WASHINGTON, Sept. 15 (UPI) -- Most healthcare companies are investing in security because of legal requirements, not forward thinking, a new study says.
For healthcare, pharmaceutical, biotech and biomedical companies, legal and regulatory requirements as well as potential liability continue to be key drivers behind security investments, and much of this spending is still reactive, according to the Global State of Information Security study. The report was released Friday by PricewaterhouseCoopers, CIO magazine and CSO magazine.
While improving physician effectiveness and quality of life is a top priority for provider organizations -- prompting a rise in the use of laptops, personal digital assistants and remote access to patient records -- incidents involving the loss or theft of executive laptops and their stored data continue to occur, the report said.
Yet only 29 percent of pharmaceutical companies have security standards or procedures for handheld and portable devices, and 30 percent still do not classify data and information assets according to risk levels, according to the report.
Other key findings from the survey:
-- Only 34 percent of pharmaceutical companies keep an accurate inventory of all third parties using customer data, and 56 percent do not yet require third parties, including outsourcing vendors, to comply with their privacy policies.
-- Despite 54 percent of pharmaceutical respondents indicating current or former employees as the likely source of attack this year, 73 percent of pharmaceutical companies do not yet have an identity-management solution.
-- Eight in 10 U.S. healthcare organizations say business continuity and disaster recovery are the drivers of increased spending on information security and privacy.
-- Only 46 percent of pharmaceutical companies have an overall security strategy, and 73 percent do not integrate information-security safeguards with privacy and compliance plans.