A new report on the state of security within health care shows that these organizations are unprepared to meet the increased risks to their information in the wake of coming requirements by the federal government to push adoption of digital patient records.

Released last week, the 2009 Global Security Study for Life Sciences and Health Care from Deloitte found that these organizations lag far behind other vertical when it comes to security practices.

“Many of them may not have reached the level of maturity that is considered acceptable,” Amry Junaideen, Deloitte’s global life sciences leader within the security and privacy services division, told Channel Insider.

In a survey of more than 100 companies, Deloitte found that most of these organizations only dedicate 1 to 3 percent of their IT budgets to security and that 43 percent of these organizations lack a Chief Information Security Officer.

As the Obama administration continues to push forward plans to implement a centralized digital medical record system by 2014, health care organizations are going to have to adjust their security strategies in three key areas in order to properly protect such a system, Junaideen says.

The first is governance and personnel awareness training. The second is developing a risk management framework to prioritize security activities. And the third is layering the right processes and technologies around the governance and risk management frameworks.

Of the three, Junaideen believes risk management to be the most critical.
“Every organization needs to take a risk-oriented view of their environment,” he says. “Especially organizations that don’t have the resources to do what they absolutely have to do. What they must do is ensure they are spending their limited resources on only the right kinds of things.”

Junaideen says that value added resellers with security solutions have a good opportunity to profit from what has traditionally been known as a tricky market to sell to if they approach it in the right way.

“What they can do for those kind of organizations is to provide cost-effective, package type solutions that do not require all of the infrastructure and resources and the sophistication that will be required if an organization is trying to do something in house internally on their own,” he says. “If they go in with a solution or a process or a  framework that really will require as much commitment from the organization that they are trying to provide the service to, I think that the whole process breaks down.”