Security Planning for the Pharmaceutical Industry

Aug. 11, 2011
Far-flung enterprises and stringent regulations create a challenge for security executives

Over the past few decades, no other business segment has faced as many different types of external security threats as the Pharmaceutical industry — threats emanating from corporate espionage, product tampering, animal rights activism, organized crime and most recently, international terrorism.

Information gained through research and manufacturing techniques is the lifeblood of this industry. Espionage or theft of that information continues to be a real threat as competition is becoming more and more aggressive. Animal rights activists continue to fight for their cause using many different methods to create havoc, including the use of explosive devices. Terrorists may revert to sabotage by releasing toxic, flammable or explosive chemicals or by contamination of products.

These are chemicals or materials that if stolen have the potential to be used as or converted to weapons. Each one of these events could have the potential to create significant adverse consequences for human life and, in addition to loss of revenues, may also cause the pharmaceutical corporation's image to be damaged irreparably.

A Challenging Security Environment

The security practitioner in the pharmaceutical environment must plan for a wide range of potential security situations and scenarios, and develop and implement a suite of performance-based security measures commensurate with the identified risks for each critical facility.

Pharmaceutical corporations may have a presence in every corner of the world. They are typically comprised of many facilities — each planned and designed to provide a specific function. Corporate headquarters may be located on one continent with regional office buildings, manufacturing facilities, warehouses, distribution centers and research facilities strewn throughout the rest. Since each facility will present a unique set of threats, the security practitioner responsible for protecting the corporation's assets must be proactive with the ability to adopt non-conventional strategies that will neutralize those threats.

Controlling this environment from a security perspective requires knowledge of current and future physical and logical access needs, coupled with an understanding of the many regulations emanating from the FDA to the Department of Homeland Security (DHS) and possibly some international regulations as well. The DHS Chemical Facility Anti-Terrorism Standards (CFATS), which may also apply to pharmaceuticals, is a federal effort to increase security at high-risk facilities to minimize the potential for terrorists to gain access to dangerous chemicals.

Vulnerability assessments should be conducted annually at each facility to identify security requirements, and to develop and implement site-security plans with guidelines that address the physical security needs for each type of facility. Creating layers of security and placing the most critical assets within the most inner layer should be an important aspect of physical security planning for these type of facilities.

Access Control

The application of access control becomes a key instrument for developing layers of security for protecting the assets of a pharmaceutical corporation within each of its facilities. It is important to identify critical assets, such as: intellectual properties and products; high-profile targets which may include the corporate executives, managers and researchers; the data center with its associated infrastructure; and research labs and vivariums — and ensure they are located within those inner layers of protection.

The corporate headquarters office building can be provided with strict physical security measures starting at the outer security layer. Depending on the facility’s geographic location, the outer layer may be the sidewalk of a large metropolitan city or the parking lot of a suburban office complex.

Perimeter Security

If possible, maintaining a clear zone between surface parking and the building or the use of barriers and planters will protect the building from ramming. The application of video cameras in combination with video analytics at the perimeter of the building and the parking area can enable security personnel to detect unusual behavior such as movement in a no-man zone, erratic movement of pedestrians or vehicles, or abandoned objects.

Potential grade level intrusion points such as windows, emergency exit doors, utility, service and loading dock entrances should be identified and alarmed as part of that outer layer of security.

Manufacturing, warehouse, distribution centers and research facilities may be standalone buildings with defined perimeters or outer layers of security consisting of natural barriers or constructed obstacles that limit the movement of persons, animals, vehicles or materials. Natural barriers could include bodies of water, "living" fences (thorn bushes), marshes or other terrain that is difficult to traverse. A structural barrier physically and psychologically deters, discourages, delays and channels the flow of authorized traffic through entrances.

Since any perimeter barrier will only delay and not prevent an entry attempt, it should be supplemented with video surveillance that is enhanced with analytics. For critical research facilities that may have vivariums or storage facilities containing toxic, flammable or explosive chemicals, perimeter intrusion detection systems that monitor the entire length of the barrier should also be considered. Where local community ordinances do not permit adequate security lighting, infrared lighting should be used to supplement nighttime video surveillance. As an option, thermal imaging cameras can be deployed which can detect would-be intruders in total darkness.

The number of perimeter gates or entrances should be kept to a minimum consistent with the efficient operation of each facility. Card reader-controlled motorized vehicle gates or barrier arms located across the access road may be used to restrict unauthorized vehicles from gaining access to the site. For critical research or storage facilities or where there is a lot of expected commercial vehicular traffic such as at a distribution center, use of security officers stationed at a gate may be the best option for screening visitors and contractors and directing them to their destination. Performing an extensive vehicle check including undercarriage inspection with the use of video cameras may be required before permitting any trucks access to the loading docks or near storage areas containing any flammable or explosive chemicals.

Visitor Management

To aid in identification and processing of visitors, many corporations in this environment have implemented visitor management systems that reside on the corporate network. Enterprise-class visitor management provides the ability for registration, tracking, validating, reporting as well Web-based pre-registration by employees across the entire network. Facilities with a high volume of guests may have a visitor center in its lobby. Through the use of walk-through metal detectors and package x-ray systems, some of them have adopted the airport-type screening method for visitors.

The integration of visitor management with the building's access control system becomes necessary when guests are allowed access to a facility without escorts. Temporary visitor badges can be issued, which provide for limited access through card reader-controlled doors or lobby turnstiles and elevator access. A recent innovation called elevator destination control (typically found in new corporate facilities), will direct visitors (as they pass through the turnstiles) to a specified elevator cab which will automatically take them to their host's floor. In corporate office buildings or research facilities, individual floors may be secured through card access-controlled portals at their elevator lobbies, and — local fire codes permitting — at each floor's stairway.

For the larger and more populated facilities, a messenger drop-off center or mail room isolated on the ground level should be considered to eliminate unescorted messengers and outside delivery personnel from roaming the building. Packages and envelopes can be screened before being delivered by internal personnel. Packages destined for the research lab may have to go through an entire validation process rather than subjecting them to X-ray screening. Screening through an x-ray system may destroy biological matter or affect its efficacy and usability. After the anthrax scare which started in 2001, a number of pharmaceutical corporations have moved their mail room operations and messenger centers to off-site facilities to confine any potential contamination to a smaller controlled environment.

Laboratories and animal research facilities require stringent access control not only from a security perspective but also to ensure that these areas are maintained within a controlled environment. The revised 21 Code of Federal Regulations (CFR) Part 11 stipulated by the Food and Drug Administration (FDA) requires pharmaceutical manufacturers to provide greater production transparency through audit trails and access control functions. Some facilities have taken the next step and are using biometrics, such as fingerprint identification, either in smart cards featuring embedded biometrics or in devices that record fingerprints and the use of retinal scan systems for ultra-clean processing environments, where operators must wear gloves.

Protecting the Supply Chain

After prescription medications leave the manufacturing facility, they typically pass through a number of wholesale and retail drug distributors before ultimately reaching the local pharmacy or hospital. While shipping and handling of controlled substances is conducted under secure conditions, every step along the pharmaceutical supply chain presents an opportunity for tampering or diversion by criminals. Some manufacturers have gone to great lengths to protect the pharmaceutical supply chain by introducing innovative security measures where they tag individual bottles of medication with small electromagnetic chips known as radio frequency identification (RFID) tags, which enable pharmaceutical manufacturers and wholesale distributors to more closely track products as they move throughout the distribution chain.

Centralized Command and Control

Whether an organization consists of a few facilities that are locally dispersed or many that span the globe, an integrated enterprise security solution gives corporate security personnel in this environment central control over the entire system, while each local facility maintains independent control of its individual operation. Residing on the corporation's network, an enterprise solution typically consists of the integration between access control, intrusion monitoring, video and visitor management as well as audio communication systems. It provides corporate security administrators the ability to configure and monitor from a central location.

A number of pharmaceutical companies with national and global presence have implemented Crisis Management Centers which are staffed around the clock to monitor, manage and coordinate responses to incidents that may threaten or have harmed the organization at any of its locations. By reviewing intelligence reports from various sources for daily specifics on natural and man-made disasters, animal rights activities and terrorism, corporate security can dynamically deal with situations as they unfold.

As part of the crisis response tools, the enterprise security solution provides the ability to monitor and record emergency events as they occur via video management and initiate response actions and notification through the access control and communication systems.

Fred Miehl is a Certified Protection Professional with the security systems design consulting firm of Aggleton and Associates, Inc. He is a member of ASIS, and a member of the IAHSS; he is also a former board member of the International Association of Professional Security Consultants (IAPSC). Fred has been planning and design­ing security systems for more than 30 years and can be reached at [email protected]