I agree about lack of basic security, and that's the reason we have security compliance programs. Security Awareness Training, classification of health records as sensitive, and properly segmenting those sensitive health records from the rest of the environment are all appropriate controls that security compliance prescribes. It took me 6 months to decipher PCI and 3 months to implement. To others, compliance may seem like a joke, but I felt very confident that at least I had done 100% my due diligence in protecting our customers and employees. I think that's all they can ask and all we can give, 100% honest due diligence.