
>I worked for a small medical company that had access to 20,000 PHI records, and I was explicitly told, "why would anyone want to hack us, we are small potatoes."

I don't think we proactively pentest our stuff either. I've never heard of any security discussions but that may just mean I'm not being included. We have a few more zeroes after our PHI record count too.



I can't even imagine a healthcare company acceding to a proactive pentest. Even if it was compared to a vaccination or a routine health check, they still wouldn't do it. The gaping holes in security that would be uncovered. Unreal. No way in HIPAA hell. lolwut, find problems that exist in our current system? Our system is fine. It's not broken, so don't break it.



