Size matters

One of the discussions you must always be prepared to have is that size does not matter when it comes to privacy and security issues.  Does size matter?  Not as much as most people think and not in the ways that most people think either.




In this episode:

Does size really matter?

Today’s Episode is brought to you by:

Kardon and HIPAA for MSPs / Security First IT

Where to meet us [3:15]

  • 4medapproved Healthcare Cybersecurity Officer Live Webinar Workshop – Sept 12, 13, 19, 20, 2018  Use GRINDLE20 to get a 20% discount.
  • Georgia Pediatric Practice Administrators, October 18

Next HIPAA Boot Camp

Live in Tucker, GA

October 25th and 26th

Want to be part of Help Me With HIPAA? Donate to the cause at

HMWH App now has more features.  You can now access a PDF with the show notes ready for your HIPAA training documentation!  Find it under the bonus feature in the app for both the Apple and Android versions.  It is a little gift box on the app bar.



Does size really matter?

There are countless articles trying to explain to small business owners how important cybersecurity programs are for their businesses.  Resources exist in more ways than you can count trying to encourage small businesses to embrace a culture of security, yet we still have a disconnect between the businesses and the resources.  Maybe it is just the head-in-the-sand approach or simple distrust of the messenger, but either way, the message isn’t reaching anywhere near the number of businesses that need to hear it.

Just because small businesses make assumptions doesn’t mean that larger enterprises have it covered cough… Equifax… cough…  There are often just as many disconnects between perception and reality in enterprises and many of them for the exact same reasons just a different basis for the ummm…  misunderstanding.

Small businesses tend to say things like:

  • We have it covered, right.
  • We are too small for them to go after us.
  • We don’t have anything they want.
  • We can just move to someone’s house and be fine until X gets fixed.
  • Requirements don’t apply to me because I am too small, poor, just getting started, etc.

Bigger businesses say things like:

  • We have it covered, right.
  • We spend X so that should cover it.
  • Requirements don’t apply to me because we have so much money, clout, charitable work, etc.
  • We only have to worry about checking off HIPAA, PCI, etc.
  • We are too big to control it all so things are just going to happen.

In reality, most of those statements are almost always wrong.  Size really doesn’t matter when it comes to the reasons and requirements for protecting valuable information.  Data is our most valuable resource these days and making assumptions is not helpful.  Your protections must be related to the attacks you are under and the failures your systems may have in keeping them from impacting your business.

The only difference between sizes is the amount of data you have on file.  If you reference our last episode, the cost per record can be significant no matter how many records you have on file.

It isn’t just the compliance program we are addressing here.  HIPAA and PCI may be the most common ones but it really doesn’t matter.  That 50/50 deal doesn’t care about industries.  Being in a business where you may get noticed as financial or healthcare only makes you more likely to be targeted and well…..  Remember, compliance isn’t security and security isn’t compliance.

Unless you are specifically targeted, you are equally likely to be hit by a malware, phishing, etc. attack.  Spray and pray does not discriminate.  In fact, every report I have seen over the last few years shows it is basically a 50/50 chance of being hit, since around 50% of the reported attacks are against small businesses.

If you are specifically targeted, look out, because they will get in; the only question is how far they get once they breach your defenses.  Reference our latest news about the electrical grid.  This stuff is serious and very dangerous.

There were hundreds of “victims” and they had enough access to actually throw switches in the core power utilities.

Michael Magrath, director of global regulations and standards at OneSpan Inc., said these electrical grid attacks, like other hacks “exploit the weakest link in the security chain — the people.” Magrath was also concerned about part of The Wall Street Journal report that claimed DHS was investigating if Russian hackers had ways to defeat multifactor authentication.

Guess what… the only difference between small and large businesses in that area is the number of people they have to worry about.  The larger businesses start using tools to manage their people and the smaller ones assume they don’t need them.

DHS claimed it has been warning utilities about potential attacks since 2014. Joseph Kucic, CSO at Cavirin, said via email the utilities “have failed to implement the necessary changes so DHS went public to embarrass the utilities into taking the needed actions (timing was on the DHS side with all the Russia media attention).”

The small EMCs are attacked just like the big guys.  Size doesn’t matter; when you are a target you have to be way better than the bad guys.  Remember, you have to be right every time and they only have to be right once.

The attackers began by using conventional tools — spear-phishing emails and watering-hole attacks, which trick victims into entering their passwords on spoofed websites — to compromise the corporate networks of suppliers, many of whom were smaller companies without big budgets for cybersecurity.

Once inside the vendor networks, they pivoted to their real focus: the utilities. It was a relatively easy process, in many cases, for them to steal credentials from vendors and gain direct access to utility networks.

No matter what the size of your organization or even the industry you need to be worried about cybersecurity today.  Do the basics which also happen to be part of HIPAA – go figure.

  1. Do a proper Risk Analysis with associated Risk Management plans.
  2. An anti-malware plan that covers all types of malware, not just an antivirus program.
  3. Patch management programs that make sure security patches are in place so known vulnerabilities can’t be used against you.
  4. Formal security policies like the written ones required under HIPAA will make certain that everyone understands what is expected and the proper way to act or react.
  5. Training, training, training on all of the things above and awareness of what to watch out for as things change.

I think we made it clear that size doesn’t matter when it comes to how you should approach privacy and security management.  Everyone can make mistakes no matter where they are accessing information.  Attacks happen no matter the size of the group where the data resides.

Please remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word.  As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care. TM