Health Care Unprepared to Secure Digital Health Records

A new report on the state of security within health care shows that
these organizations are unprepared to meet the increased risks to their
information in the wake of coming requirements by the federal
government to push adoption of digital patient records.

Released last week, the 2009 Global Security Study for Life Sciences
and Health Care from Deloitte found that these organizations lag far
behind other vertical when it comes to security practices.

“Many of them may not have reached the level of maturity that is
considered acceptable,” Amry Junaideen, Deloitte’s global life sciences
leader within the security and privacy services division, told Channel
Insider.

In a survey of more than 100 companies, Deloitte found that most of
these organizations only dedicate 1 to 3 percent of their IT budgets to
security and that 43 percent of these organizations lack a Chief
Information Security Officer.

As the Obama administration continues to push forward plans to
implement a centralized digital medical record system by 2014, health
care organizations are going to have to adjust their security
strategies in three key areas in order to properly protect such a
system, Junaideen says.

The first is governance and personnel awareness training. The second is
developing a risk management framework to prioritize security
activities. And the third is layering the right processes and
technologies around the governance and risk management frameworks.

Of the three, Junaideen believes risk management to be the most critical.

“Every organization needs to take a risk-oriented view of their
environment,” he says. “Especially organizations that don’t have the
resources to do what they absolutely have to do. What they must do is
ensure they are spending their limited resources on only the right
kinds of things.”

Junaideen says that value added resellers with security solutions have
a good opportunity to profit from what has traditionally been known as
a tricky market to sell to if they approach it in the right way.

“What they can do for those kind of organizations is to provide
cost-effective, package type solutions that do not require all of the
infrastructure and resources and the sophistication that will be
required if an organization is trying to do something in house
internally on their own,” he says. “If they go in with a solution or a
process or a  framework that really will require as much
commitment from the organization that they are trying to provide the
service to, I think that the whole process breaks down.”