Two Federal Laws, One Message: Get Your Cybersecurity Together
The Walls Are Closing In on Cybersecurity — And That's Actually Good News for Your Business
By Matt, DirectLine-IT Wayfinder Technology Partners
March 2026
I'm going to tell you something that might make you uncomfortable for about five minutes. But by the end of this, I think you'll actually feel better about where things are heading. Stick with me.
If you run a dental practice, a bookkeeping firm, a tax preparation office, a financial advisory practice, or really any small business that touches other people's money or health information — there are two things happening in Washington right now that you need to know about. Not because I want to sell you something. Because I don't want you to be blindsided.
Two Trains, Same Track
Here's what's converging right now at the federal level:
Train #1: The HIPAA Security Rule Update. The Office for Civil Rights — that's the agency that enforces HIPAA — proposed a major update to the Security Rule. It would turn a lot of things that are currently "addressable" (which most people read as "optional") into hard requirements. Multi-factor authentication. Encryption. Regular security audits. Documented incident response plans. Not suggestions. Requirements.
Train #2: The Health Care Cybersecurity and Resiliency Act. A bipartisan group of senators introduced this bill, and it just passed the Senate HELP Committee with a 22-1 vote. That's about as close to unanimous as anything gets in Washington these days. It calls for many of the same things — MFA, encryption, penetration testing, regular audits — plus new breach reporting requirements and better coordination between HHS and CISA.
And over in the financial services world, the FTC Safeguards Rule has already been in effect since June 2023. If you're a bookkeeper, accountant, tax preparer, or financial advisor, you're already required to have an information security program with documented safeguards. That deadline didn't get a lot of press, but the law doesn't care whether you heard about it.
Here's the point: whether you're in healthcare or financial services, the regulatory walls are closing in from multiple directions at once. And they're all asking for the same things.
What They're All Asking For
I find it interesting that whether you're reading the HIPAA Security Rule, the proposed HIPAA update, the Health Care Cybersecurity and Resiliency Act, or the FTC Safeguards Rule, you keep seeing the same list:
Multi-factor authentication on everything
Encryption of sensitive data, at rest and in transit
Regular security assessments and vulnerability scanning
Audit logs that show who accessed what and when
Written incident response plans
Security awareness training for your staff
Documented evidence that you're actually doing all of this
These aren't exotic, cutting-edge requirements. This is basic cybersecurity hygiene. The kind of thing that most people know they should be doing but haven't gotten around to yet because it felt complicated, expensive, or like something that only big companies needed to worry about.
That last part isn't true anymore. It probably never was.
Why Now? What Changed?
You might be wondering why the federal government suddenly cares so much about whether your dental practice has multi-factor authentication turned on.
The answer is Change Healthcare.
In February 2024, Change Healthcare — one of the largest health data processors in the country — was hit by a ransomware attack. It disrupted claims processing, payment systems, and pharmacy operations across the entire U.S. healthcare system for weeks. The personal health information of over 100 million people was compromised. It was the single largest healthcare data breach in American history.
That was the wake-up call. Not for people like me who work in IT security — we've been saying this for years. But for Congress. For regulators. For insurance companies. The Change Healthcare breach made it impossible to keep pretending that cybersecurity in healthcare and financial services was someone else's problem.
And here's what matters for your business: the regulatory response to that breach is now arriving. It's not coming someday. It's here.
"But I'm a Small Practice. They're Not Coming After Me."
I hear this a lot. And I understand why it feels that way. The OCR isn't going to send auditors to every three-chair dental office in rural Oregon. The FTC isn't staking out bookkeeping firms in Hood River.
But here's the thing. You don't need a federal auditor to show up at your door for this to matter. It only takes one of these three things:
A breach. If patient data or client financial data gets compromised — and a single phishing email can make that happen — you are now in a world where you need to prove what safeguards you had in place. If you can't prove it, the penalties escalate. Your cyber insurance claim gets denied. And under the proposed legislation, your corrective actions and security practices get published for the world to see.
An insurance renewal. Cyber insurance carriers are already tightening requirements. Many now require MFA, endpoint detection and response, and documented security policies just to get a policy. If you can't check those boxes, your premium goes up dramatically or you can't get coverage at all.
A patient or client who asks. This is the one people don't think about. But it's coming. Patients are becoming more aware of data breaches. Business clients are starting to ask their service providers about security practices. When a client asks your bookkeeping firm "what are you doing to protect our financial data?" — you need an answer that isn't "well, we have antivirus."
What "Good Enough" Used to Look Like
Five years ago, "good enough" cybersecurity for a small practice looked like this: you had antivirus on your computers, you backed up to a USB drive or a NAS in the closet, you had passwords on everything, and you called your IT guy when something broke.
That's not good enough anymore. Not because I say so — because the threat landscape changed and the regulations followed.
Today, the attacks targeting small practices are automated. They don't care that you only have 15 employees. A phishing email doesn't know your revenue. Ransomware doesn't check whether you're a solo practitioner or a hospital system. The tools attackers use are sophisticated, cheap, and deployed at scale. The average ransomware attack takes less than 24 hours from initial access to encryption.
And the regulators have caught up to that reality. The new requirements aren't arbitrary. They're the minimum set of controls that actually work against modern threats.
Here's the Good News
I promised you good news, so here it is.
The things these regulations require are the same things that actually protect your business. This isn't a situation where compliance and security are pulling in different directions. MFA stops credential theft. Encryption protects data on lost devices. Audit logs let you prove what happened. Backup and disaster recovery get you back on your feet after an incident. Training keeps your staff from clicking the phishing email in the first place.
When you invest in these controls, you're not just checking a compliance box. You're actually making your business harder to attack. That's the rare situation where the regulation and the practical reality line up perfectly.
Most of what you need is probably already included in software you're paying for. If you have Microsoft 365 Business Premium — which a lot of small businesses do — you already have access to multi-factor authentication, conditional access policies, data loss prevention, disk encryption management, and built-in email threat protection. The tools are there. They just need to be turned on and configured properly.
You don't have to do it all at once. Every regulation allows for a phased approach. The FTC Safeguards Rule expects you to have a program — not perfection on day one. HIPAA uses the concept of "reasonable and appropriate" safeguards based on your size and complexity. The proposed legislation includes financial assistance for under-resourced providers. The goal is progress, not overnight transformation.
The 12-Month Head Start
Here's something most people don't know. The Consolidated Appropriations Act of 2021 included a provision that says when OCR is deciding penalties after a breach, they must consider whether the organization had "recognized security practices" in place for at least 12 months prior to the incident.
Read that again. Twelve months of documented security practices can directly reduce your penalties if something goes wrong.
That clock starts when you start. Not when the breach happens. Not when the new law passes. When you begin implementing and documenting your security program.
Every month you wait is a month you don't have on that 12-month clock.
What This Looks Like in Practice
I'm not going to pretend this is simple. But it's also not as overwhelming as it feels when you're staring at a 100-page regulation. Here's what a small practice getting serious about compliance actually looks like:
Month one: Turn on MFA for everyone. Deploy proper email security. Get a password manager in place. Encrypt your hard drives. Start security awareness training for your staff. Name someone responsible for the security program.
Months two through four: Get a security monitoring and logging system in place so you can actually see what's happening in your environment. Run a data discovery scan to find out where sensitive information actually lives. Deploy proper backup with a clear recovery plan. Conduct a risk assessment and write it down.
Months four through six: Document your incident response plan. Review your vendor agreements. Build your annual reporting framework. Assemble your compliance evidence package.
Six months. Not six years. And at the end of it, you have a program that satisfies the current HIPAA Security Rule, the FTC Safeguards Rule, the proposed HIPAA update, and the Health Care Cybersecurity and Resiliency Act — because they're all asking for the same things.
The Question Isn't Whether. It's When.
The regulatory direction is clear. Both parties in Congress agree on it. The insurance industry is enforcing it independently. The threat landscape demands it.
The only question is whether you get ahead of it now — on your terms, at your pace, with a plan — or scramble later when something forces your hand. A breach. An audit. An insurance letter. A client asking uncomfortable questions.
I've been doing this long enough to know that most people will read this, nod, and put it on the list of things to get to eventually. That's human nature. Cybersecurity avoidance works exactly like financial avoidance — you know it matters, but it's complicated and uncomfortable, so you deal with what's in front of you today and figure you'll get to it later.
But some of you are going to read this and think "okay, it's time." And if that's you, the path forward isn't as scary as it looks. Start with the basics. Build from there. Document as you go.
The walls are closing in. But they're closing in on the threats too. And that's the part that actually protects your patients, your clients, and your business.
Matt is the founder of DirectLine-IT Wayfinder Technology Partners, a managed IT security provider based in Hood River, Oregon. DirectLine-IT specializes in cybersecurity and compliance for healthcare practices, financial services firms, and small businesses in regulated industries. If you have questions about how these regulations apply to your business, reach out — the conversation is free.