Biosafety and biosecurity for pathogens and toxins news: Q1, June 2023 issue

On this page

• Upcoming regulatory public consultation
• HPTR updates to the PHAC Forward Regulatory Plan
• Canadian Biosafety Standard, third edition
• New biosafety resources
  • New Canadian Biosafety Guideline: Biosafety Program Management
  • New Biosafety Directive for Risk Group 3 Fungi
• Seasonal variation in exposure incidents
• RegFacts: #DYK
• Identifying assets in biosecurity risk assessments
• Canadian Centre for Cyber Security resources
• Security threats in licensed facilities

Upcoming regulatory public consultation

The Centre for Biosecurity (CB) will be publishing a regulatory consultation questionnaire for public input in the coming months. We'll send an email to our subscribers with information on how to participate once it's available. Please consult the following link to subscribe.

HPTR updates to the PHAC Forward Regulatory Plan

After a pause during the COVID pandemic, we're pleased to announce updates to our Forward Regulatory Plan. It provides stakeholders with meaningful access to information, and an opportunity to respond to proposed regulatory changes.

The forward regulatory plan describes regulatory initiatives that PHAC intends to work on within a 2-year period. It includes any regulatory initiatives associated with the regulatory stock review plan, a multi-year plan to review existing regulations. It may also include regulatory initiatives that we plan to bring forward over a longer period.

We've updated the forward regulatory plan webpage to reflect high-level commitments to undertake regulatory changes for:

• amendment of the HPTR
• Schedule 1 of the HPTA

We'll update the forward regulatory plan over time to reflect progress in regulatory development and changes to regulatory priorities.

Canadian Biosafety Standard, third edition

The Canadian Biosafety Standard, third edition (CBS3) came into effect on April 1, 2023. The Public Health Agency of Canada (PHAC) and the Canadian Food Inspection Agency (CFIA) worked together to update the standard.

The CBS has been revised to:

• clarify the biosafety and biosecurity intent of all requirements
• clarify how the requirements are based on risk, evidence and performance
• be non-prescriptive and technology-neutral

The CBS3 is the national standard for the safe handling and storage of human and terrestrial animal pathogens and toxins in Canada. It sets out the requirements related to:

• physical containment
• operational practice
• performance and verification testing

Facilities that conduct controlled activities with regulated materials must now comply with the requirements outlined in the CBS3.

After publishing the CBS3 in November 2022, PHAC hosted a 2-part CBS3 webinar series about it.

The first webinar:

• provided an overview of key changes in the CBS3
• outlined project milestones
• shared insights from the public consultation that helped inform the CBS3

The second webinar:

• addressed questions about interpretation of CBS3 requirements
• helped guide facilities in implementing CBS3 requirements and achieving compliance

Both webinars are available on the PHAC e-learning portal CB Webinar Series.

We're currently updating biosafety advisories, directives and guidelines that refer to CBS requirements. We'll continue to communicate these updates to you in this newsletter.

Please contact us at pathogens.pathogenes@phac-aspc.gc.ca if you have any questions.

New biosafety resources

PHAC and the CFIA published 2 new resources to support compliance with the Human Pathogens and Toxins Act (HPTA) and Human Pathogens and Toxins Regulations (HPTR), as well as the Health of Animals Act and Regulations.

New Canadian Biosafety Guideline: Biosafety Program Management

The new Canadian Biosafety Guideline for Biosafety Program Management expands upon the concepts presented in the CBS3. It provides comprehensive guidance on how to develop, implement and manage a biosafety program in facilities where controlled activities with human and terrestrial animal pathogens and toxins are conducted. It also aligns with the approach recommended in the World Health Organization's Laboratory Biosafety Manual, 4th edition.

This guideline is designed to be used in conjunction with the CBS3.

New Biosafety Directive for Risk Group 3 Fungi

PHAC and the CFIA are pleased to announce the publication of the Biosafety Directive for Risk Group 3 Fungi (the Directive). The Directive comes into full effect October 1, 2023.

The Directive outlines the physical containment, operational practice and performance and verification testing requirements for safely handling certain Risk Group 3 (RG3) fungi such as:

• Blastomyces dermatitidis
• Histoplasma capsulatum
• Cryptococcus gattii (formerly Cryptococcus neoformans serotype B, C or Cryptococcus neoformans var. gattii).

Cryptococcus gattii was previously classified as an RG2 human and animal pathogen but was reassessed and added to Schedule 3 of the HPTA in 2017.

RG3 fungi must typically be handled at Containment Level 3. However, if you follow additional operational practice requirements, you may handle some RG3 fungi safely at Containment Level 2 (CL2) or CL2-Agriculture (CL2-Ag, that is, CL2 large animal containment zone). The Directive outlines the activities, fungal species and specimen types you can safely handle at CL2 or CL2-Ag with additional operational practices to mitigate the risk.

Organizations must comply with the applicable requirements of the directive by October 1, 2023, if they:

• conduct or plan to conduct controlled activities with RG3 fungi
• conduct controlled activities with Cryptococcus gattii under an RG2 Pathogen and Toxin Licence.

Organizations may apply for a new RG3 Pathogen and Toxin Licence, or amend their existing RG3 Pathogen and Toxin Licence via the Biosecurity Portal.

If you have any questions or concerns about licensing, please contact licence.permis@phac-aspc.gc.ca or 613-957-1779. For any other question regarding the Directive, please contact biosafety.biosecurite@phac-aspc.gc.ca.

Seasonal variation in exposure incidents

The annual Laboratory Incident Notification Canada report shares data about exposure incidents occurring in licensed Canadian laboratories. An exposure incident is an event of contact with infectious material or toxins that can potentially cause:

• harm
• injury
• damage
• disease
• infection
• intoxication

In 2022, there were 40 reported exposure incidents, affecting 93 people of varying technical, professional, and educational backgrounds. Most occurred in the academic sector, followed by the hospital sector. The 2022 annual incident exposure rate was 3.8 incidents per 100 active licenses, a decrease from 2021.

Analysis of median incidents per month from 2016 to 2021 found that May and September had more exposure incidents, whereas June and August had fewer. These findings examine cyclical and seasonal fluctuations due to the following:

• May is the beginning of the summer hiring period, which could involve new lab members and summer students
• September is the beginning of the fall semester, with the return of students to academic labs
• June and August typically have more staff on vacation, which may result in fewer incidents in labs

2022 findings fit the trend observed in the previous 6 years, with the exceptions of April and November. Both had far fewer incidents than the median of the previous 6 years.

April may be explained by:

• reduced laboratory staff due to the Omicron variant of the SARS-CoV-2 virus, and
• increased awareness of good biosafety and laboratory practices

November may have seen more laboratory workers on vacation as travel restrictions were eased.

For information about laboratory acquired infections and intoxications, register for the free Laboratory Acquired Infections course on PHAC's Training Portal.

RegFacts: #DYK

Did you know that the HPTA and HPTR set out reporting and notification requirements for Licence Holders, Licence Holder Representatives, Biological Safety Officers (BSOs), and persons conducting controlled activities authorized under a Pathogen and Toxin Licence?

The 4 categories of situations that require mandatory notification, as specified in the HPTA/R are:

• laboratory incidents
• changes requiring the issuance of a new licence
• changes that may require an amendment or revocation of an existing HPTA security clearance
• other events

Laboratory incidents that require mandatory notification include:

• exposures and laboratory-acquired infections or intoxications [HPTA 13]
• inadvertent possession, production, or release [HPTA 12(1),(2), and HPTR 9(1)(c)(ii)]
• missing, stolen or lost biological agent (pathogen or toxin) [HPTA 14], including a security-sensitive biological agent (SSBA) not received within 24 hours of when it was expected [HPTR 9(1)(c)(iii)]

Other events requiring notification include:

• changes that could affect biocontainment [HPTR 6(1)]
• exemptions based on risk group reduction [HPTR 26(4)]
• prohibiting an HPTA Security Clearance holder from accessing a part of the facility where SSBAs are handled or stored [HPTA 32]

Notification and reporting are done through PHAC's online Biosecurity Portal. The guideline Notification and Reporting Under the HPTA and HPTR Using the Reporting Module of the Biosecurity Portal provides comprehensive information on completing and submitting a notification report or a subsequent follow-up report as per the HPTA/R and the CBS. The guideline is currently being updated.

You must report incidents without delay to meet your notification obligation under the HPTA and HPTR.

Incidents (mandatory or voluntary) can be reported through the Biosecurity Portal. If the Biosecurity Portal is unavailable or inaccessible (or for voluntary reporting by non-license holders), email pathogens.pathogenes@phac-aspc.gc.ca.

Identifying assets in biosecurity risk assessments

All licensed facilities in Canada must conduct a biosecurity risk assessment in order to develop a comprehensive biosecurity plan (CBS3, 4.1.5 and 4.1.8). One of the most important steps in a biosecurity risk assessment is identifying the assets in need of protection. An organization must determine if it's likely to be a target of a biosecurity incident based on the assets handled or stored in its facilities. A biosecurity risk assessment is driven by an organization's risk tolerance and takes into account potential consequences of a biosecurity incident.

Examples of biosecurity incidents include:

• loss
• theft
• misuse
• diversion
• sabotage
• intentional release of assets

Biosecurity risk assessments can include:

• tangible assets (such as pathogens, toxin, animals, laboratory equipment)
• intangible assets (such as intellectual property, experimental protocol with dual-use potential)
• people assets (such as technicians, scientists, students)

Other assets that an organization may need to protect include:

• reputation
• intellectual property
• critical infrastructure biocontainment components

Intellectual property

Intellectual property is any product of human intellect that the law protects from unauthorized use by others. Intellectual property includes:

• novel findings
• new or modified laboratory techniques or procedures
• inventions (patent)
• designs (industrial design)

If your organization can financially benefit from its novel findings, it may have a very low risk tolerance for intellectual property theft. As part of your biosecurity plan's information management security strategy, you could restrict access to all information related to research until publication or patent application. This could also help prevent the publication of sensitive research findings from being published. For example, an organization shouldn't publish research findings that could be easily misused to do harm (research with dual-use potential). As demonstrated by recent criticism of organizations publishing protocols on how to synthesize viruses, dual-use potential of scientific research with pathogens can sometimes only be properly assessed after a project has been completed (for example, after the new modified pathogen is fully characterized).

Critical biocontainment components

If biocontainment failure could severely affect the health of personnel, the surrounding community or beyond, your organization should have an extremely low risk tolerance to sabotage of critical biocontainment components. The following can help prevent sabotage to critical biocontainment components:

• identifying vulnerabilities
• developing physical security measures
• developing information management strategies in your biosecurity risk assessment

Security measures could include mitigating the risks of cyberattacks on laboratory equipment or restricting access to architectural, mechanical, and electrical drawings of critical biocontainment components to only security-cleared individuals on a need-to-know basis.

Reputation

If reputational damage could affect its funding or collaborations with reputable facilities across the world, your organization may have a very low risk tolerance for reputational damage. Collaborations, affiliations and disinformation campaigns can cause a significant negative impact to an organization's reputation. Such campaigns can also increase the risk of violence and attacks against your facility. Your biosecurity risk assessment can help identify appropriate mitigation strategies in your biosecurity plan. For example, your organization may choose to implement National Security Guidelines for Research Partnerships and create guidance for personnel regarding the use of social media platforms.

For more information on how to conduct a biosecurity risk assessment, consult the Canadian Biosafety Guideline: Conducting a Biosecurity Risk Assessment or contact CB at biosafety.biosecurite@phac-aspc.gc.ca.

Canadian Centre for Cyber Security resources

The Canadian Centre for Cyber Security (CCCS) is Canada's technical authority on cyber security. It provides advice, guidance, free services and support on cyber security for government, critical infrastructure, the private sector and the Canadian public. CCCS also has:

• a portal to report cyber incidents
• many publications on best practices and knowledge of cyber security
• reports such as the National Cyber Threat Assessment (NCTA) 2023-2024, which highlights the cyber threats facing individuals and organizations in Canada

Support provided by the CCCS to its Cyber Centre partners include the following:

• education
• threat intelligence
• community building
• advice and guidance
• cyber defence services
• incident handling support

The CCCS provides the following free services:

• Alerts, which provide time-sensitive information about:
  • a discovery of a zero-day vulnerability
  • ongoing malicious code
  • denial of service attack
• Cyber Flashes, which provide time-sensitive information about high-impact cyber issues with actionable indicators of compromise (IOCs) before the IOCs are publicly available. IOCs can help an organization determine if their network has been breached.
• The National Cyber Threat Notification System which notifies Canadian organizations of possible:
  • misconfigured services
  • vulnerabilities
  • compromised infrastructure
• Scorecards, which are personalized reports for critical infrastructure owners and operators, with data visualizations of malware and vulnerable service events occurring on their networks
• Aventail, a CCCS threat feed that shares trusted IOCs at machine speed
• Malware.cyber.gc.ca, which analyzes malicious files for your organization without installation and configuration. Automation of this tool is available by leveraging the application programming interface
• Community Calls, which are bi-weekly calls to discuss vulnerabilities and cyber threats that CCCS is tracking

To register for any of the services provided by the CCCS, please contact health-par-sante@cyber.gc.ca.

Security threats in licensed facilities

Safeguarding information is increasingly important as the global threat landscape evolves, and security incidents become more sophisticated. Adversaries threaten Canada's life-sciences sector by trying to take advantage of Canada's open and collaborative research.

Threats from adversaries can include:

• espionage
• cyber attacks
• theft of technology
• hijacking physical infrastructure
• proliferation of biological weapons
• intellectual property or other sensitive information (such as genetic sequences of concern or location of pathogens)

Canada's biopharmaceutical and health sectors are facing particularly severe threat activity. Canadian Security Intelligence Service's 2020 Public Report indicated that researchers and third parties may be used to exploit vulnerabilities in background and security checks to gain access to restricted areas. Licensed facilities should consider additional precautionary measures.

Before applying for a licence

Before applying for a licence, your facility must identify and prioritize assets in the biosecurity risk assessment (refer to section 4.1.5 of the CBS3). Only authorized individuals should have access to sensitive records and documentation related to controlled activities (refer to 4.9.3 in the CBS3). This includes information during the construction phase to support the biosecurity plan once your facility is operational (refer to 4.1.8 in the CBS3).

Licensed facilities

Unauthorized access to sensitive information is a serious risk to public health, safety and security. Licensed facilities must consider mitigation strategies to prevent biosecurity incidents such as sabotage of:

• gas lines
• HVAC systems
• control systems
• emergency doors
• accessible windows
• electrical power lines
• decontamination systems

To mitigate the risks of biosecurity incidents, consider protecting, classifying, or redacting drawings used during construction based on the risks associated with controlled activities. Examples of these drawings include:

• architectural drawings, which may identify:
  • doors
  • security walls
  • load bearing points and columns
  • blind spots in the security layout
• mechanical drawings, which may help identify laboratory space and specialized equipment for venting and scrubbing ductwork or potential attack points via the external make up air intake.
• electrical drawings, which may help identify critical elements for operations such as:
  • generators
  • transfer switches
  • internal day tanks
  • fridges or freezers
  • external fuel tanks
  • uninterruptible power supply
  • normal and back up power lines
  • Local Area Network (LAN) or server rooms

Based on the biosecurity risk assessment and biosecurity plan, you may opt not to publicly share identifying information such as a building name, address or architectural features from drawings of the building. Based on the assets you need to secure, you may consider all labelled floor plans confidential, including room numbers, names and titles. Security experts can help identify vulnerabilities and propose mitigation strategies. This may include Public Safety Canada's free Critical Infrastructure Resilience Tool.

Understanding the threat landscape (that is, identifying adversaries and their targets) can help you to identify sensitive information that needs safeguarding. Local, provincial and federal law enforcement agencies can help you better understand the type of suspicious and criminal activities occurring near your facility (for example, the likelihood of break-ins based on available statistics). Identify how your facility's activities may be perceived by the public or targeted by adversaries such as ideologically or religiously motivated extremists.

We recommend that you contact biosafety.biosecurite@phac-aspc.gc.ca before building new facilities or making changes to existing ones. This can help you meet the requirements of the CBS and conditions of licence.

Please contact biosafety.biosecurite@phac-aspc.gc.ca if you have any questions.