Data security is not rocket science, but it's one of those things that takes detailed focus to get the right technology, policy and procedures in place. And it seems that the stories about lost laptops with tens or hundreds of thousands of patient records are not just some fluke or exceptional occurrence.

Sadly, this report notes that organizations still ignoring HIPAA security requirements have risen from 38% in 2005 to 40% in 2006. There some good news in the report: enterprise focus has shifted from throwing technology at the problem to actually implementing policies and procedures to improve security - you know, like, "if you're going to take that laptop home, be sure to encrypt the data first."

You know your information security strategy is working when the
number of successful breaches is low, the amount in financial losses is
negligible and network downtime is kept to a minimum. Unfortunately, a
large percentage of security leaders worldwide have no idea if their
security plans are working because they don't know any of these numbers.

From 2003 to 2005, the percentage of survey respondents saying they
had fewer than 10 negative information security incidents in the past
year remained steady. But this year, we included the option to answer
that you do not know how many negative security incidents occurred.
This year, nearly one-third of respondents admitted that they do not
know how many breaches or unauthorized access events occurred within
their organizations.

To a certain extent, that's understandable. Attacks can be hard to
identify, and networks can be extensive. What's less comprehensible is
that a significant portion of respondents said they have not installed
some of the most rudimentary network safeguards. Only one-third of
respondents have put in place patch management tools or monitor user
activity. Less than half use intrusion detection software or monitor
log files (the two best methods organizations can employ to detect
breaches) and even fewer use intrusion prevention tools. Surprisingly,
more than 20 percent of respondents don't even have a network firewall.

There's lots of good marketing data in the story, and good benchmarking across Finance, Healthcare, Government and Education markets.