A Caution Flag for the Electronic-Medical Records Bandwagon

There has been a buzz about healthcare information technology (HIT) building for several years, and it got even louder after $18 billion for HIT was allocated in the American Recovery and Reinvestment Act passed in February (Pharmaceutical Commerce, March, p. 26). Adding even more buzz has been the ongoing debate over healthcare reform, with various proponents of healthcare efficiency or waste reduction pointing to HIT as being a key enabler.

An annual survey of healthcare industry information-security policies from Deloitte doesn’t exactly throw cold water on all this, but it does raise some important cautionary warnings. The IT networks that operate today connecting life sciences manufacturers, healthcare providers and payers to each other have not been built with strong security from the outset. Despite such rules as the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA), patient data are poorly secured, especially when organizations hire third parties for data or program management. Ironically, the part of the healthcare system with the most to lose—insurers and payers—have the least well-developed security systems.

“The industry is heading into a period of massive opportunity as it seeks to maximize the value of data and the promise of new automation. But it is our view that the industry is not yet prepared to meet the challenges of managing the risk as this opportunity emerges,” say the study authors, Amry Junaideen and Ted DeZabala.

The Rise of the Chief Information Security Officer

Called “The Time is Now: 2009 Life Sciences and Health Care Security Study,” the report benchmarks industry practices worldwide, and includes life sciences manufacturers, healthcare providers and insurers.

Most organizations have approached information security from a hardware perspective—having secured data centers, limited access to information networks and organizational policies to manage security. But the data-theft business has become much more sophisticated, with network intrusions, malicious attacks or simple “data leakage” becoming a growing problem. Information-security specialists and hackers are in an arms race, with new technologies for access control or identity management arising as new threats emerge. The challenge to health organizations of all stripes is how well they can keep up with the arms race.

For life sciences specifically, the leading challenge is lack of budget and resources, followed by an even split between the increasing sophistication of threats, and the emerging technologies for communications (such as peer-to-peer network and the host of new “social media” technologies—see figure).

The Deloitte survey found that 50% of life sciences companies worldwide have a chief information security officer (CISO)—which sits squarely between healthcare providers (71% has a CISO) and payers (43%). In many organizations, the CISO reports to the CIO—which can set up a conflict between investing in new IT and investing in IT security. At “the most evolved” organizations, says Deloitte, the CISO reports to a Chief Risk Officer. PC