The American Recovery and Reinvestment Act promises massive new opportunities for the health care industry with the widespread adoption and use of electronic health records, but a new study finds the industry is ill-prepared to meet the security challenges.



While health care and life sciences companies are on the brink of new opportunities with the widespread adoption and use of EHR (electronic health records) technologies called for under the ARRA (American Recovery and Reinvestment Act), the industries are not prepared to meet the challenges of managing the risk as opportunities emerge, according to a new survey by Deloitte. Worse, the study states, inadequate security budgets, lack of a strong reporting structure and sophisticated security threats pose significant trouble for the industries, exacerbated by the challenging economy. "The lifeblood of any health care or life sciences organization is information, be it patient, intellectual property or financial. But organizations are dealing with a lot right now," Amry Junaideen, Deloitte's Health Sciences & Government leader for Security & Privacy, said in a statement.

"They have the challenge of how to protect their information while facing increasingly sophisticated security threats and increasing regulatory and legislative requirements -- all against a backdrop of reduced spending, staff cuts and organizational changes." More than 100 global life sciences companies, health care providers and health care insurance companies participated in the Deloitte study, The Time Is Now. Approximately half of the companies participating in the study are based in the United States. Among the potential problems cited by the respondents were outsourcing data management functions to third-party sources, internal breaches and internal threats, including third-party relationships, and protection from data leakage. Identity and access management was also recognized as a top priority.

"Based on the results of our study, the industry is not yet prepared to meet the risk management challenges as we head into a period of massive opportunity to maximize the value of data and the promise of new automation," Junaideen said. "This may be because the industry is behind in implementing important foundational technologies, such as identity and access management solutions, or reluctance to adequately fund the security functions. Bottom line: the industry needs to act aggressively to catch up."


Despite the fact that more than half of the respondents reported their information security budgets increased, the majority of increases were nominal, ranging from 1 to 15 percent. The companies also reported that information security budgets are not separate from the IT budget, and most IT budgets dedicated just 1 to 3 percent to information security.

"The problem with folding information security into the overall IT budget," said Junaideen, "is that security often falls to the bottom of the funding list. Priority is given to projects and infrastructure that are perceived as being more important to the business or contributing to revenue generation."

In what Deloitte describes as a glaring weakness for the industries, 43 percent of the companies do not have a CISO (chief information security officer). "This is a disturbing statistic," said Junaideen, "especially since a strong level of preparedness to meet current and future security and privacy requirements is a direct corollary to the existence of an appropriately positioned -- and empowered -- CISO."

Junaideen added that the respondents acknowledged that identity and access management is a top operational imperative and a core enabler of enterprise applications as access to information and data is a growing need. Moreover, with the full-scale adoption of electronic health record technologies -- particularly within healthcare providers -- and the use and reliance of third parties and vendors, the need will escalate and increase risk to consumer, patient and business information.

"The constant balancing act for organizations is providing convenient access for employees while maintaining strong access control to information," said Junaideen.