|
Laboratory Security and Emergency
Response Guidance for Laboratories Working with Select Agents
Prepared by Jonathan Y. Richmond, Ph.D.1 Shanna L.
Nesby-O'Dell, D.V.M.2 1Office of the
Director Office of Health and Safety (Retired) 2Office of
the Director Office of Health and Safety
The material in this report originated in the Office of
Health and Safety, Robert H. Hill, Jr., Ph.D., Acting
Director.
Summary
In recent years, concern has increased regarding use of biologic
materials as agents of terrorism, but these same agents are often
necessary tools in clinical and research microbiology laboratories.
Traditional biosafety guidelines for laboratories have emphasized use of
optimal work practices, appropriate containment equipment, well-designed
facilities, and administrative controls to minimize risk of worker injury
and to ensure safeguards against laboratory contamination.
The guidelines discussed in this report were first published in
1999 (U.S. Department of Health and Human Services/CDC and National
Institutes of Health. Biosafety in microbiological and biomedical
laboratories [BMBL]. Richmond JY, McKinney RW, eds. 4th ed.
Washington, DC: US Department of Health and Human Services, 1999 [Appendix
F]). In that report, physical security concerns were addressed, and
efforts were focused on preventing unauthorized entry to laboratory areas
and preventing unauthorized removal of dangerous biologic agents from the
laboratory. Appendix F of BMBL is now being revised to include additional
information regarding personnel, risk assessments, and inventory controls.
The guidelines contained in this report are intended for laboratories
working with select agents under biosafety-level 2, 3, or 4 conditions as
described in Sections II and III of BMBL. These recommendations include
conducting facility risk assessments and developing comprehensive security
plans to minimize the probability of misuse of select agents.
Risk assessments should include systematic, site-specific reviews of 1)
physical security; 2) security of data and electronic technology systems;
3) employee security; 4) access controls to laboratory and animal areas;
5) procedures for agent inventory and accountability; 6) shipping/transfer
and receiving of select agents; 7) unintentional incident and injury
policies; 8) emergency response plans; and 9) policies that address
breaches in security. The security plan should be an integral part of
daily operations. All employees should be well-trained and equipped, and
the plan should be reviewed annually, at least.
Introduction
Traditional laboratory biosafety guidelines have emphasized use of
optimal work practices, appropriate containment equipment, well-designed
facilities, and administrative controls to minimize risks of unintentional
infection or injury for laboratory workers and to prevent contamination of
the outside environment (1). Although clinical and research
microbiology laboratories might contain dangerous biologic, chemical, and
radioactive materials, to date, only a limited number of reports have been
published of materials being used intentionally to injure laboratory
workers or others (2--7). However, recently, concern has increased
regarding possible use of biologic, chemical, and radioactive materials as
terrorism agents (8,9). In the United States, recent terrorism
incidents (10) have resulted in the substantial enhancement of
existing regulations and creation of new regulations governing laboratory
security to prevent such incidents.
The Public Health Security and Bioterrorism Preparedness and Response
Act of 2002* (the Act) required institutions to notify the U.S. Department
of Health and Human Services (DHHS) or the U.S. Department of Agriculture
(USDA) of the possession of specific pathogens or toxins (i.e., select
agents†), as defined by DHHS, or certain animal and plant
pathogens or toxins (i.e., high-consequence pathogens), as defined by
USDA. The Act provides for expanded regulatory oversight of these agents
and a process for limiting access to them to persons who have a legitimate
need to handle or use such agents. The Act also requires specified federal
agencies to withhold from public disclosure, among other requirements,
site-specific information regarding the identification of persons, the
nature and location of agents present in a facility, and the local
security mechanisms in use. In addition, the Uniting and Strengthening
America by Providing Appropriate Tools Required To Intercept and Obstruct
Terrorism (USA PATRIOT) Act of 2001§ prohibits restricted
persons from shipping, possessing, or receiving select agents. Violation
of either of these statutes carries criminal penalties.
Appendix F of the 4th edition of the CDC/National Institutes
of Health, Biosafety in Microbiological and Biomedical Laboratories (BMBL)
was the first edition to address laboratory security concerns (1).
However, that publication primarily addressed physical security concerns
(e.g., preventing unauthorized entry to laboratory areas and preventing
unauthorized removal of dangerous biologic agents from the laboratory).
The guidelines presented here are provided to assist facility managers
with meeting the regulatory mandate of 42 Code of Federal Regulation (CFR)
73 and, therefore, include information regarding personnel, risk
assessments, and inventory controls. These guidelines are intended for
laboratories where select agents are used under biosafety levels (BSL) 2,
3, or 4 as described in Sections II and III of BMBL. Appendix F of BMBL is
being revised to include consideration of the following biosecurity
policies and procedures:
- risk and threat assessment;
- facility security plans;
- physical security;
- data and electronic technology systems;
- security policies for personnel;
- policies regarding accessing the laboratory and animal areas;
- specimen accountability;
- receipt of agents into the laboratory;
- transfer or shipping of select agents from the laboratory;
- emergency response plans; and
- reporting of incidents, unintentional injuries, and security
breaches.
Definitions
Biosafety: Development and implementation of administrative
policies, work practices, facility design, and safety equipment to prevent
transmission of biologic agents to workers, other persons, and the
environment.
Biosecurity: Protection of high-consequence microbial agents and
toxins, or critical relevant information, against theft or diversion by
those who intend to pursue intentional misuse.
Biologic Terrorism: Use of biologic agents or toxins (e.g.,
pathogenic organisms that affect humans, animals, or plants) for terrorist
purposes.
Responsible official: A facility official who has been
designated the responsibility and authority to ensure that the
requirements of Title 42, CFR, Part 73, are met.
Risk: A measure of the potential loss of a specific biologic
agent of concern, on the basis of the probability of occurrence of an
adversary event, effectiveness of protection, and consequence of loss.
Select agent: Specifically regulated pathogens and toxins as
defined in Title 42, CFR, Part 73, including pathogens and toxins
regulated by both DHHS and USDA (i.e., overlapping agents or toxins).
Threat: The capability of an adversary, coupled with intentions,
to undertake malevolent actions.
Threat assessment: A judgment, based on available information,
of the actual or potential threat of malevolent action.
Vulnerability: An exploitable capability, security weakness, or
deficiency at a facility. Exploitable capabilities or weaknesses are those
inherent in the design or layout of the biologic laboratory and its
protection, or those existing because of the failure to meet or maintain
prescribed security standards when evaluated against defined threats.
Vulnerability assessment: A systematic evaluation process in
which qualitative and quantitative techniques are applied to arrive at an
effectiveness level for a security system to protect biologic laboratories
and operations from specifically defined acts that can oppose or harm a
person's interest.
Risk Assessment
Recommendation: Conduct a risk assessment and threat analysis of
the facility as a precursor to the security plan.
Background: In April 1998, the General Accounting Office issued
a report regarding terrorism (11). A key finding of that report was
that threat and risk assessments are widely recognized as valid
decision-support tools for establishing and prioritizing security program
requirements. A threat analysis, the first step in determining risk,
identifies and evaluates each threat on the basis of different factors
(e.g., the capability and intent to attack an asset, the likelihood of a
successful attack, and the attack's probable lethality). Risk management
is the deliberate process of understanding risk (i.e., the likelihood that
a threat will harm an asset with certain severity of consequences) and
deciding on and implementing actions to reduce that risk. Risk management
principles are based on acknowledgment that 1) although risk usually
cannot be eliminated, it can be reduced by enhancing protection from
validated and credible threats; 2) although threats are possible, certain
threats are more probable than others; and 3) all assets are not equally
critical. Therefore, each facility should implement certain measures to
enhance security regarding select agents. The following actions should
assist decision-makers in implementing this recommendation:
- Each facility should conduct a risk assessment and threat analysis
of its assets and select agents. The threat should be defined against
the vulnerabilities of the laboratory to determine the necessary
components of a facility security plan and system (12,13).
- The risk assessment should include a systematic approach in which
threats are defined and vulnerabilities are examined; risks associated
with those vulnerabilities are mitigated with a security systems
approach (12,13).
- Ensure the security plan includes collaboration between senior
management, scientific staff, human resource officials, information
technology (IT) staff, engineering officials, and security officials.
This coordinated approach is critical to ensuring that security
recommendations provide a reasonable and adequate assurance of
laboratory security without unduly impacting the scientific work.
Facility Security Plans
Recommendation: Establish a facility security plan.
- Each facility should develop a comprehensive security plan that
complies with 42 CFR Part 73 and reviews the need for policies in
---
physical security; --- data and IT system security; --- security
policies for personnel; --- policies for accessing select agent
areas; --- specimen accountability; --- receipt of select agents
into the laboratory; --- transfer or shipping of select agents from
the laboratory; --- emergency response plans; and --- reporting of
incidents, injuries, and breaches.
- Develop security policies based on site-specific assessments.
Security plans should include measures that address physical security of
building and laboratory areas. Policies should also address concerns
associated with access, use, storage, and transfer of sensitive data. If
sensitive electronic data are present, IT specialists should assess the
security of hardware and software products in addition to the security
of local area networks.
- Review safety, security, and IT policies and procedures at least
annually for consistency and applicability. These procedures should also
be reviewed after any incident or change in regulations. Necessary
changes should be incorporated into the revised plans and communicated
to all.
- Laboratory supervisors should ensure that all laboratory workers and
visitors understand security requirements and that all employees are
trained and equipped to follow established procedures. The security plan
should be an integral part of daily operations. New employees should
receive training when they first begin work, and all employees should
receive training at least annually thereafter. Training should be
updated as policies and procedures change. All training should be
documented by maintaining records of training schedules and employee
attendance.
- Security plans should receive periodic performance testing to
determine their effectiveness. Test procedures can vary from a simple
check of keys, locks, and alarms to a full-scale laboratory or facility
exercise.
Security Policies for
Personnel
Recommendation: Establish security-related policies for all
personnel.
- Honest, reliable, and conscientious workers represent the foundation
of an effective security program. Facility administrators and laboratory
directors should be familiar with all laboratory workers.
- Establish a policy for screening employees who require access to
select agent areas to include full- and part-time employees,
contractors, emergency personnel, and visitors. Additional screening
might be necessary for employees who require access to other types of
sensitive or secure data and work areas. These screening procedures
should be commensurate with the sensitivity of the data and work areas
(e.g., federal security clearances for government employees and
contractors).
- Ensure that all workers approved for access to select agents (e.g.,
students, research scientists, and other short-term employees) wear
visible identification badges that include, at a minimum, a photograph,
the wearer's name, and an expiration date. Facility administrators
should consider using easily recognizable marks on the identification
badges to indicate access to sensitive or secure areas.
Access Control
Recommendation: Control access to areas where select agents
are used or stored.
- Consolidate laboratory work areas to the greatest extent possible to
implement security measures more effectively. Separate select agent
areas from the public areas of the buildings. Lock all select agent
areas when unoccupied. Use keys or other security devices to permit
entry into these areas.
- Methods of secure access and monitoring controls can include key or
electronic locking pass keys, combination key pad, use of lock-boxes to
store materials in freezers or refrigerators, video surveillance
cameras, or other control requirements. Protocols for periodically
changing combination keypad access numbers should be developed.
- Assess the need for graded levels of security protection on the
basis of site-specific risk and threat analysis. This security can be
accomplished through card access systems, biometrics, or other systems
that provide restricted access.
- Lock all freezers, refrigerators, cabinets, and other containers
where select agents are stored when they are not in direct view of a
laboratory worker.
- Limit access to select agent areas to authorized personnel who have
been cleared by the U.S. Department of Justice as indicated in 42 CFR
Part 73. All others entering select agent areas must be escorted and
monitored by authorized personnel.
- Record all entries into these areas, including entries by visitors,
maintenance workers, service workers, and others needing one-time or
occasional entry.
- Limit routine cleaning, maintenance, and repairs to hours when
authorized employees are present and able to serve as escorts and
monitors.
- Establish procedures and training for admitting repair personnel or
other contractors who require repetitive or emergency access to select
agent areas.
- Ensure visitors are issued identification badges, including name and
expiration date, and escorted and monitored into and out of select agent
areas. Such visits should be kept to a minimum.
- Ensure procedures are in place for reporting and removing
unauthorized persons. These procedures should be developed through
collaboration among senior scientific, administrative, and security
management personnel. These procedures should be included in security
training and reviewed for compliance at least annually.
Select Agent
Accountability
Recommendation: Establish a system of accountability for
select agents.
- Establish an accounting procedure to ensure adequate control of
select agents and maintain up-to-date inventory of seed stocks, toxins,
and agents in long-term storage. Records should include data regarding
the agent's location, use, storage method, inventory, external transfers
(sender/receiver, transfer date, and amount), internal transfer
(sender/receiver, transfer date, amount), further distribution, and
destruction (method, amount, date, and a point of contact).
- Establish procedures that maintain accurate and up-to-date records
of authorizations for entry into limited access areas (i.e., a current
list of persons who possess door keys and those who have knowledge of
keypad access numbers or the security system).
Receiving Select
Agents
Recommendation: Develop procedures for bringing select agent
specimens into the laboratory.
- A centralized receiving area for select agents is recommended to
maximize safety and minimize security hazards associated with damaged or
unknown packages.
- Facilities should establish procedures for inspecting all packages
(i.e., by visual or noninvasive techniques) before they are brought into
the laboratory area. Suspicious packages should be handled as prescribed
by federal and state law enforcement agencies.
- Biologic safety cabinet or other appropriate containment device
should be used when opening packages containing specimens, bacterial or
virus isolates, or toxins. Packages should be opened by trained,
authorized personnel.
Transfer or Shipping of Select
Agents
Recommendation: Develop procedures for transferring or
shipping select agents from the laboratory.
- Package, label, and transport select agents in conformance with all
applicable local, federal, and international transportation and shipping
regulations, including U.S. Department of Transportation (DOT)
regulations.¶ Materials that are transported by airline
carrier should also comply with packaging and shipping regulations set
by the International Air Transport Association (IATA). Personnel who
package, handle, and ship these agents (including import and export)
should be subject to all applicable training. The responsible facility
official should be notified of all select agent transfers, internal or
external.
- Ensure required permits (e.g., granted by the U.S. Public Health
Service, USDA, DOT, U.S. Department of Commerce, and IATA) are obtained
before select agents are prepared for transport. Standard operating
procedures should be in place for import and export activities.
- Decontaminate contaminated or possibly contaminated materials before
they leave the laboratory area.
- Avoid hand-carrying select agents when transferring them to other
external facilities. If select agents are to be hand-carried on common
carriers, all applicable packaging, transport, and training regulations
should be followed.
- Develop and follow a protocol for intrafacility transfer of all
select agents.
Emergency Response
Plans
Recommendation: Implement an emergency response plan.
- Limiting access to select agent laboratory and animal areas can make
implementing an emergency response more difficult. This should be
considered as emergency plans are developed.
- Evaluate select agent laboratory and animal areas for safety and
security concerns before an emergency plan is developed.
- Develop and integrate laboratory emergency plans with facilitywide
plans. These plans should also include such adverse event assessments as
bomb threats, severe weather (e.g., hurricanes or floods), earthquakes,
power outages, and other natural or man-made disasters.
- Include facility administrators, scientific directors, principal
investigators, laboratory workers, maintenance and engineering support
staff, facility safety officers, and facility security officials in
emergency planning.
- Include provisions for immediate notification of and response by
laboratory and animal directors, laboratory workers, safety office
personnel, or other knowledgeable persons when an emergency occurs.
- Establish advance coordination with local police, fire, and other
emergency responders to assist community emergency responders in
planning for emergencies in select agent laboratory and animal areas.
Discussion should address security concerns associated with sharing of
sensitive information regarding secure work areas.
- Consider circumstances that might require the emergency relocation
of select agents to another secure location.
- Reevaluate and train employees and conduct exercises of the
emergency response plan at least annually.
Incident Reporting
Recommendation: Establish a protocol for reporting adverse
incidents.
- Ensure that laboratory directors, in cooperation with facility
safety, security, and public relations officials, have policies and
procedures in place for reporting and investigating unintentional
injuries, incidents (e.g., unauthorized personnel in restricted areas,
missing biologic agents or toxins, and unusual or threatening phone
calls), or breaches in security measures.
- DHHS or USDA should be notified immediately if select agents are
discovered to be missing, released outside the laboratory, involved in
worker exposures or infections, or misused. Additionally, all incidents
involving select agents (e.g., occupational exposure or breaches of
primary containment) should be reported to local and state public health
authorities.
Acknowledgments
CDC is grateful to the members of the Select Agent Interagency
Workgroup, Biosecurity Subcommittee, and recognizes the contributions of
Rachel E. Levinson, M.A., Chairman Biosecurity Subcommittee and Jonathan
Y. Richmond, Ph.D., Assistant Chairman, Biosecurity Subcommittee.
References
- US Department of Health and Human Services/CDC and National
Institutes of Health. Biosafety in microbiological and biomedical
laboratories. Richmond JY, McKinney RW, eds. 4th ed.
Washington, DC: US Department of Health and Human Services, 1999.
- Török TJ, Tauxe RV, Wise RP, et al. Large community outbreak of
salmonellosis caused by intentional contamination of restaurant salad
bars. JAMA 1997;278:389--95.
- Kolavic SA, Kimura A, Simons SL, Slutsker L, Barth S, Haley CE.
Outbreak of Shigella dysenteriae type 2 among laboratory workers
due to intentional food contamination. JAMA 1997;278:396--8.
- US Nuclear Regulatory Commission. Report to Congress on abnormal
occurrences July--September 1995; dissemination of information. Federal
Register 1996;61:7123--4.
- US Nuclear Regulatory Commission. Incident investigation report:
ingestion of phosphorus-32 at Massachusetts Institute of Technology,
Cambridge, Massachusetts, identified on August 19, 1995 [NUREG-1535].
Washington, DC: US Nuclear Regulatory Commission, 1995.
- US Nuclear Regulatory Commission. Preliminary notification of event
or unusual occurrence PNO-1-98-052. Subject: intentional ingestion of
iodine-125 tainted food (Brown University), November 16, 1998.
Washington, DC: US Nuclear Regulatory Commission, 1998.
- US Nuclear Regulatory Commission. National Institutes of Health
issuance of director's decision under 10 CFR Sec. 2.206. Federal
Register 1997;62:50018--33.
- Atlas RM. Biological weapons pose challenge for microbiology
community. ASM News 1998;64:383--9.
- Ruys T. Laboratory design principles. In: Handbook of facilities
planning. Ruys T, ed. New York, NY: John Wiley & Sons, 1990;257--64.
- CDC. Update: investigation of anthrax associated with intentional
exposure and interim public health guidelines, October 2001. MMWR
2001;50:889--93.
- US General Accounting Office. Combating terrorism: threat and risk
assessments can help prioritize and target program investments.
Washington, DC: US General Accounting Office, 1998. Publication no.
GAO/NSIAD-98-74.
- Johnson B. Understanding, assessing, and communicating topics
related to risk in biomedical research facilities [Chapter 10]. In:
Richmond JY, ed. Anthology of biosafety: IV. Issues in public health.
Mundelein, IL: American Biological Safety Association, 2001;149--166.
- Royes C, Johnson B. Security considerations for microbiological and
biomedical facilities [Chapter 6]. In: Richmond JY, ed. Anthology of
biosafety: V. BSL--4 laboratories. Mundelein, IL: American Biological
Safety Association, 2002;131--148.
* Public Law 107--188, June 12, 2002.
† Throughout this report, the term select agent
refers to specifically regulated pathogens and toxins as defined in Title
42, Code of Federal Regulations (CFR), Part 73, including pathogens and
toxins regulated by both DHHS and USDA (i.e., overlapping agents and
toxins). The reader should note that 42 CFR Part 73 has not been published
yet, and is still under federal review with anticipated publication in
December 2002.
§ Public Law 107--56, October 26, 2001.
¶ U.S. Department of Transportation, Research and Special
Programs Administration, 49 CFR, Parts 171--180.
Use of trade names and commercial sources is for
identification only and does not imply endorsement by the U.S.
Department of Health and Human Services.
References to non-CDC sites on the Internet are provided as a
service to MMWR readers and do not constitute or imply
endorsement of these organizations or their programs by CDC or the
U.S. Department of Health and Human Services. CDC is not responsible
for the content of pages found at these sites. URL addresses listed
in MMWR were current as of the date of publication.
|
All MMWR HTML versions of articles are electronic
conversions from ASCII text into HTML. This conversion may have resulted
in character translation or format errors in the HTML version. Users
should not rely on this HTML document, but are referred to the electronic
PDF version and/or the original MMWR paper copy for the official
text, figures, and tables. An original paper copy of this issue can be
obtained from the Superintendent of Documents, U.S. Government Printing
Office (GPO), Washington, DC 20402-9371; telephone: (202) 512-1800.
Contact GPO for current prices. **Questions or messages
regarding errors in formatting should be addressed to mmwrq@cdc.gov.
Page converted:
11/20/2002 |
|