Cybersecurity risk assessments are the cornerstone of cybersecurity preparedness. They help organizations uncover cybersecurity threats and reduce the risk of a data breach. The breach or theft of proprietary technologies can cause irreparable reputational harm and financial loss, and can significantly disrupt operations. Health care, technology, and financial services companies should routinely assess their cybersecurity and data privacy risks in connection with their data collections and platforms.
Cybersecurity risk assessments make good business sense and are typically required by law. For example, organizations covered by the Gramm Leach Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and/or the European Union’s General Data Protection Regulation need to conduct risk assessments. Many state laws also require that organizations managing personal data perform cybersecurity risk assessments.
Epstein Becker Green’s Data Privacy, Cybersecurity, and Data Asset Management Group, with its industry-leading, credentialed privacy and cybersecurity attorneys who blend their top-notch privacy proficiency with cybersecurity experience, regularly assists clients across a broad range of industries, including financial service firms, law firms, health care providers, and technology companies, in assessing their cybersecurity threats and risks.
In addition, Epstein Becker Green is a law firm distinguished in the field of information security, having been designated as a Common Security Framework (CSF) Assessor Organization by the Health Information Trust (HITRUST). As a HITRUST Assessor, Epstein Becker Green is able to leverage the HITRUST methodology to conduct robust security risk assessments and help health care clients achieve HITRUST CSF certification, which can be used as evidence of compliance with both HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Our Data Privacy, Cybersecurity, and Data Asset Management Group is made up of attorneys with a diverse spectrum of certifications and qualifications, including:
- Certified CSF Practitioners by HITRUST
- Certified Information Systems Security Professionals (CISSP) by the International Information Systems Security Certification Consortium (see www.isc2.org)
- Certified Professionals in Healthcare Information and Management Services (CPHIMS) by the Healthcare Information and Management Systems Society (HIMSS)
- Certified Ethical Hackers (CEH) by EC-Council
- Certified Information Privacy Professionals by the International Association of Privacy Professionals (IAPP)
Team members have served in high-level cybersecurity and data privacy positions with the Centers for Medicare & Medicaid Services and the National Security Agency, and as Chief Information Security and Compliance Officers in health care and private organizations.
Our attorneys are committed to protecting our clients, who are under constant cyber threat from hackers, employees, and other malicious actors. Our attorneys are thought leaders in anticipating cyberattacks and designing effective strategies to combat and respond to these threats. We partner with our clients to protect all their sensitive data, including personal data, proprietary data, emerging technologies, and trade secrets. We are well experienced in translating regulatory standards requiring reasonable and effective cybersecurity measures into practical solutions and programs consistent with risk and operational needs.
Our cybersecurity risk assessments are designed to analyze how clients collect, use, and protect the personal and business information of employees, clients, customers, patients, and vendors. We help clients uncover cybersecurity weaknesses in order to mitigate risks in a practical and legally compliant manner. In addition, our cybersecurity risk assessments are protected by the attorney-client privilege to the fullest extent permitted by law.
Specifically, our cybersecurity risk assessment follows these eight steps:
- Determine client data and the network safeguards.
- Review data privacy policies and information practices.
- Draft and revise policies, procedures, and training materials to meet legal and compliance standards.
- Assess the effectiveness of internal auditing procedures, risk reporting, and enforcement activities.
- Conduct contractual and vendor due diligence and management.
- Pinpoint weaknesses and compliance gaps that may lead to legal and strategic risks, and recommend compliance requirements and strategies to better protect the client’s data, networks, and systems.
- Conduct formalized insider threat risk assessments, and develop insider threat programs.
- Conduct workforce security training.
HIPAA Risk Assessments
The HIPAA Security Rule requires all HIPAA-covered entities and business associates to conduct a risk assessment to determine where their protected health information (PHI) could be at risk. Our Data Privacy, Cybersecurity, and Data Asset Management Group provides effective and practical counseling relating to HIPAA risk assessments and guides health care clients through formalized and well-documented risk analyses, as required by HIPAA.
Our team is distinguished by its depth, judgment, and technical experience. We draw on our deep bench with the goal of putting our clients in a defensible cybersecurity posture from a compliance and practical perspective.
We assist clients in identifying threats, assessing the risks to their systems and PHI, and implementing effective strategies to manage risks in a prioritized manner. And our risk analyses are protected by the attorney-client privilege to the fullest extent permitted by law.
Specifically, in the course of our risk analysis, we:
- provide “on the ground” advice after interviewing relevant stakeholders and evaluating information systems;
- conduct robust and well-documented assessments of administrative, physical, and technical safeguards around PHI;
- identify gaps in cybersecurity programs;
- recommend risk mitigation strategies and techniques consistent with operational goals and regulatory requirements; and
- develop effective information security programs that provide a defense in depth.
After the risk analysis is completed, we remain by our clients’ side to guide them to improve their cybersecurity over time.