to pharmaceutical labs. Under the Rings of Protection Concept, your goal is to construct “various rings or barriers of protection around the items being protected.”
In other words, the objective is to establish as many obstacles as possible between your assets (e.g. IP and controlled substances) and the threat through visual monitoring (deterrence), access controls (for restricting access) and intrusion detection (for effective first-response to an incident).
To correctly design and implement your security system – i.e. to ensure that your pharmaceutical lab is free of inherent vulnerabilities – a professional security company’s services are essential.
Not only will you have the benefit of leveraging years of experience, but a security firm will also bring experience drawn from other real-world cases. You will benefit from the lessons learned by others and incorporate best practices (including user training and processes) into your system.
Logixx Security brings over 47 years of experience designing and implementing security systems in the pharmaceutical industry. We leverage partnerships with the security industry’s top vendors and complete competency in compliance matters to ensure that your pharmaceutical lab is shielded from all threats and regulatory obstacles.
Contact us today to see how we have supported pharmaceutical companies aligning their security systems with regulatory mandates and industry best practices.