Information Security in Healthcare and Life Sciences Is Facing a Tipping Point

Deloitte Touche Tohmatsu’s (DTT) Member Firm Security and Privacy Services practices, and DTT’s Life Sciences and Health Care Industry group, have completed a benchmarking survey of information security practices worldwide among life sciences manufacturers, healthcare providers and payor organizations: The Time is Now: 2009 Life Sciences and Health Care Security Study.”*

For organizations in the United States, the billions being invested by the federal government in the healthcare industry as part of the recent economic stimulus will have huge ramifications. There is the promise of great improvements in the quality and availability of useful information coupled with efficiency gains. On the other hand, there is increased responsibility to protect this information and a commensurate level of risk for not doing so. Whether it is the broader purview of the Health Insurance Portability and Accountability Act (HIPAA), the widespread adoption and use of electronic health record (EHR) technologies under the HITECH ACT of the American Recovery and Reinvestment Act (ARRA), or the implementation of electronic exchanges for health, there will be significant pressure on organizations to meet these challenges.

Based on the answers provided by study respondents, some of the key findings of the 2009 study include:

• The priority concern of data loss and information leakage, especially of protected patient information among healthcare providers, and clinical data among life science manufacturers.
• The trend toward outsourcing and third-party information security, and ensuring that data and privacy are protected at these third parties.
• Budgeting for information security is failing to keep pace with heightened security requirements.
• The role of the Chief Information Security Officer (CISO)—whether the role exists, and to whom the CISO reports.

According to the survey respondents, security regulatory compliance is the top organizational initiative for the life sciences sector, security infrastructure improvements and identity and access management are the top operational initiatives, and data leakage protection is the top threat-based initiative. Respondents also indicated that top expenditures for the life sciences sector are infrastructure protection, desktop and gateway anti-virus, and security consultants.

When it comes to barriers to information security, life sciences was the only sector in the study where respondents felt that the increasing sophistication of threats was as great a factor as budget constraints and lack of resources, and this is understandable. The study also indicates that Biotech and pharmaceutical companies face greater security risks than the other two sectors, given the tremendous value of their intellectual property and the amount of clinical trial information that they generate, as well as the risks associated with data sharing necessitated by partnerships and alliances.

CISO role

For those organizations that have a Chief Information Security Officer (CISO), the stature of that individual is dependent upon the sophistication of the organization’s risk management program and the reporting relationship of the CISO. Study findings indicate that the role of the CISO has taken on a greater significance and visibility in that the scope of the position is now more heavily weighted toward a C-suite focus on security (planning, governance, administration, architecture and IT Risk Management).

Approximately 44% of respondent’s organizations in the life sciences sector do not have a CISO. This is a major detriment to the profile of the security function, given that part of the CISO’s role is to make senior management aware of increasing risks to the organization and the importance of an adequate security budget to combat them.

The industry is heading into a period of massive opportunity as it seeks to maximize the value of data and the promise of new automation. However, the study seems to indicate that the industry is not yet prepared to meet the challenges of managing the risk as this opportunity emerges. Whether this is because the industry is behind in implementing important foundational technologies, such as identity and access management solutions, or because there is a reluctance to adequately fund the security functions to meet the ever-increasing volume and sophistication of threats, the reality remains that the industry must now act aggressively to catch up.

ABOUT THE AUTHORS

> Amry Junaideen is Health Sciences & Government Leader — Security & Privacy, for Deloitte & Touche LLP, United States. Ted DeZabala is National Managing Partner – Security & Privacy, Deloitte & Touche LLP, United States.

*The time is Now: 2009 Life Sciences and Health Care Security Study is available at deloitte.com.