Don't Judge a Business by its Size

I am on a bit of a kick lately since I was told by a vendor that size equals security. I can tell you that large healthcare companies are not necessarily secure. Having $1 billion or more in sales means absolutely nothing for protecting information. I won’t embarrass them by naming names, but here are the facts. They do not send secure email unless they are forced to by law, not because they care about you. Even when forced to, they only bother a small percentage of the time, banking that they won’t get caught. Employees are not trained on handling patient information. They were recently fined $1 million for improper disposal of information.

I can also tell you firsthand that a small company involved in healthcare with only 10 employees has not only purchased all the right products but also has the policy and procedures to ensure their clients are safe. If you conduct business with these guys, you will exchange information securely every time. And it is in the employees’ culture to maintain security. Our help desk gets email from any of the employees that have questions; we can tell they are following procedure. They truly are rock stars when protecting PHI. They read the regulations and act proactively to protect information.

Which example would you fall into?