Security in healthcare sector needs to improve, says report

According to a global study, the highly valuable intellectual property found in healthcare and life sciences companies may not be properly protected.

A global study of 100 large healthcare and life sciences companies has exposed major security vulnerabilities that could leave them open to data theft and fines for failing to comply with regulations. Despite most of the companies having annual revenues of more than $1 billion, responses revealed that security in healthcare and life sciences organisations was hampered by limited budgets and lack of resources.

The study was carried out by management consultants Deloitte & Touche LLP, and researchers questioned companies from all parts of the world. According to the analysis, many of the companies' approaches to security had failed to keep pace with changing business practices, possibly exposing the organisations to data leakage from internal staff and business partners.

The respondents were drawn from three main sectors: life sciences (biotechnology and pharmaceutical), healthcare providers and healthcare payers.

In the life sciences sector, 44% of the surveyed companies did not have a chief information security officer, or CISO, in place to oversee an organisation's security posture. Among healthcare payers, the figure was even higher, at 57%.

As the report points out: "Biotech and pharmaceutical companies face greater security risks than the other two sectors, given the tremendous value of their intellectual property and the amount of clinical trial information that they generate, as well as the risks associated with data sharing necessitated by partnerships and alliances."

But all three sectors are saddled with what the report authors describe as "traditional thinking," which reflects a time when systems were more self-contained and easier to protect. Although the companies have embraced outsourcing and greater data sharing with third parties, their security posture has failed to reflect those changes.

"Based on the results of our study, the life sciences industry is not yet prepared to meet the risk management challenges to make the most of their valuable data," said Mike Maddison, U.K. head of Deloitte's security practice, in a written statement. "This may be because the industry is behind in implementing important technologies, such as identity and access management solutions, or reluctant to adequately fund their security functions. The bottom line is that the industry needs to act aggressively to catch up."

The report notes that, while only a small percentage of companies currently have data leakage prevention technology in place, most said they will deploy it over the next 12 months. This sudden rush, it claims, indicates a reactive approach and appears to be a result of some high-profile data breaches, particularly in the U.S.

According to the report, as the business and regulatory environment of the industry evolves, the CISO needs to take on a more strategic role. In 43% of the companies that had a CISO, that person reported to the chief information officer, or CIO. In this kind of relationship, the CISO tends to be responsible for technology, but has less influence over the way information is managed. The authors of the report describe the discovery as "a disturbing statistic, since a strong level of preparedness to meet current and future security and privacy requirements is a direct corollary to the existence of an appropriately positioned and empowered CISO."
