Health Care Companies Not Prepared to Manage IT Risks
The American Recovery and Reinvestment Act promises massive new opportunities for the health care industry with the widespread adoption and use of electronic health records, but a new study finds the industry is ill-prepared to meet the security challenges.
While health care and life sciences companies are on the brink of new opportunities with the widespread adoption and use of electronic health records technologies called for under the American Recovery and Reinvestment Act, the industries are not prepared to meet the challenges of managing the risk as opportunities emerge, according to a new survey by Deloitte.
Worse, the study states, inadequate security budgets, lack of a strong reporting structure and sophisticated security threats pose significant trouble for the industries, exacerbated by the challenging economy.
"The lifeblood of any health care or life sciences organization is information, be it patient, intellectual property or financial. But organizations are dealing with a lot right now," Amry Junaideen, Deloitte's Health Sciences & Government leader for Security & Privacy, said in a statement. "They have the challenge of how to protect their information while facing increasingly sophisticated security threats and increasing regulatory and legislative requirements - all against a backdrop of reduced spending, staff cuts and organizational changes."
More than 100 global life sciences companies, health care providers and health care insurance companies participated in the Deloitte study, The Time Is Now. Approximately half of the companies that participated in the study are based in the United States.
Among the potential problems cited by the respondents were outsourcing data management functions to third-party sources; internal breaches and internal threats, including third-party relationships; and protection from data leakage. Identity and access management was also recognized as a top priority.
"Based on the results of our study, the industry is not yet prepared to meet the risk management challenges as we head into a period of massive opportunity to maximize the value of data and the promise of new automation," Junaideen said. "This may be because the industry is behind in implementing important foundational technologies, such as identity and access management solutions, or reluctance to adequately fund the security functions. Bottom line: The industry needs to act aggressively to catch up."
Despite the fact that more than half of the respondents reported their information security budgets increased, the majority of increases were nominal, ranging from 1 to 15 percent. The companies also reported that information security budgets are not separate from the IT budget, and most IT budgets dedicated just 1 to 3 percent to information security.