The manufacture of controlled substances and valuable medical supplies is an industry that must meet heightened standards and comply with strict regulations. Security is paramount, because the products produced by this market sector are highly desired for their value on the black market.
Publications Security and SDM brought together three security professionals who are involved in the regulated manufacturing industry to discuss the unique needs and challenges faced by clients in this sector. Some areas of discussion: advanced technology for employee and visitor access as well as perimeter security, contamination concerns and how those affect the implementation of a security solution, protection from raw material to finished product and delivery of that product.
In the following discussion, conducted by Security editor, Diane Ritchey, and SDM editor, Laura Stepanek, security professionals offer an insight into this specialized world.
What are the unique security needs for manufacturing pharmaceuticals and healthcare products as you see them?
David Kraus: I see protection of incoming raw materials and supplies, a generally stricter employee and visitor access control than other non-DOD industries and maintenance and support of GMP standards (cleanliness, manufacturing monitoring) as unique needs to this industry. Another challenge is meeting regulatory requirements related to security, such as security video recording storage length, access and alarm reporting and investigative follow up to incidents.
Tom Catagnus: Pharmaceutical manufacturing facilities have several issues that affect their security needs. One of the biggest is that they are often dealing with controlled substances that are strictly regulated, targeted by thieves and highly marketable on the black market. This means they have to take extra steps to protect against both internal and external theft. They need additional security measures at all levels including access control, visitor management and escort and video monitoring.
Contamination is another major concern. This means additional security, but it also affects the installation and maintenance of the security system by the integrators. In some cases, integrators have to attend special education classes on clean rooms and contamination before beginning work on an installation. Some facilities and manufacturing processes are so tightly regulated that a technician cannot work in building A and then do additional work in building B. Regulations may require that someone who has been working in building A may not enter building B for 24 hours. The access control solution has to take this into account and it may mean that the integrator has to send two separate technicians to the site.
Extra care has to also be taken in areas with clean rooms, research materials and animals. Integrators and their staffs have to know what can be done in these areas and what protocols they have to follow. In some cases, it can get complicated and workers have to be very careful.
What types of problems do you face and what solutions are available, and how are they being implemented in your facilities?
Greg Halvacs: We have to be aware of good controls and monitoring through security video and access control systems within the manufacturing and warehousing of high-value products. We also have security protocols in place for the transport of these products to the end customer to ensure safety of our drivers and to ensure a secure supply chain.
David Kraus: We face primary risks associated with internal theft of product or raw materials, plus external risks associated with shipping, robbery, or counterfeiting. Solutions to mitigate those risks include large scale security technological deployment including increased security video coverage, DVRs, electronic access control, individual manufacturing room access and alarms, networked building-to-building visitor controls and strict regulatory and security compliance. We recently designed and built a pair of full height electronic turnstiles at the employee access doors to the main manufacturing site to increase staff protection and for better access control.
What do you see on the horizon? What could help you the best in terms of security and security technology for what you do?
David Kraus: I see continued convergence growth and development opportunities between IT and security programs, with an increased focus on cost effectiveness. There also may be greater challenges for internal theft protection and transportation integrity. Enterprise access control, security video and remote alarm control monitoring and response will be a part of the future horizon. I see the possibility of “miniaturization” of security components becoming a greater likelihood in the future. Smaller, more robust components will increase security technology reliability and diversity in the future. I see more portability of security devices, such as security officer carried security video monitoring and GPS locators. I have always hoped for a completely reliable and affordable electronic asset tagging system that is not static or tied to a single door or group of doors. Some attempts have been tried and applied, but I believe a better idea may come in the future.
More security executives are being forced to justify their role in organization, with some coming up with some creative solutions. Do you find that you need to do that in your role?
David Kraus: I believe that effective security managers must continually be prepared to explain their department’s contributions and impact to the bottom line. In my previous security management roles I have used spatial metrics (square footage to budget), as well as activity-based metrics (total security officer daily activities measured over time and cost figures) to assess departmental productivity. Whatever justification used to measure productivity should relate to the specific business activities and mission of the security organization being assessed. I have been the department head for security in my organization, as well as the project manager of a long-term (five-year) master security plan and building project. I have not typically been asked to justify an ROI for the overall project, but have annually presented the next segment of the master plan project to senior management and the Board of Directors (through my manager) for approval and continuation.
Greg Halvacs: The safety and security of the nation’s pharmaceutical supply chain is a key priority for our company, and something that is well understood at all levels of our organization. Security is part of our business model, and therefore isn’t something we need to justify. In addition, over the years I have continued to look for opportunities to take on additional work or areas of responsibilities. Because of this, our Global Security department also oversees our drug testing program, aviation group and crisis management functions, in addition to our core role as global security. I believe the more value you bring to an organization (and more diverse you become), the less you have to justify your role.
Tom, as a systems integrator, what has stood out in your experience working with clients in the healthcare field? What trends are you observing in technologies implemented, as well as trends in what healthcare institutions look for in a security provider?
Tom Catagnus: Pharmaceutical manufacturers are looking for integrators that know the manufacturer’s business, special needs and challenges. They want a security partner that can offer them a full selection of products and services and will provide them with the best solutions available. They also need a partner that is knowledgeable about the industry and can work with outside agencies such as DEA, FBI and local municipalities. All of these entities have to be included in the process.
Perimeter security has become of increasing concern. More manufacturers are pushing their perimeters out farther. This gives them more control and greater ability to recognize and stop problems or situations before they reach a building or facility. IP video is being increasingly used in pharmaceutical manufacturing facilities. End users are looking for all of the technology to integrate and for information to come together in one centralized location. They want different components to talk with each other and to provide them with “situational awareness” or a real picture of what is going on in the facilities at any given time.
These end users are combining security with IT and we are finding that security directors know more about IT and the IT people know more about security now. In large firms the security director now has a corporate team with different specialties. Someone on the team is in charge of video and another handles all of the badging and access issues. The security executive now has IT and technology experts on his team.
Access control is another area with increased emphasis for pharmaceutical manufacturers as they recognize the need to control who is accessing their facilities and when. Timed access and visitor management are also trends. Pharma companies have to manage employees, visitors, regulators, contractors and vendors. Pharmaceutical manufacturers use multiple or nested layers of access control. Clean rooms and drug vaults are more tightly controlled with limited or timed access. They also use biometric access devices including hand geometry and iris readers for the most tightly secured areas of a facility.
David Kraus: As a security director, I have worked with systems integrators who have been carefully screened and selected for their track records and reputations, budget attentiveness and results, and for their “360-degree communications style.” We are not a healthcare institution; however our company sought integrators who have multi-site capabilities with enterprise system development knowledge or experience. I do not like security “template” types of security solutions that come in one-size-fits-all sizes. We are a pharmaceutical company with very specific risks and needs. I want integrators who listen carefully to our needs, who provide solid written plans or proposals and who have the adaptability to modify or change course if necessary. We were fortunate to select a vendor who met these specific needs in the completion of our long term security plan to date. As far as technologies for possible future use in our company and in healthcare we are interested in video analytics, RFID technology, and advanced access control applications (using contactless smart cards and barcodes).
How have medical threats, such as the H1N1 pandemic, impacted your security efforts?
David Kraus: The H1N1 epidemic has not affected our company in the same way it would affect a hospital or clinic setting. Our concerns are mutually shared by businesses all around the world in terms of employee well being and health. Our company has provided medical information to employees, as well as flu vaccine locations for employees to access protective treatment. In a previous life as a hospital security director my concerns would have included both external and internal issues. We would have provided employees with flu vaccinations to ensure that they could continue to support and provide healthcare medical services, while developing security contingency plans to assist hospital healthcare providers to maintain control in the emergency room and other units should the H1N1 virus become a full pandemic.
What’s on your wish list beyond wanting more time and money…in terms of solutions, emerging technologies, training, etc.?
David Kraus: At the risk of sounding overly dramatic, I wish that executive leadership in all companies took a regular and serious interest in business security that was on par with the level of interest taken in the first year after 9/11. Businesses have the tendency to ramp up or down on security given their most recent experience or experiences. While many of my contemporaries in security management and I strive to keep the C-suite informed about risks and threats to our respective business environments, cost containment and reputation management sometimes affects the level of support given to security. Security is generally seen as a cost centered environment, not a revenue producing one. As long as this reality exists, security has the difficult task of constantly needing to sell its value and purpose to organizations that are struggling with an economy that suffers from reduced growth. Many C-suite executives have to make critical decisions about where limited budget dollars go, and security’s needs sometimes take a back seat to other more pressing needs. Given this rather dour outlook at the present time, security leaders have to be careful to choose wisely when provided the opportunity to create a “wish list.”
The one “wish list” item that I have for the future is for the development of certified training for security officers and operators on the leading-edge and future technologies. I have personal concern that while security technology continues to advance at a rapid pace; training for the average line officer lags behind. What value do we add to security solutions if we put a poorly trained or inexperienced officer at a high tech security console? We need user training programs that customize education to level needed for rank and file officers or operators to efficiently use the equipment we deploy. Some manufacturers offer this type of training of purchasers and systems administrators, but the grass roots officer training to keep pace operationally is not always a part of the transition plan.
Greg Halvacs: I believe that benchmarking with peer companies and attending trade shows is the key to staying on top of this ever changing industry. Reinventing the “security” wheel is not the way to succeed in this highly complex and competitive world.
The Roundtable ParticipantsThomas Catagnus is vice president of corporate accounts for ADT-Advanced Integration. He has been in the electronic security industry since 1982. He has held several key positions including regional president for northern sales and operations while at Security Services & Technologies (SST). He is a former principal and one of the original founders of SST. Previously, he worked for two national security companies and a large regional privately held systems integrator.
Gregory J. Halvacs is senior vice president and chief security officer for Cardinal Health. Halvacs is responsible for all aspects of asset protection and corporate aviation. Prior to joining Cardinal in April 2006, Halvacs was the senior director of corporate security at Kraft Foods and the director of risk and safety at Raytheon Data Systems. He also led the security functions at both Frito-Lay and Pepsi Food Systems, divisions of the PepsiCo organization.
David A. Kraus, CPP, is director of security at Impax Laboratories, a pharmaceutical manufacturing company based in Hayward, Calif. Kraus has worked in security management for more than 20 years, primarily in industrial and healthcare security. Prior to his current position, Kraus served as the director of security for the Northeast Bay Area of Kaiser Permanente healthcare (Northern California). Kraus also spent five years as the director of security, parking and transportation at Sarasota Memorial Hospital in Sarasota, Fla. and manager of corporate security at Quaker Oats Company in Chicago.