Chapter 6: Principles of Laboratory Biosecurity
Since the publication of the 4th edition of BMBL manual in 1999, significant events have brought national and international scrutiny to the area of laboratory security. These events, including the anthrax attacks on U.S. citizens in October 2001 and the subsequent expansion of the United States Select Agent regulations in December 2003, have led scientists, laboratory managers, security specialists, biosafety professionals, and other scientific and institutional leaders to consider the need for developing, implementing and/or improving the security of biological agents and toxins within their facilities. Appendix F of BMBL 4th edition provided a brief outline of issues to consider in developing a security plan for biological agents and toxins capable of serious or fatal illness to humans or animals. In December 2002, Appendix F was updated and rereleased as a security and emergency response guidance for laboratories working with Select Agents. A further updated and revised Appendix F is included in the 5th edition of BMBL and is focused exclusively on Select Agent Laboratories and includes current references for the USDA and CDC Select Agent Programs.
This chapter describes laboratory biosecurity planning for microbiological laboratories. As indicated below, laboratories with good biosafety programs already fulfill many of the basic requirements for security of biological materials. For laboratories not handling select agents, the access controls and training requirements specified for BSL-2 and BSL- 3 in BMBL may provide sufficient security for the materials being studied. Security assessments and additional security measures should be considered when select agents, other agents of high public health and agriculture concern, or agents of high commercial value such as patented vaccine candidates, are introduced into the laboratory.
The recommendations presented in this chapter are advisory. Excluding the Select Agent Regulations, there is no current federal requirement for the development of a biosecurity program. However, the application of these principles and the assessment process may enhance overall laboratory management. Laboratories that fall under the Select Agent regulations should consult Chapter 14 (42 CFR part 73; 7 CFR 331 and 9 CFR 121).
The term “biosecurity” has multiple definitions. In the animal industry, the term biosecurity relates to the protection of an animal colony from microbial contamination. In some countries, the term biosecurity is used in place of the term biosafety. For the purposes of this chapter the term “biosecurity” will refer to the protection of microbial agents from loss, theft, diversion or intentional misuse. This is consistent with current WHO and American Biological Safety Association (ABSA) usage of this term.
Security is not a new concept in biological research and medical laboratories. Several of the security measures discussed in this chapter are embedded in the biosafety levels that serve as the foundation for good laboratory practices throughout the biological laboratory community.
Most biomedical and microbiological laboratories do not have select agents or toxins, yet maintain control over and account for research materials, protect relevant sensitive information, and work in facilities with access controls commensurate with the potential public health and economic impact of the biological agents in their collections. These measures are in place in most laboratories that apply good laboratory management practices and have appropriate biosafety programs.
The objective of biosecurity is to prevent loss, theft or misuse of microorganisms, biological materials, and research-related information. This is accomplished by limiting access to facilities, research materials and information. While the objectives are different, biosafety and biosecurity measures are usually complementary.
Biosafety and biosecurity programs share common components. Both are based upon risk assessment and management methodology; personnel expertise and responsibility; control and accountability for research materials including microorganisms and culture stocks; access control elements, material transfer documentation, training, emergency planning, and program management.
Biosafety and biosecurity program risk assessments are performed to determine the appropriate levels of controls within each program. Biosafety looks at appropriate laboratory procedures and practices necessary to prevent exposures and occupationally acquire infections, while biosecurity addresses procedures and practices to ensure that biological materials and relevant sensitive information remain secure.
Both programs assess personnel qualifications. The biosafety program ensures that staff are qualified to perform their jobs safely through training and documentation of technical expertise. Staff must exhibit the appropriate level of professional responsibility for management of research materials by adherence to appropriate materials management procedures. Biosafety practices require laboratory access to be limited when work is in progress. Biosecurity practices ensure that access to the laboratory facility and biological materials are limited and controlled as necessary. An inventory or material management process for control and tracking of biological stocks or other sensitive materials is also a component of both programs. For biosafety, the shipment of infectious biological materials must adhere to safe packaging, containment and appropriate transport procedures, while biosecurity ensures that transfers are controlled, tracked and documented commensurate with the potential risks. Both programs must engage laboratory personnel in the development of practices and procedures that fulfill the biosafety and biosecurity program objectives but that do not hinder research or clinical/diagnostic activities. The success of both of these programs hinges on a laboratory culture that understands and accepts the rationale for biosafety and biosecurity programs and the corresponding management oversight.
In some cases, biosecurity practices may conflict with biosafety practices, requiring personnel and management to devise policies that accommodate both sets of objectives. For example, signage may present a conflict between the two programs. Standard biosafety practice requires that signage be posted on laboratory doors to alert people to the hazards that may be present within the laboratory. The biohazard sign normally includes the name of the agent, specific hazards associated with the use or handling of the agent and contact information for the investigator. These practices may conflict with security objectives. Therefore, biosafety and biosecurity considerations must be balanced and proportional to the identified risks when developing institutional policies.
Designing a biosecurity program that does not jeopardize laboratory operations or interfere with the conduct of research requires a familiarity with microbiology and the materials that require protection. Protecting pathogens and other sensitive biological materials while preserving the free exchange of research materials and information may present significant institutional challenges. Therefore, a combination or tiered approach to protecting biological materials, commensurate with the identified risks, often provides the best resolution to conflicts that may arise. However, in the absence of legal requirements for a biosecurity program, the health and safety of laboratory personnel and the surrounding environment should take precedence over biosecurity concerns.
- establishes which, if any, agents require biosecurity measures to prevent loss, theft, diversion, or intentional misuse
- ensures that the protective measures provided, and the costs associated with that protection, are proportional to the risk
The need for a biosecurity program should be based on the possible impact of the theft, loss, diversion, or intentional misuse of the materials, recognizing that different agents and toxins will pose different levels of risk. Resources are not infinite. Biosecurity policies and procedures should not seek to protect against every conceivable risk. The risks need to be identified, prioritized and resources allocated based on that prioritization. Not all institutions will rank the same agent at the same risk level. Risk management methodology takes into consideration available institutional resources and the risk tolerance of the institution.
Developing a Biosecurity Program
Management, researchers and laboratory supervisors must be committed to being responsible stewards of infectious agents and toxins. Development of a biosecurity program should be a collaborative process involving all stakeholders. The stakeholders include but are not be limited to: senior management, scientific staff, human resource officials, information technology staff, and safety, security and engineering officials. The involvement of organizations and/or personnel responsible for a facility’s overall security is critical because many potential biosecurity measures may already be in place as part of an existing safety or security program. This coordinated approach is critical in ensuring that the biosecurity program provides reasonable, timely and cost effective solutions addressing the identified security risks without unduly affecting the scientific or business enterprise or provision of clinical and/or diagnostic services.
The need for a biosecurity program should reflect sound risk management practices based on a site-specific risk assessment. A biosecurity risk assessment should analyze the probability and consequences of loss, theft and potential misuse of pathogens and toxins. Most importantly, the biosecurity risk assessment should be used as the basis for making risk management decisions.
Example Guidance: A Biosecurity Risk Assessment and Management Process
Different models exist regarding biosecurity risk assessment. Most models share common components such as asset identification, threat, vulnerability and mitigation. What follows is one example of how a biosecurity risk assessment may be conducted. In this example, the entire risk assessment and risk management process may be divided into five main steps, each of which can be further subdivided:
- identify and prioritize biologicals and/or toxins
- identify and prioritize the adversary/threat to biologicals and/or toxins
- analyze the risk of specific security scenarios
- design and develop an overall risk management program
- regularly evaluate the institution’s risk posture and protection objectives
Example guidance for these five steps is provided below.
- Identify the biological materials that exist at the institution, form of the material, location and quantities, including non-replicating materials (i.e., toxins).
- Evaluate the potential for misuse of these biologic materials.
- Evaluate the consequences of misuse of these biologic materials.
- Prioritize the biologic materials based on the consequences of misuse (i.e., risk of malicious use).
At this point, an institution may find that none of its biologic materials merit the development and implementation of a separate biosecurity program or the existing security at the facility is adequate. In this event, no additional steps would need to be completed.
- Identify the types of “Insiders” who may pose a threat to the biologic materials at the institution.
- Identify the types of “Outsiders” (if any) who may pose a threat to the biologic materials at the institution.
- Evaluate the motive, means, and opportunity of these various potential adversaries.
- Develop a list of possible biosecurity scenarios, or undesired events that could occur at the institution (each scenario is a combination of an agent, an adversary, and an action). Consider:
- access to the agent within your laboratory;
- how the undesired event could occur;
- protective measures in place to prevent occurrence;
- how the existing protection measures could be breached (i.e., vulnerabilities).
- Evaluate the probability of each scenario materializing (i.e., the likelihood) and its associated consequences. Assumptions include:
- although a wide range of threats are possible, certain threats are more probable than others;
- all agents/assets are not equally attractive to an adversary;
- valid and credible threats, existing precautions, and the potential need for select enhanced precautions are considered.
- Prioritize or rank the scenarios by risk for review by management.
- Management commits to oversight, implementation, training and maintenance of the biosecurity program.
- Management develops a biosecurity risk statement, documenting which biosecurity scenarios represent an unacceptable risk and must be mitigated versus those risks appropriately handled through existing protection controls.
- Management develops a biosecurity plan to describe how the institution will mitigate those unacceptable risks including:
- a written security plan, standard operating procedures, and incident response plans;
- written protocols for employee training on potential hazards, the biosecurity program and incident response plans.
- Management ensures necessary resources to achieve the protection measures documented in the biosecurity plan.
- Management regularly reevaluates and makes necessary modifications to the:
- biosecurity risk statement
- biosecurity risk assessment process
- the institution’s biosecurity program/plan
- the institution’s biosecurity systems
- Management assures the daily implementation, training and annual re-evaluation of the security program.
Access should be limited to authorized and designated employees based on the need to enter sensitive areas. Methods for limiting access could be as simple as locking doors or having a card key system in place. Evaluations on the levels of access should consider all facets of the laboratory’s operations and programs (e.g., laboratory entrance requirements, freezer access, etc.). The need for entry by visitors, laboratory workers, management officials, students, cleaning/maintenance staff and emergency response personnel should be considered.
It is important to emphasize that microbiological agents are capable of replication and are often expanded to accommodate the nature of the work involving their use. Therefore, knowing the exact “working” quantity of organisms at any given time may be impractical. Depending on the risks associated with a pathogen or toxin, management can designate an accountable individual who is knowledgeable about the materials in use and responsible for security of the materials under his or her control.
The objective of an information security program is to protect information from unauthorized release and ensure that the appropriate level of confidentiality is preserved. Facilities should develop policies that govern the identification, marking and handling of sensitive information. The information security program should be tailored to meet the needs of the business environment, support the mission of the organization, and mitigate the identified threats. It is critical that access to sensitive information be controlled. Policies for properly identifying and securing sensitive information including electronic files and removable electronic media (e.g., CDs, computer drives, etc.) should be developed.