Life sciences and health care companies unprepared for IT security risks

Life sciences and healthcare companies are unprepared for IT security risks, with inadequate security budgets, lack of a strong reporting structure and increasingly sophisticated security threats posing the greatest challenge, according to a new report by business advisory firm Deloitte.

The firm’s 2009 Global Security Study found that when it comes to protecting valuable information, 44 per cent of companies were more concerned about the internal threat, compared to just 18 per cent who were worried about the threat from outside the organisation.

Inappropriate use of sensitive data and information leakage were seen to be the greatest threat, with 79 per cent of those surveyed citing human error as the top cause of information systems failure.

According to the report, the majority (77 per cent) of respondents outsource their data management functions to third-party sources; however, one in ten (nine per cent) do not review the security of their vendors and third parties before exchanging data with them. One fifth (22 per cent) do not require data to be encrypted in transit between vendors/third parties.

Stuart Henderson, life and health sciences partner at Deloitte in Cambridge, said: “The lifeblood of any health care or life sciences organisation is information, be it patient, intellectual property or financial. They have the challenge of how to protect their information while facing increasingly sophisticated security threats and increasing regulatory and legislative requirements — all against a backdrop of reduced spending, staff cuts and organisational changes.

“Based on the results of our study, the life sciences industry is not yet prepared to meet the risk management challenges to make the most of their valuable data. This may be because the industry is behind in implementing important technologies, such as identity and access management solutions, or reluctant to adequately fund their security functions. The bottom line is that the industry needs to act aggressively to catch up.”

Of the companies surveyed, half said their information security budgets had increased, most of them by between one and 15 per cent. However, the report found that information security budgets are not separated from IT budgets, which dedicate just one to three per cent to information security.

Mr Henderson said: “These findings reveal the increasing number of security issues faced by the sector on a day-to-day basis. Folding information security into the overall IT budget can often result in it falling to the bottom of the funding list with priority given to projects and infrastructure perceived as being more important to the business or contributing to revenue generation.

“In light of this, it is also worrying that 43 per cent of businesses do not have a Chief Information Security Officer (CISO), especially since a strong level of preparedness to meet current and future security and privacy requirements is a direct outcome of an appropriately positioned, and empowered, CISO. The constant balancing act for organisations is providing convenient access for employees while maintaining strong access control to information.”
