Archive for October, 2009

Healthy People Maybe, Healthy Laptops No!

October 9th, 2009

Three health trusts in the UK have had 30 data breaches in the past two years, according to reports. According to the BBC, Devon Primary Care Trust, Derriford Hospital, and Torbay Primary Care Trust have reported that they’ve had 30 breaches in total.

Yes, you read those numbers correctly – three organizations and thirty breaches.

The lost information included patient data which may have included NHS numbers, names, medical conditions, and other information, depending on the breach. The losses included laptop thefts and the theft or loss of memory sticks with sensitive data. In no case was any of the devices protected with hard drive encryption software, which could easily have prevented these incidents from becoming data breaches.

Rest Easy, They’ve Learned Their Security Lesson

According to the BBC, “all the health trusts which lost data said they had learned from the cases.” Of course, one has to ask why it took 30 breaches to create an environment that looked for solutions! But the claim is that now all data is stored on secure servers and all staff have been issued with encrypted memory sticks and associated training. Plus, each trust now has an official whose job is to make sure information is secure.

A Trust spokesman was unable to say exactly when the theft occurred and if patients were told at the time, but in a prepared statement pointed out that at least some of the laptops had password protection.   However, unlike encryption, password protection can be breached in many ways.

Hospital Laptop Safety

As our recent article Data Loss is the Other Guy’s Problem pointed out, hospitals are at high risk for data loss. Yet they remain slow to adapt and slow to realize that services like Alertsec with hard disk encryption are so affordable and easy to manage. I just did a Google search on “hospital data breaches” to quickly find reports like:

These losses tie to the fact that “Health care is a treasure trove of personally identifiable information,” says Don Jackson, a researcher at security consulting company Secure Works Inc. Most health-care organizations collect patients’ names, Social Security numbers and dates of birth. Plus they store payment information such as insurance and credit-card data. This is the holy grail for a thief in terms of financial opportunity.

It’s interesting to note that “a unit of hospital purchasing alliance Premier Inc. has begun offering insurance designed to protect members against the cost of data breaches”, which highlights why government regulation is so important. Unless the fines and implications are severe, this industry, which is accustomed to using insurance to alleviate risks, is likely to continue to be a data security black hole.

Losses from high-tech security breaches nearly double in 2009

October 5th, 2009

A new Canadian study from the Rotman School of Management reveals a major increase in annual losses related to Information Technology (IT) security breaches. According to this study, which surveyed more than 600 IT security professionals across the country, the costs associated with security breaches include:

  • IT security breaches cost the average Canadian organization an estimated $834,000 in 2009 – a 97 per cent increase from the $423,000 reported by the study last year.
  • Similarly, the average number of reported IT security breaches also increased 276 per cent to 11.3 per organization in 2009 – compared with an average of three in 2008.

While every type of organization incurred an increase in breach costs during 2009, the increases were different across sectors:

  • Government organizations more than tripled their average annual cost of breaches to $1,000,000 in 2009, up from $321,000 in 2008.
  • Private companies more than doubled their cost of breaches to $807,000 up from $294,000 in 2008.
  • Publicly traded companies reported a moderate increase of only six per cent year-over-year.

These alarming numbers bring with them a silver lining, as the increase in the number of reported cases could be attributed in part to higher detection levels due to compliance regulations. At the same time, it is a shame that IT departments are not adopting data encryption software like they should be. Even with increased reporting, proper use of tools like Alertsec could have led to a decrease in losses due to security breaches.

The study highlighted the value of IT investments in security: the top-performing respondents (those without breaches) spent at least 10 per cent of their IT expenditures on security, while the average security budget was seven per cent of the total IT spending. The study reports that Canadian organizations are finding it difficult to improve their security posture within the current economic climate – but the cost of ownership for hosted encryption services is a drop in the bucket compared with the millions that are spent on security.

With a 56-per-cent jump in occurrences of laptop or mobile hardware devices being stolen in Canada alone, encrypting files on laptops should be so obvious a solution! File encryption is not a new technology – it’s an established technology. However, too many organizations weigh security and convenience and land on the convenience side – not realizing how simple hosted encryption can be!