Cybersecurity risk assessments are the cornerstone of cybersecurity preparedness. They help organizations uncover cybersecurity threats and reduce the chance of a data breach.

The breach or theft of proprietary technologies can cause irreparable reputational harm, legal liability, financial loss, and significant disruption of operations. Therefore, health care, technology, and financial services companies should routinely assess their cybersecurity and data privacy risks in connection with their data collections and platforms.

Cybersecurity risk assessments make good business sense and are typically required by law. For example, organizations covered by the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and/or the European Union’s General Data Protection Regulation need to conduct risk assessments. Many state laws also require organizations managing personal data to perform cybersecurity risk assessments.

Epstein Becker Green’s Data Privacy, Cybersecurity & Data Asset Management Group, with its industry-leading, credentialed privacy and cybersecurity attorneys who blend their top-notch privacy know-how with cybersecurity experience, regularly assists clients across a broad range of industries, including financial service firms, law firms, health care providers, and technology companies, in assessing their cybersecurity threats and risks.

Who We Are

Our Data Privacy, Cybersecurity & Data Asset Management Group is made up of attorneys with a diverse spectrum of certifications and qualifications, including:

  • Certified CSF Practitioners by HITRUST
  • Certified Information Systems Security Professionals (CISSP) by the International Information Systems Security Certification Consortium (see www.isc2.org)
  • Certified Professionals in Healthcare Information and Management Services (CPHIMS) by the Healthcare Information and Management Systems Society (HIMSS)
  • Certified Ethical Hacker (CEH) by EC-Council
  • Certified Information Privacy Professionals by the International Association of Privacy Professionals (IAPP)

Team members have served in high-level cybersecurity and data privacy positions with the Centers for Medicare & Medicaid Services and as Chief Information Security and Compliance Officers in health care and private organizations.

Our attorneys are committed to protecting our clients, who are under constant cyber threat from hackers, employees, and other malicious actors. Our attorneys are thought leaders in anticipating cyberattacks and designing effective strategies to combat and respond to these threats. We partner with our clients to protect all their sensitive data, including personal data, proprietary data, emerging technologies, and trade secrets. We are experienced in translating regulatory standards requiring reasonable and effective cybersecurity measures into practical solutions and programs consistent with risk and operational needs.

Our Services

Our cybersecurity risk assessments are designed to analyze how clients collect, use, and protect the personal and business information of employees, clients, customers, patients, and vendors. We help clients uncover cybersecurity weaknesses to mitigate risks in a practical and legally compliant manner. In addition, our cybersecurity risk assessments are protected by the attorney-client privilege to the fullest extent permitted by law.

Specifically, our cybersecurity risk assessment follows these eight steps:

  1. Determine client data and the network safeguards
  2. Review data privacy policies and information practices
  3. Draft and revise policies, procedures, and training materials to meet legal and compliance standards
  4. Assess the effectiveness of internal auditing procedures, risk reporting, and enforcement activities
  5. Conduct contractual and vendor due diligence and management
  6. Pinpoint weaknesses and compliance gaps that may lead to legal and strategic risks, and recommend compliance requirements and strategies to better protect the client’s data, networks, and systems
  7. Conduct formalized insider threat risk assessments, and develop insider threat programs
  8. Conduct workforce security training

HIPAA Risk Assessments

The HIPAA Security Rule requires all HIPAA-covered entities and business associates to conduct a risk assessment to determine where their protected health information (PHI) could be at risk. Our Data Privacy, Cybersecurity & Data Asset Management Group provides effective and practical counseling relating to HIPAA risk assessments and guides health care clients through formalized and well-documented risk analyses, as required by HIPAA.

Our team is distinguished by its depth, judgment, and technical experience. We draw on our deep bench to put our clients in a defensible cybersecurity posture from a compliance and practical perspective.

Our Services

We assist clients in identifying threats, assessing the risks to their systems and PHI, and implementing effective strategies to manage risks in a prioritized manner. In addition, our risk analyses are protected by the attorney-client privilege to the fullest extent permitted by law.

Specifically, in the course of our risk analysis, we:

  • provide “on the ground” advice after interviewing relevant stakeholders and evaluating information systems;
  • conduct robust and well-documented assessments of administrative, physical, and technical safeguards around PHI;
  • identify gaps in cybersecurity programs;
  • recommend risk mitigation strategies and techniques consistent with operational goals and regulatory requirements; and
  • develop effective information security programs that provide an in-depth defense.

After the risk analysis is completed, we remain by our clients’ side to guide them in improving their cybersecurity over time.
