Urgent care: Safeguarding data at health care providers

Striking a balance

One of the biggest difficulties, say health care industry observers, is that at the end of the day, the primary focus of health care organizations is on the patients. Therefore, technology budgets historically skew greatly toward the kind of diagnostic equipment and medical tools that are used to treat patients, rather than the tools to secure their IT resources.

“Hospitals, in part, and health care, in general, are starting from an immature base in terms of IT technology,” Kam says. “Most investments are going to the super-duper diagnostic or treatment equipment. The main goal of the hospital is to help patients. Core IT is the laggard in this market.” 

As a result, the health care industry has traditionally had trouble attracting IT security talent, which is in high demand across most industries nowadays. 

“This is not an industry that has a great track record on security issues,” says CDT's McGraw. “Their primary issue is patient care, and for so many health care providers, security is only secondary or tertiary to patient care.” 

And, even for large health systems, that IT budget is typically tiny relative to other industries, she adds. 

In a recent survey from the Health Care Information and Management Systems Society, nearly six out of 10 respondents said the portion of IT budget earmarked for information security had increased the year before. However, at an average of just three percent of their IT allocation as a whole, the amount health care organizations spend on IT security is still well below the five to 10 percent spent in other industries. 

“It's still business as usual,” says Kam. “They're not really taking into account the new threats.” Further, according to recent Ponemon-ID Experts research, three out of five hospitals and health care organizations don't have a budget appropriate to protect the personal health information of their patients. 

“It's a significant problem,” Kam says, “and at the same time there are so many pressures to improve health care and reduce costs, and they're not keeping up on the security side.”

And those security and privacy demands are just going to get more stringent. According to the PwC survey, three out of 10 patients would choose a hospital with clear privacy and security policies over one without if cost, quality and access were the same. 

But, as Delano sees it, the cost to provide and manage better security will increase, while typical health care reimbursements to hospitals decline. Therefore, health care IT security executives have their work cut out for them. “It's as big a challenge as any,” he says. 

“Security is a cat and mouse game,” he adds. “I told the CEO a couple of years ago that my fear is to be sitting in front of the board, and explain why instead of spending a million dollars on a new CT scanner that can generate revenue, we should spend a million on securing a new wireless network.”

“We're working through it,” Delano plainly admits. “It's a little bit difficult to achieve.” 
