Based on the many stories about data breaches reported by organizations in the healthcare industry, from hospitals to insurance companies and other third-party companies that deal with healthcare data, we could have guessed this is not even close to being a top sector when it comes to data security. A new report released by the Ponemon Institute now brings even further insight into the state of the healthcare industry, showing a spike in data breaches of over 30% and average annual costs of 6.5 billion US dollars.

The “2011 Benchmark Study on Patient Privacy and Data Security,” commissioned by IDExperts, idendified employee error to be one of the main cause for data breaches in hospitals and healthcare providers. These types of organizations in the healthcare industry suffered an average of four data breaches in the past year. Nearly 30 percent of healthcare companies said the breaches they suffered resulted in medical identity theft – an over 25 percent increase over 2010.

The jump is not entirely determined by a larger number of breaches happening in the past year compared to the previous one. It’s actually the effect of better detection capabilities by healthcare organizations, according to Larry Ponemon, chairman and founder of the Ponemon Institute.

“It was not too surprising that the rate of data loss increased … [But] we think that finding may not be as negative as it appears, and could be a discovery-rate increase with more control and governance practices and use of enabling technologies.”

The strong increase of mobile device usage in the healthcare segment is also a high-impact factor. About 80% use such devices to gather, transmit and store patient data, and a troubling 50% don’t secure their mobile devices. The help they provide in patient care is overshadowed by the major risks to data security the patients are exposed to.

Nearly half of the healthcare industry breached were caused by stolen or lost computing or data devices and another 46% were caused by errors by third-party providers. Moreover, the healthcare organizations are just unaware of where patient data is stored – 61% don’t really know where all their patient data is kept. If that’s not enough, over half of them aren’t sure they actually can detect incidents where patient data is exposed.

Hospitals don’t lack written policies when it comes to data breach reporting – about 80% have them. Too bad about 60% consider them ineffective.

A full copy of the report is available here for download.

A recently published study shows that database administrators don’t fully understand security. According to these fresh findings, database administrators and IT decision-makers in general admit to knowing very little about security issues like change control, patch management, auditing etc. This survey was conducted on 214 Sybase administrators belonging to the International Sybase User Group.

“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”

According to the report’s author, Unisphere Research analyst Joe McKendrick, the ISUG survey is the first released of a series of similar database security surveys being conducted across various database user groups, including those running other platforms such as Oracle and SQL Server.

“This [ISUG survey] pretty much follows the same script [as the survey responses in the other database environments,” McKendrick said. “It’s very consistent — with a very common theme across all of these different user groups and technology bases — that there is a disconnect between management and security.”

The biggest problem seems to be the understanding of change management and patch management, as 37of th% e respondents did not know how to correct unauthorised changes to the database or how long this would take.

Another 35% stated that they rarely apply security patches or did not know how frequently these patches were applied. Almost two thirds of database manipulation have no automated software for database setup or patching.

Surprisingly, almost 50% of the respondents do not believe they will experience security breaches in the next year.

These results are not at all surprising according to Rich Mogull the founder Securosis analysys firm.

“We still see very much a split between the database and security worlds — and not nearly the level of communication between the two of them that we’d like,” Mogull says.

Security experts strongly state organizations need to do a better job in increasing access to data assets for both DBAs and IT professionals.

“We need to ask ourselves, ‘Where are these pieces of classified information and bank account numbers and sensitive organizational data being stored in the databases? Can we identify all the databases they’re in?’” Hutton explains. “And then we can figure out how to create a control structure that prevents, detects, and responds to incidents against that database.”

Experts have also pointed out many organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16% of organizations perform regular database audits once a month. Another 32% either say they don’t know how often audits are performed or never perform them at all.

More and more employees chose to overlook data security policies put in place by the companies they work for and engage in activities that could easily lead to data breaches, according to the findings of a new Ponemon Institute survey. The risky activities include taking private records with them on unsecured storage devices, downloading personal software on company systems, turning off security settings and networking on social media sites.

Most members of a company’s staff copy classified data to USB drives or turn off security settings on their work laptops. Compared to the Institute’s 2007 findings, the numbers of those ignoring company policies has increased.

Here are some highlights of the survey findings, as presented by PC World:

• 69 percent of the 967 IT professionals surveyed copied confidential company data to USB sticks
• those who lost said USB sticks with confidential corporate data on them failed to report it immediately
• almost 31 percent of respondents engaged in social-networking practices on the Web from work PCs
• around 53 percent said they downloaded personal software on corporate PCs

Facial recognition is one of the very well known methods employed by biometric security systems. It’s used in different complicated security systems, but also on more day-to-day devices, such as laptops.

A group of white hat security researchers have recently managed to bypass the facial recognition systems employed by several laptops. According to the Register, the laptops that have had their biometric security breached are developed by Lenovo, Asus and Toshiba. The researchers’ team includes and they have also detailed their findings in a presentation called Your Face is NOT your Password during the Blackhat security conference in Washington.

You might wonder if it was hard to breach the facial recognition systems. The team responsible for this breaches used images of laptop owners or photoshopped images:

Nguyen and his team created a large number of images to run what they described a “fake face bruteforce” attack to fool the systems, which in fairness are still in their infancy, into allowing a log-on. The approach can be compared to trying out a huge number of possible text passwords until the right combination is stumbled upon as part of a conventional brute-force dictionary attack.

While trying to find a practical security use for biometric traits, the developers at Lenovo, Asus and Toshiba should reconsider the efficiency of their facial recognition software. We admire the fact that they lead research and implementation in the field, but we’d appreciate safer systems more

According to a  recent Ponemon Institute study, the costs of data breaches rose in the USA to $6.6 million per incident in 2008, although companies put increased efforts in better handling such incidents.

The study, funded by data security firm PGP Corp. and quoted by Security Focus, analyzed data breaches experienced by 43 US-based companies from 17 different industry sectors. The breaches involved a number of records ranging from about 4,200 to more than 113,000. The findings showed the average costs of data breaches are about 2.5 percent higher in 2008, amounting to $202 per record, up from $197 per record in 2007 and $182 per record in 2006. An average breach would require a company to spend $6.6 million in 2008, up from $6.3 million in 2007 and $4.7 million in 20006.

To calculate the total cost of a data breach, the institute added the costs of detecting and responding to the loss of data, legal and administrative expenses, customer defections and opportunity loss. The response costs decrease was a result of businesses learning how to cost effectively handle such incidents:

While legal fees and customer losses moved breach costs higher, companies reduced the costs of dealing with breaches, signaling that firms and their third-party providers are becoming more cost effective in responding to data breaches, the Ponemon Institute stated in the report.