Deloitte's "2009 Global Security Study for Life Sciences and Health Care" (PDF) found that life sciences companies, healthcare providers, and health insurance firms are ill-equipped to secure a new generation of electronic patient records and to handle other changes that President Obama's healthcare reform could bring.
Overall, more than 40 percent of the 100 companies surveyed for the report don't have a chief information security officer (CISO). More than 80 percent said they are equally or more concerned about inside versus outside threats to their data, while few have data leakage prevention controls in place.
"Based on the results of our study, the industry is not yet prepared to meet the risk management challenges as we head into a period of massive opportunity to maximize the value of data and the promise of new automation," said Amry Junaideen, health sciences and government leader for security and privacy at Deloitte. "This may be because the industry is behind in implementing important foundational technologies, such as identity and access management solutions, or reluctance to adequately fund the security functions. Bottom line: the industry needs to act aggressively to catch up."
Among healthcare organizations, 33 percent said their IT budgets allocate only 1 to 3 percent to data security, 19 percent said security makes up 4 to 6 percent, and 17 percent said security is more than 7 percent, while 31 percent don't know the breakdown.
Around 68 percent of healthcare organizations said they do not align security with their business initiatives. But 58 percent have increased security spending from year to year by 1 to 5 percent, with one-fourth of the healthcare firms upping their spending by 6 to 15 percent or more year to year.
And half of healthcare providers worry more about internal people causing security breaches than outside attackers (15 percent). Around 57 percent are "somewhat confident" that their data is safe from an inside attack, while 16 percent say they are "very" or "extremely" confident they're safe from an insider attack, according to the report.
"They have the challenge of how to protect their information while facing increasingly sophisticated security threats and increasing regulatory and legislative requirements -- all against a backdrop of reduced spending, staff cuts, and organizational changes," Deloitte's Junaideen said.