NEW YORK, July 22 // -- Bolstered by the promise of the information age, coupled with billions of dollars in economic stimulus funding, life sciences and health care companies still may not meet lofty expectations of maximizing the value of data and automation efficiencies. That's one way to interpret the key findings of Deloitte's 2009 Global Security Study for Life Sciences and Health Care companies. Worse yet, inadequate security budgets, lack of a strong reporting structure and ever-increasing sophisticated security threats pose significant trouble to life sciences and health care companies, exacerbated by the challenging economy.
More than 100 global life sciences companies, health care providers and health care insurance companies, with approximately half of the companies based in the United States, participated in the Deloitte study, The Time Is Now. The overarching objective of the study is to help companies assess the state of information security within their organizations, make comparisons with similar organizations around the world and provide management with insights to help identify trends and make better and informed strategic decisions.
Respondents also cited outsourcing data management functions to third-party sources, internal breaches and internal threats, including third party relationships, and protection from data leakage as primary concern of their information and security programs. Identity and access management was also recognized as a top priority.
"The lifeblood of any health care or life sciences organization is information, be it patient, intellectual property or financial. But organizations are dealing with a lot right now. They have the challenge of how to protect their information while facing increasingly sophisticated security threats and increasing regulatory and legislative requirements -- all against a backdrop of reduced spending, staff cuts and organizational changes," said Amry Junaideen, Health Sciences & Government leader -- Security & Privacy, Deloitte.
"And based on the results of our study, the industry is not yet prepared to meet the risk management challenges as we head into a period of massive opportunity to maximize the value of data and the promise of new automation. This may be because the industry is behind in implementing important foundational technologies, such as identity and access management solutions, or reluctance to adequately fund the security functions. Bottom line: the industry needs to act aggressively to catch up," Junaideen added.
Despite more than 50 percent of respondents across sectors reporting their information security budgets increased, the majority of increases were in the low range of 1 to 15 percent. Moreover, respondents confirmed that information security budgets are not separate from the IT budget, and most IT budgets dedicated just 1 to 3 percent to information security.
"The problem with folding information security into the overall IT budget," said Junaideen, "is that security often falls to the bottom of the funding list. Priority is given to projects and infrastructure that are perceived as being more important to the business or contributing to revenue generation."
In examining areas such as governance, and in particular the information security function and the role of the Chief Information Security Officer (CISO), respondents revealed a glaring weakness. While the majority of respondents across all regions indicated they indeed have a CISO and this role is taking on greater significance with respect to planning, governance, administration, architecture and IT risk management, 43 percent of respondents do not have a CISO.
"This is a disturbing statistic," said Junaideen, "especially since a strong level of preparedness to meet current and future security and privacy requirements is a direct corollary to the existence of an appropriately positioned -- and empowered -- CISO."
Among other key findings of the study, respondents acknowledge that identity and access management is a top operational imperative and a core enabler of enterprise applications as access to information and data is a growing need. Also factored into this are productivity via flexible working environments and retaining top talent, and fixed costs savings via a reduced need for real estate assets.
With full-scale adoption of electronic health record technologies, particularly within healthcare providers, and the use and reliance of third parties and vendors, it will escalate and increase risk to consumer, patient and business information.
"The constant balancing act for organizations is providing convenient access for employees while maintaining strong access control to information," said Junaideen.
Data loss and information leakage (the movement of a data asset from an intended state to an unintended, inappropriate or unauthorized state) were also a great concern to respondents. The data could be patient names, phone numbers, addresses and lab results, among other items. Only a small percentage of respondents currently have data leakage protection technology fully deployed, compared to the majority of respondents that have firewalls and anti-virus technology.
"Most organizations have been relatively slow to embrace technologies that prevent data leakage because of traditional thinking," said Junaideen. "In the past, securing operating systems, networks, storage, communication channels and the hardware they ran on was enough. And that's no longer true."
The Deloitte 2009 Global Security Study for Life Sciences and Health Care companies is available free at http://www.deloitte.com/us/LSHCSecSurvey09" target="_new">www.deloitte.com/us/LSHCSecSurvey09. Please contact Daniel Mucisko at 212-492-2870 or email@example.com" target="_new">firstname.lastname@example.org or Marykate Reese at 203-708-4269 or email@example.com" target="_new">firstname.lastname@example.org to arrange an interview with Amry Junaideen.
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms. As used in this article Deloitte means Deloitte Touche Tohmatsu member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in 140 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's 165,000 professionals are committed to becoming the standard of excellence.