Recent government action has made President Obama's plan to digitize all health care records by 2014 more of a reality, but health care organizations are currently unprepared to manage the security risks of such a move, according to Deloitte's 2009 Global Security Study for health care and life sciences organizations.
“Whether it is because the industry is behind in implementing important foundational technologies, such as identity and access management solutions, or because there is a reluctance to adequately fund the security functions to meet the ever-increasing volume and sophistication of threats, the reality remains that the industry must now act aggressively to catch up,” the report states.
Released Wednesday, the survey of more than 100 global life sciences companies found that 43 percent of organizations do not currently have a CISO on staff, which is a huge disadvantage. With a CISO on staff, organizations often can meet the challenges of future security and privacy requirements, Amry Junaideen, health sciences and government leader within Deloitte's security and privacy services practice, told SCMagazineUS.com on Wednesday.
“If you don't have somebody specifically accountable for one area of the business and empowered to enable the right kind of funding to be obtained and the governance to be in place, the chances are that the organization will apply ‘Band-Aids’ to a problem rather than enabling the right solution,” Junaideen said.
The survey also found that the majority of respondents do not have any form of data leakage prevention in place. But, even so, the majority of organizations do have firewalls and anti-virus protection.
Data leakage prevention (DLP) technologies are the primary technology that health care and life sciences companies plan to deploy in the next 12 months, the survey found. But on top of DLP technology, organizations also must have the right processes in place and education for their employees to ensure that sensitive information is handled correctly, according to the study.
Organizations also are lagging in their security measures because of meager budgets and because of an ever-growing threat landscape, survey respondents noted. Indeed, the report's findings revealed that security accounted for just one to three percent of overall IT budgets.
“Security budgets are not considered adequate,” Junaideen said. “Because of this, organizations compromise when it comes to security.”
Finally, organizations tend to rely on the specialties of third parties, either as a means of keeping budgets under control or because they do not have the talent in-house. But this trend is leaving organizations increasingly at risk from insider threats, according to the report. Although most organizations conduct reviews of potential business partners before engaging them, few perform spot checks or audits once vendors are employed, the survey found. Such missteps in vetting third parties often can lead to internal breaches, whether due to malicious actions or careless mistakes.
“Right now I think a lot of organizations need to get their act together in order to recognize this is a lot of work and they need to have the people and processes in place to get there,” Junaideen said.