Cobrix Solutions

Managed IT & Cybersecurity FAQ

Expert answers for healthcare, legal, accounting, real estate, and construction businesses.

9 Expert Questions · 5 Industries Covered · 3 Compliance Frameworks · 24/7 SOC Monitoring
Industry
Healthcare IT
HIPAA compliance, ransomware defense, and PHI protection for medical practices and health systems.

HIPAA's Security Rule establishes enforceable technical safeguards that every covered entity must implement. Most small practices have heard of HIPAA but have never done the work to verify their IT environment actually satisfies it.

The rule requires unique user credentials for every workforce member. Shared logins are a HIPAA violation and a security liability regardless of how small your practice is. Role-based access controls must limit each employee to only the PHI they need for their specific job function. Your EHR, file servers, and email systems must generate audit logs tracking who accessed what patient data and when.

Any PHI transmitted over a network must be encrypted. Unencrypted email containing patient information is a violation even if no one intercepts it. Encryption at rest is required for stored PHI.

You also need a contingency plan in writing: a data backup plan, a disaster recovery plan, and an emergency mode operation procedure. HHS auditors will request these documents. Most small practices have none of them.

Most critically, HIPAA requires an annual Security Risk Analysis (SRA) documenting your threats, vulnerabilities, and control gaps. This is the single most-cited deficiency in HHS enforcement actions. Our healthcare IT services handle these requirements as part of your standard service agreement.

HIPAA Required · Annual SRA · Encryption Mandatory · Audit Logs

Healthcare practices face compounded consequences when ransomware hits. Most businesses lose access to files and face recovery costs. Healthcare practices face all of that, plus mandatory HIPAA breach notification to HHS, potential patient care disruptions, and exposure of protected health information to criminals who specifically target it.

Modern ransomware attacks use double extortion. Attackers infiltrate your network, exfiltrate PHI first, then encrypt your systems. Whether you pay or refuse, you almost certainly have a reportable breach under 45 CFR Part 164.400-414. The ransom payment does not satisfy your notification obligation.

The care disruption is unique to healthcare. When EHR systems go offline, staff revert to paper, medication errors increase, appointments are canceled, and revenue stops. The financial damage from a single ransomware incident commonly exceeds what a practice spends on IT in two to three years.

Prevention requires layered controls:

  • Endpoint detection and response (EDR) on every device
  • Network segmentation isolating your EHR from general internet traffic
  • Immutable offsite backups tested monthly
  • A written incident response plan naming your cyber insurance carrier, HIPAA attorney, and managed security provider

Our managed security services include all of these controls with healthcare-specific configuration.

Double Extortion · Breach Notification Required · EDR Protection · Immutable Backups
Industry
Accounting & CPA Firms
FTC Safeguards Rule compliance, tax season security, and client financial data protection.

The FTC Safeguards Rule, substantially updated in 2023, requires financial institutions — including CPA firms, tax preparers, and bookkeeping practices — to implement a comprehensive information security program protecting client financial data. This is an enforceable federal regulation, not an industry guideline.

The rule requires designating a qualified individual to oversee your information security program and report to firm leadership at least annually. You must conduct a written risk assessment identifying threats to client financial data, current controls in place, and documented gaps.

The 2023 amendments added specific mandates that many firms assumed were already covered:

  • Encryption of customer financial data at rest and in transit — now explicitly required
  • Multi-factor authentication (MFA) required for all systems containing client financial data
  • A patch management program keeping software and systems current
  • Access controls limiting data access to staff who need it for their specific role
  • A written incident response plan covering breach response, notification, and timeline
  • Vendor management: any third party with access to client data must be contractually required to maintain appropriate safeguards

Firms compliant under the original Safeguards Rule may not be under the 2023 version. See our IT services for accounting firms and our full breakdown of the FTC Safeguards Rule for accounting firms for implementation guidance on every requirement.

FTC Safeguards Rule · MFA Required · Written Risk Assessment · Vendor Management

Tax season creates a specific risk pattern for accounting firms. February through April 15 is when downtime is most catastrophic and, at the same time, when security mistakes are most likely to happen.

Staff works extended hours under deadline pressure. Phishing campaigns targeting accounting professionals spike during tax season — with convincing fake IRS notices, fraudulent client document requests, and spoofed software vendor alerts arriving when response time pressure is highest.

Track 1 — Technical Readiness (before January 1):

  • All systems fully patched
  • Backup systems verified and tested
  • MFA confirmed on every account, including tax software portals
  • Secure remote access configured for extended-hours staff

Track 2 — Incident Readiness:

  • Explicit escalation procedures for your season window
  • After-hours coverage confirmed — a four-hour SLA acceptable in August is not acceptable on April 14
  • Your provider should know your calendar before the season, not during it

Our managed IT services include proactive season preparation and documented SLAs that hold up when stakes are highest.

Tax Season Prep · Phishing Risk Spike · After-Hours SLA · Patch Before January
Industry
Real Estate
Wire fraud prevention, email compromise defense, and transaction security for brokerages and agents.

Real estate wire fraud is one of the fastest-growing financial crimes targeting small businesses. Attackers compromise the email account of an agent, title company, or closing attorney, monitor the inbox for weeks, then send fraudulent wire transfer instructions to buyers just before closing. The FBI's Internet Crime Complaint Center reports wire fraud losses in real estate transactions reach hundreds of millions annually. Recovery is rare once funds leave a domestic account.

The attack begins with a compromised email account through a phishing link or a reused password. The attacker reads email silently for days or weeks, learning names, transaction timelines, and communication patterns. When closing approaches, they send fake wire instructions from a spoofed address that differs from the real one by a single character.

Prevention requires layered controls:

  • Advanced email security that detects display name spoofing and look-alike domains — standard spam filters do not catch these targeted attacks
  • MFA on every agent email account — a stolen password alone cannot compromise an MFA-protected account
  • A written wire verification policy requiring verbal confirmation via a pre-established phone number before any transfer is made
  • Security awareness training for all agents and staff

The verbal verification policy is the single highest-ROI control available. It stops most wire fraud attempts and costs nothing to implement beyond a written procedure. See our IT services for real estate and our full guide to wire fraud prevention for real estate brokerages.
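As an added illustration of the look-alike domain and display-name spoofing described above (example code written for this page, not Cobrix's tooling), the check below screens an inbound sender against the known parties to a transaction. The party names, domains, and the one-character edit threshold are constructed assumptions.

```python
# Added example (not Cobrix's code): flag senders whose domain is a look-alike of
# a trusted party's domain, or whose display name borrows a trusted party's name
# while the address comes from somewhere else. All names/domains are constructed.
import re

# Constructed allowlist: the parties to one closing and their real domains.
TRUSTED_PARTIES = {
    "sunrise title": "sunrisetitle.example",
    "jane agent": "bluekeyrealty.example",
}


def normalize(domain: str) -> str:
    """Fold characters that look alike so visual twins compare equal."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(display_name: str, address: str) -> str:
    """Return 'trusted', 'lookalike-domain', 'display-name-spoof', 'external' or 'malformed'."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip().lower())
    if not m:
        return "malformed"
    domain = m.group(1)
    trusted_domains = set(TRUSTED_PARTIES.values())
    if domain in trusted_domains:
        return "trusted"
    for real in trusted_domains:
        # Same after confusable folding, or one edit away: a look-alike domain.
        if normalize(domain) == normalize(real) or edit_distance(domain, real) <= 1:
            return "lookalike-domain"
    # A known party's name in the display name, but from an untrusted domain.
    if any(name in display_name.lower() for name in TRUSTED_PARTIES):
        return "display-name-spoof"
    return "external"


if __name__ == "__main__":
    print(classify_sender("Sunrise Title", "closing@sunrisetit1e.example"))
```

Any result other than "trusted" is the trigger for the verbal verification step the policy above requires, not a reason to reply to the message.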

Wire Fraud Prevention · Business Email Compromise · Verbal Verification Policy · MFA on All Email
Industry
Construction
Ransomware defense, field device security, and subcontractor access control for construction firms.

Construction was considered low-priority by cybercriminals for years. That changed as the industry digitized. Project management platforms, BIM files, bid documents, subcontractor contracts, and financial systems now sit on connected networks often protected by consumer-grade security that has not kept pace with the threat landscape.

Why construction is now a primary target:

  • Project data including proprietary designs, bid pricing, and financial terms has direct competitive value
  • Tight margins mean even short downtime creates contractual penalties, cascading schedule delays, and subcontractor conflicts that multiply the financial damage
  • The operational footprint — field teams, mobile devices, subcontractor access, remote job sites — creates significantly more attack surface than a typical office environment
  • Mid-size firms are large enough to have money but often lack enterprise-grade security

Most effective controls for construction firms:

  • EDR on all devices including field laptops and tablets
  • MFA on all accounts and project management platforms
  • Network segmentation limiting subcontractor access to only what they need
  • Tested backups stored off-site and off-network
  • An incident response plan covering what happens when systems go down at an active job site

Our IT services for construction and manufacturing are built around this operational profile. See also our guide on managed IT for construction companies.

Double Extortion · Subcontractor Access Controls · EDR on Field Devices · Tested Off-Site Backups
General
IT Management & Managed Services
Understanding MSPs, what to ask before you sign, and how to evaluate any IT or security provider.

Break-fix IT is reactive by design. Something breaks, you call someone, they fix it, you pay per incident. The incentive is fundamentally misaligned: the more things break, the more the provider earns. There is no financial motivation to prevent problems, maintain documentation, or care about your environment between calls.

Managed IT is proactive. A managed service provider (MSP) monitors your systems continuously, applies patches before vulnerabilities are exploited, detects hardware failure before it causes downtime, and maintains your infrastructure in a documented, known state. You pay a flat monthly fee regardless of issue volume. The MSP's incentive aligns with yours: fewer problems means less labor cost for them.

The difference compounds over time. Break-fix environments accumulate technical debt: outdated systems, inconsistent configurations, unpatched vulnerabilities, and no documentation. When something serious goes wrong, there is no baseline to restore to.

For regulated industries, this distinction becomes a compliance issue. Break-fix IT cannot produce the documentation that HIPAA, FTC Safeguards, and ABA ethics require. Managed IT generates compliance documentation as a byproduct of normal operations: patch logs, access audit trails, backup test records, and risk assessment documentation.

A quick test: ask your current IT provider for last month's patch compliance report and your endpoint protection coverage percentage. If they cannot produce both within 24 hours, you are paying for break-fix under a different label. See what Cobrix Managed IT includes.

Proactive vs Reactive · Flat-Rate Model · Compliance Documentation · Aligned Incentives

Most businesses evaluate MSPs on responsiveness and price. Neither predicts whether your environment will be secure, compliant, or reliably available over time. Here is what to ask instead.

1. SLAs with real commitments
Ask for their service level agreement and read the remedies section. What response times are guaranteed for critical outages? What happens when they miss those commitments? An MSP confident in their performance backs their SLAs with contractual language.

2. Security stack specifics
"We handle security" is not an answer. Ask exactly what endpoint protection tool is deployed on client machines. Is it a managed EDR solution with 24/7 SOC monitoring, or consumer antivirus that emails you alerts? Ask whether they operate their own security operations center or resell someone else's.

3. Industry-specific experience and references
Healthcare, legal, and accounting have compliance requirements a generalist IT provider may not satisfy. Ask whether they currently serve clients in your industry, ask for references by name, and call those references. Ask which security framework they align to; NIST CSF 2.0 or CIS Controls is a reasonable baseline. See our full guide on how to choose a managed IT provider for the complete evaluation framework.

4. Onboarding process
A serious provider starts with a full environment audit before deploying any tools. Skip this step and you do not know what you are securing.

5. Escalation path
Know who handles your account day to day and who gets called at 2am for a critical outage. Get both names in writing before you sign.

Ready to put these questions to us? Contact our team or book a free assessment.

Read the SLA · EDR + SOC Required · Verify References · Full Environment Audit
