>I worked for a small medical company that had access to 20,000 PHI records
I can only imagine the data protection standards at small equipment manufacturers and old-school pharmacies. I'd guess their biggest security measure is keeping paper files in a locked office.
I think that might overall be a better strategy than a really half-assed digitization plan. Paper records aren't that high security, but they are moderately resistant to bulk theft: leaking 20,000 paper patient records takes a lot of physical effort.
A lot of companies of that size are offloading their EMR security to larger EMR cloud providers. While it helps to protect the smaller companies, and is more cost-effective than trying to manage it internally, I still wonder about the security of those records, given how most of those are a web login that most if not everybody on the Internet has access to.