When it comes to security, lab managers must match the zeal of the threat with equal animus.
In the pre-dawn hours of November 14, 2004, a Sunday, a group of animal rights fanatics illegally entered the locked Spence Laboratories, an animal research facility in the Psychology Department at the University of Iowa. The intruders somehow compromised the four-walled security system that featured perimeter, elevator, corridor, and animal room access control, including card-key access. Offices and laboratories were selectively vandalized. Paper-dissolving acid was poured on research documents. Computers used in animal research work were destroyed.
The radical UK-based animal rights group Animal Liberation Front, or ALF, later claimed responsibility for the attack.
The ALF also ‘liberated’ 88 mice and 313 rats that morning, animals used in basic behavioral and biological research aimed at better understanding, memory, learning, body temperature regulation, and sleep. The raiders then spray-painted incendiary slogans on the walls: “Science not sadism” and “Free the animals.”
The incident on the University of Iowa campus illustrates the principle distinction between securing animal research facilities and securing banks, jewelry stores, or automobile dealerships. Whereas the concern of most enterprises is to secure inventory from theft or data from compromise, laboratory animal facilities must contend also with the zealotry of the ALF and similar groups, such as People for the Ethical Treatment of Animals.
Animal research facilities are the prime targets for radical groups that oppose using animals for research. The intimidation bar has been raised, with even the families of researchers now being threatened.
In an email message sent to the press four days after the Iowa break-in, the ALF said, “This raid was carried out to halt the barbaric research of the UI Psychology Department’s seven primary animal researchers.” The message listed each researcher’s addresses, home telephone numbers, and spouses’ name.
Former police detective Tim Dimoff, now president of Akron, OH-based SACS Consulting & Investigative Services (www.sacsconsulting.com), said management of animal research labs have had their vehicles and homes vandalized, and family members threatened.
“There have been actual physical attacks, personal information is listed on animal rights group websites, and monetary rewards posted for their deaths and/or intimidation,” Dimoff said.
Animal rights activists aren’t the only threat to laboratories. Since the 2001 anthrax letter scares there is also the stark awareness that biologic, chemical, and radioactive materials found in laboratory environments could be used as agents of terror.
Lab managers must therefore summon a comparable zeal to thwart such incidents. Laboratory security measures should be commensurate with risk potential.
Bible of Biosecurity
In the realm of animal research labs the bible of biosafety and security is a document called Biosafety in Microbiological and Biomedical Laboratories, known as the BMBL – a collaborative project by the Centers for Disease Control (CDC) and the National Institutes of Health (NIH). The book applies to facilities where select agents are used under biosafety levels 2, 3, or 4. The BMBL’s long-anticipated 5th edition, released finally in February after a two year wait, presents guidelines for managers of labs where the regulatory mandate of Title 42, Code of Federal Regulations, Part 73 (Possession, Use and Transfer of Select Agents and Toxins) applies. This edition includes security information pertaining to inventory controls, risk assessment, and the screening of personnel — reflecting the harsh realities in which laboratory animal facilities currently exist. The earlier 1999 4th edition dealt primarily with preventing unauthorized entry to laboratory areas, as well as unauthorized removal of dangerous biologic agents from the laboratory.
Since infiltration is now a popular new tactic with hate groups, the BMBL advises extensive background checks be run for all applicants. These checks should screen for such items as previous affiliations with radical groups, as well as any prior criminal and civil court records.
Dimoff also recommends that labs conduct personality tests on applicants to be sure they are hiring the type of person they intend. “Background checks are vital to screen out sympathizers,” he said.
“There’s no better tactic for radical groups than to be positioned ‘inside’ by having a member of their group employed by the very research facility they are targeting.”
Threat v. Risk
Threat and risk assessments are the keys to achieving adequate security. Dimoff said each facility should have a total vulnerability assessment that not only focuses on facility strengths and weaknesses, but also provides recommendations for security measures, plans, and enhancements.
Nine years ago, the General Accounting Office issued a report regarding terrorism, a key finding of which was that threat and risk assessments were widely recognized as indispensable decision-support tools for establishing a security program.
“We’re still dealing with the same issues we’ve been dealing with in the animal field for many years,” said former research virologist Jonathan Richmond, CEO of Jonathan Richmond and Associates (www.bsafe.us), a biosafety consulting firm. Richmond is also a biosafety consultant to the World Health Organization.
These issues include protection against potential breakins or breakouts, particularly for laboratories dealing with select agents. The CDC maintains a master list of about six dozen such agents — mostly viruses and toxins capable of causing substantial harm to human, plant, or animal health.
“Any of the infectious disease agents pose a potential risk,” Richmond said. The big issue facing any facility, then, is doing a threat assessment, the first step in determining risk.
When performing threat assessments, Richmond reminds lab managers to ask themselves why their facility might be targeted. What makes the lab different from other labs across town? Do you house unique animals or unique agents? Maybe you have unique people, such as a Nobel Laureate. Maybe it’s as simple as target size, that the lab is the largest one in the region so intruders get the biggest bang for their buck, he said.
Once the threat analysis is complete, a risk assessment is then indicated.
Risk management is the deliberate process of understanding risk, i.e., the likelihood that a threat will harm an asset with certain severity of consequences — and deciding on and implementing actions to reduce that risk, Richmond said.
“Let’s say you find you are particularly threatened because you’re working with anthrax or because you’ve gotten a contract to develop a vaccine for ebola virus,” he said. “Now, you need to do a classical risk assessment to determine not only how to protect your people and animals, but also determine what kinds of control measures are required to protect against potential intrusion.”
Control measures mean a security plan, which must include collaboration between senior management, scientific staff, human resource officials, information technology staff, engineering, and security officials. One asset frequently overlooked here is the FBI.
We recommend that individual facilities also engage in discussions with their local FBI office as part of the threat assessment because the Bureau today is very attuned to these issues and are more than willing to work with institutions to do threat assessments,” Richmond said.
Guards, Guns, and Gates
Assessments emerge from planning sessions in the form of guards, guns, and gates on the outside, and biometrics on the inside to address access control. Biometrics was once the domain of James Bond films or ultra-
sensitive military installations, but the nature of the threats to animal research labs now requires positive identification of staff moving into and throughout the facility.
“You must assure that only those people who are registered to have access to a particular agent or animal room have any chance of getting through the layers of the security onion,” said Randy Kray, a CUH2A architect specializing in laboratory security designs.
Biometric technology is therefore growing quickly in laboratory security schemes, and is often regarded as security’s silver bullet because physical characteristics such as thumb prints and iris patterns cannot be imitated or forged by others to gain unauthorized entry.
But the sheen on that gloss is often tarnished by practicality. “There has been a big push toward the use of biometrics such as thumb print readers for access control in animal labs, but if you have to wear gloves – which is quite common in laboratory areas – thumb print readers don’t work,” Kray said.
Other species of biometric equipment such as retinal and iris scanners work better in the sense that nothing has to be touched, but these units tend to be several times more expensive than thumb print systems, quickly pushing capital costs beyond most reasonable budgets, Kray said.
Architects like Kray, who must incorporate layer upon layer of security features in plans to meet mandated security requirements in laboratory animal facilities, therefore find it challenging to bring the right biometric devices into animal environments. All designs must meet the standards of the 2003 Select Agent Regulations, another CDC document. These regulations place stringent requirements on laboratory facilities that possess, use, transfer, or receive any of the select agents.
Compliance with regulations is sometimes easier said than done, particularly for architects charged with designing secure labs. For instance, trying to maintain security while ensuring cleanliness and proper protocol for researchers moving from space to space is particularly challenging, Kray said. This is the vivaria protocol in the University of California, San Diego, Animal Care Program:
Each vivarium has a designated traffic pattern based on the premise that clean areas should be entered before contaminated areas, in a progressive fashion. Clean supplies should be gathered before entering any animal room. Once an animal room has been entered, research personnel should not enter the clean side of the cagewasher. Additionally, research personnel should avoid entering the dirty side of the cage-washer at any time....It is especially important to properly use disinfectant foot baths, spray the soles of shoes, or don shoe covers prior to entering any animal rooms.
Compromised by Complacency
Still, even the most elaborate safety and security measures can be compromised by staff complacency. Tailgating, for instance, is a persistent worry. Tailgating is where one person swipes an access card through a reader and other person, perhaps not authorized or nor decontaminated, follows them through the door on the same swipe.
Door detective and dual door sally port solutions exist to prevent this breech, but they tend to be expensive and add yet another layer to the security onion.
Another issue with card readers are the readers themselves, which run the risk of doubling as incubators if protocols are ignored.
“Proximity cards and card readers aren’t the best devices to employ in vivaria because the act of swiping cards through a reader could potentially pass contamination,” Kray said. To avoid this, cards have to be decontaminated on the way in and out of certain areas, another problem with using standard security devices in nonstandard animal research for security access, Kray said.
Instead, Kray sees closed circuit television (CCTV) being used more and more to replace card readers, since digital camera technology has now become smaller, lighter, digital, and far less expensive.
“You used to be able to only save about 20 minutes of data, but with the newer models you can save hours if not days worth of data on DVD, making it easier to use cameras as security tools,” Kray said. “ Five years ago we were installing these cameras behind elaborate camera bubbles so the cameras were outside of the research space looking in, but today they’re so affordable they’re almost disposable so they can be positioned inside now.”
Other recent design ideas include the use of telemetry to move clinical data instead of moving people from animal rooms, minimizing cross-contamination opportunities.
“We’re seeing increasing use of electronic devices in order to export data out, as well as have visual access to the animal without physically having to be in those rooms,” Kray said.
These electronic schemes are especially applicable in academia, where many animal research facilities reside. Academia is permeated by the concepts of data availability and information sharing, presenting a dichotomy between this culture of openness and the strict requirements of select agent biosecurity.
“What we’re finding is the use of CCTV, telemetry, and other electronic devices in order to get access to the research without actual access to the agent or animal,” Kray said.
Extra Measures Other special security measures continue to emerge as needs are identified.
The University of California, Davis Police Department, for instance, recently recruited the first three of six protective service officers, or PSOs, to provide still another level of security for the University’s California National Primate Research Center.
PSOs are trained by the police department in crime prevention, access control, customer service, and tactical communications. The officers began providing security and checking IDs at the lab gate in early January. The remaining three PSOs will patrol the 300 acre site at the western edge of the campus in vehicles around the clock.
The PSO staffing is part of a continuing security enhancement process at the center, which is one of eight national primate research centers sponsored by the National Center for Research Resources, a division of the NIH, to provide specialized research resources for studies into health problems including AIDS, autism, asthma, Alzheimer’s disease, aging, and developmental biology.
“It’s an ongoing strategy the University is undertaking to make sure that researchers are safe, animals are safe, and the value of research is maintained,” said Lt. Nader Oweis, of the UC Davis Police Department.
Other security upgrades implemented at Davis in recent years have included new fences, perimeter lighting, cameras, alarms, and training manuals with video companions on safety and security topics for researchers – measures financed jointly by a grant from the NIH and UC Davis.
In the end, safeguarding lab resources from unauthorized access, misuse, or removal is a duty of all staff. This obligation rests primarily with the principal investigator. However, all laboratory personnel have a responsibility to take reasonable precautions against theft or misuse of materials, particularly those that could threaten the public.
Many laboratories already implement various extra security measures, including locking up controlled substances, syringes, and needles. Principal investigators are admonished to review and assess the security of their highly hazardous materials, such as infectious agents, toxins, radioactive materials, acutely toxic chemicals, carcinogens, explosive or reactive chemicals, and compressed gases.
Richmond’s mantra is keep it simple.
“If you can put a lock on your freezer, or lock your doors to keep people out who aren’t supposed to be there, then that’s what you should do,” he said.
Douglas Page is a California-based freelance writer. He can be reached at email@example.com.