For many Middle Tennessee businesses such as medical practices, dental offices, financial institutions, and more, the alphabet soup of compliance can feel endless. FTC. PCI. HIPAA. NIST. Everyone promises "complete compliance," but rarely explains what that means and how you can ensure you aren't spending money on things that don't actually reduce risk.
At Johnson Business Technology Solutions, we take a security-first approach because compliance is about doing the basics consistently and proving it. No fluff. No bloat. Just measures that matter.
Below is a practical 2025 playbook that breaks down who's in scope and the minimum viable controls you need to avoid fines, reduce risk, and sleep better at night.
Who's Actually in Scope in 2025?
HIPAA: Medical, Dental & Any Entity Handling ePHI
If your business touches, stores, transmits, bills, or charts patient data, even indirectly, you fall under HIPAA. That includes providers, billing partners, IT vendors, shredding companies, and SaaS tools with access to ePHI.
FTC Safeguards Rule (Financial & "Incidental Financial" Businesses)
You're in scope if you:
- Offer credit
- Finance products
- Store consumer financial information
- Run a tax prep or accounting practice
- Provide financial guidance, collections services, or similar functions
Many Tennessee SMBs don't realize they qualify until an auditor asks for their Written Information Security Program (WISP).
PCI DSS: Anyone Accepting Credit Cards, Even Small Offices
If you take credit card payments you must follow PCI DSS controls. This includes businesses that fall under other compliance standards, such as medical centers, dentist offices, accounting firms, and more. Compliance requirements scale with transaction volume, but the foundational safeguards are universal across all businesses.
The Minimum Viable Controls Every Middle Tennessee Business Needs in 2025
These aren't "nice to have," they're the baseline every auditor, regulator, and cyber insurer treats as non-negotiable.
Below are the minimum controls every business needs and the frameworks that require each of them.
1) Multi-Factor Authentication, Everywhere
Required by: HIPAA (2025 NPRM), FTC Safeguards, PCI
Why it matters: Password-only logins are the leading cause of breaches. MFA shuts down most account takeover attempts.
Where to enforce MFA:
- Microsoft 365
- EHR/EMR
- VPN / Remote Desktop
- Payment terminals with admin access
- Cloud apps storing sensitive data
Proof auditors want: MFA logs plus screenshots of enforced conditional access policies.
2) Encrypt All Devices and Data, at Rest and In Transit
Required by: HIPAA, PCI, FTC Safeguards
What to encrypt:
- Laptops and workstations (BitLocker/FileVault)
- Email and messaging tools
- Backups
- Payment terminals
- Server data, file shares, and cloud storage
Why it matters: A stolen laptop should be an inconvenience, not a breach notification.
3) Restricted Access Control
Required by: HIPAA, FTC, PCI
What to do:
- Only grant the access needed for someone's job
- Require manager approval for elevated access
- Disable accounts immediately when employees leave
- Review access quarterly
Why it matters: Excess access is one of the most common and most avoidable audit failures.
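The quarterly review above is easiest to defend to an auditor when it is produced by a repeatable reconciliation rather than by eyeballing a directory. The script below is an added example, not Johnson BTS tooling: it compares a constructed account export against a constructed HR roster and returns the four findings the list calls for (separated staff still enabled, unknown accounts with no recorded owner, elevated privilege without a manager approval on file, and accounts not reviewed within the 90-day window). The data shapes, field names, and the 90-day window are assumptions for illustration.

```python
"""Quarterly access review helper (added example, not the page's own tooling).

Reconciles a constructed identity export against a constructed HR roster and
returns the findings an access review is meant to surface. Every record below
is constructed for illustration; the field names are assumptions.
"""
from datetime import date, timedelta

# Constructed HR roster: current employment status and role per username.
HR_ROSTER = {
    "jsmith": {"status": "active", "role": "front_desk"},
    "mlee": {"status": "active", "role": "billing"},
    "rpatel": {"status": "separated", "role": "nurse"},  # left last month
}

# Constructed account export (e.g. from a directory). approved_by records the
# manager who signed off on elevated rights, or the owner of a service account.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True, "privileged": False,
     "approved_by": None, "last_review": date(2025, 6, 1)},
    {"user": "mlee", "enabled": True, "privileged": True,
     "approved_by": None, "last_review": date(2025, 6, 1)},
    {"user": "rpatel", "enabled": True, "privileged": False,
     "approved_by": None, "last_review": date(2025, 1, 15)},
    {"user": "svc-backup", "enabled": True, "privileged": True,
     "approved_by": "itmgr", "last_review": date(2025, 6, 1)},
]

REVIEW_WINDOW_DAYS = 90  # "review access quarterly" (assumed window)


def review_access(accounts, roster, today, window_days=REVIEW_WINDOW_DAYS):
    """Return a dict mapping finding type -> sorted list of usernames."""
    findings = {
        "separated_still_enabled": [],  # leaver whose account was never disabled
        "orphaned": [],                 # not in HR and no owner/approver on file
        "unapproved_privilege": [],     # elevated rights with no manager approval
        "stale_review": [],             # last review older than the window
    }
    cutoff = today - timedelta(days=window_days)
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            if acct["approved_by"] is None:
                findings["orphaned"].append(user)
        elif person["status"] != "active" and acct["enabled"]:
            findings["separated_still_enabled"].append(user)
        if acct["privileged"] and acct["approved_by"] is None:
            findings["unapproved_privilege"].append(user)
        if acct["last_review"] < cutoff:
            findings["stale_review"].append(user)
    return {k: sorted(v) for k, v in findings.items()}


def has_findings(findings):
    """True when any category is non-empty; useful as a CI/report gate."""
    return any(findings.values())


if __name__ == "__main__":
    result = review_access(ACCOUNTS, HR_ROSTER, today=date(2025, 7, 1))
    for kind, users in result.items():
        print(f"{kind:24s} {', '.join(users) or '-'}")
```

Running it against the constructed data flags rpatel twice (still enabled after separation, and not reviewed this quarter) and mlee once (privileged with no approval recorded); the service account passes because an owner is on file. Keeping the output of each run is the evidence auditors ask for.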
4) Quarterly Risk Assessments & Continuous Monitoring
Required by: HIPAA, FTC Safeguards (mandated), PCI
What it includes:
- Vulnerability scanning
- Asset inventory updates
- Patch compliance reports
- Review of new vendors, workflows, or apps
- Updated remediation plan
HIPAA specifically asks for documented risk analysis and ongoing risk management—not a one-time checklist.
5) Documented Policies, Procedures & an Incident Response Plan
Required by: HIPAA, FTC Safeguards, PCI
This is the "show me" part of compliance. If it's not written down, auditors assume it never happened.
Your binder should include:
- Acceptable Use
- Access Control
- Security Awareness
- Device & Media Sanitization
- Disaster Recovery
- Incident Response (with contact tree and timelines)
- Vendor Management
- WISP (for FTC)
Most violations come from missing evidence, not missing controls.
6) Backups & Restoration Tests
Required by: HIPAA, FTC Safeguards, PCI
Why it matters: Ransomware is still the biggest threat in Middle Tennessee, and backups are the difference between paying a ransom and recovering in hours.
Auditors want:
- Proof of successful daily backups
- Logs from quarterly test restores
- Documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
7) Security Awareness Training & Phishing Simulations
Required by: HIPAA, FTC Safeguards, PCI
Training must be:
- Annual (minimum)
- Role-based
- Documented
- Paired with phishing simulations
Small teams benefit the most from ongoing training: your people are the perimeter.
8) Vendor Oversight & Signed Agreements
Required by: HIPAA (BAAs), FTC Safeguards (Vendor Management), PCI
What to maintain:
- Signed Business Associate Agreements
- WISP copies from financial vendors
- PCI Attestation of Compliance
- Proof your IT provider meets the same standards you are held to
In healthcare, missing BAAs are one of the top reasons practices get fined.
9) Patch Management
Required by: HIPAA, FTC Safeguards, PCI
Why it matters: Outdated systems remain one of the easiest attack vectors.
This includes:
- Operating systems
- Browsers
- EHR/EMR
- Payment software
- Firewalls
- Imaging equipment PCs
- Anything running Windows
Automation helps, but a human must review exceptions and failures.
10) Logging, Monitoring & Alerting
Required by: FTC Safeguards (explicit), PCI (explicit), HIPAA (expected)
Small and mid-sized businesses often skip this step—but cyber insurers no longer do.
You need:
- Centralized logging (SIEM or equivalent)
- Alerts for failed logins, access changes, privilege escalations
- 24/7 monitoring of security systems
This control drastically reduces breach detection time.
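The three alert types listed above are simple enough to express as rules once logs are centralized. The script below is an added example, not part of the original post or any vendor product: it runs those rules over a handful of constructed, syslog-style lines and returns the alerts that a SIEM would raise. The log format, the message patterns, the "five failures from one source within ten minutes" threshold, and the set of privileged groups are all assumptions chosen for illustration; a real deployment would use the patterns of its own directory, VPN and EHR logs.

```python
"""Minimal alerting rules for the three events named on the page (added example).

Constructed log lines, assumed "timestamp source message" format, and assumed
thresholds; none of this is from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One brute-force burst, one normal login, one admin
# group change, one account creation, and a lone failure from another source.
SAMPLE_LOG = """\
2025-07-01T08:00:01 auth Failed password for admin from 203.0.113.5
2025-07-01T08:00:05 auth Failed password for admin from 203.0.113.5
2025-07-01T08:00:09 auth Failed password for admin from 203.0.113.5
2025-07-01T08:00:14 auth Failed password for admin from 203.0.113.5
2025-07-01T08:00:20 auth Failed password for admin from 203.0.113.5
2025-07-01T08:01:00 auth Accepted password for jsmith from 192.0.2.10
2025-07-01T08:03:10 auth User mlee added to group 'Domain Admins' by itmgr
2025-07-01T08:04:00 auth Account 'temp1' created by jsmith
2025-07-01T08:05:00 auth Failed password for mlee from 198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
GROUP_RE = re.compile(r"User (?P<user>\S+) added to group '(?P<group>[^']+)' by (?P<actor>\S+)")
ACCOUNT_RE = re.compile(r"Account '(?P<user>[^']+)' (?P<action>created|enabled|disabled) by (?P<actor>\S+)")

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "sudo"}  # assumed
FAIL_THRESHOLD = 5                    # assumed: failures per source
FAIL_WINDOW = timedelta(minutes=10)   # assumed: sliding window


def parse(line):
    """Split one line into (timestamp, source, message), or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["msg"]


def detect(log_text):
    """Return alerts (dicts) in the order the triggering lines were seen."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    for raw in log_text.splitlines():
        parsed = parse(raw)
        if parsed is None:
            continue  # unparseable lines are skipped, not silently trusted
        ts, _src, msg = parsed
        if (m := FAILED_RE.search(msg)):
            recent = [t for t in failures[m["ip"]] if ts - t <= FAIL_WINDOW]
            recent.append(ts)
            failures[m["ip"]] = recent
            # Fire once, at the moment the threshold is crossed.
            if len(recent) == FAIL_THRESHOLD:
                alerts.append({"type": "repeated_failed_logins", "ip": m["ip"],
                               "user": m["user"], "at": ts})
        elif (m := GROUP_RE.search(msg)) and m["group"] in PRIVILEGED_GROUPS:
            alerts.append({"type": "privilege_escalation", "user": m["user"],
                           "group": m["group"], "actor": m["actor"], "at": ts})
        elif (m := ACCOUNT_RE.search(msg)):
            alerts.append({"type": "account_change", "user": m["user"],
                           "action": m["action"], "actor": m["actor"], "at": ts})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["at"].isoformat(), a["type"], {k: v for k, v in a.items() if k not in ("at", "type")})
```

On the sample it raises exactly three alerts: the brute-force burst from 203.0.113.5 (the single failure from 198.51.100.7 stays below threshold), the addition of mlee to Domain Admins, and the creation of temp1. Whoever watches the 24/7 queue then has a who, what and when for each, which is also what incident response timelines in the policy binder depend on.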
What's Changing in 2025?
Here's what Middle Tennessee decision makers need to know about this year's regulatory pressure:
HIPAA:
Proposed 2025 updates formalize MFA, asset inventory, incident response testing, and stricter vendor oversight. These are already considered best practice—implementing them now prevents rework later.
FTC Safeguards:
Enforcement is ramping up. Written documentation, vendor verification, and continuous monitoring are no longer optional for financial-sector SMBs.
PCI DSS 4.0:
New logging, authentication, and continuous training standards apply to anyone processing payment cards—even low-volume small offices.
None of this is meant to complicate your business. The goal is simple: reduce preventable incidents.
Straight Talk: Compliance Only Works If Operations Support It
At Johnson BTS, we see the same pattern across healthcare, financial, and small business clients: compliance fails when support is slow, no one answers the phone, and simple issues linger for weeks.
Compliance is built on discipline. That means triaging well, responding quickly, automating what you can, and showing up onsite when the situation needs it. That's our operational philosophy because it's what makes these controls real in day-to-day workflows.
Need Reliable FTC, PCI, or HIPAA Support in Middle Tennessee?
If you want to implement these controls without burying your team in checklists, our security-first approach is designed exactly for that.
- HIPAA-verified
- CISSP/CISA certified leadership
- Rapid onsite support
- Compliance expertise across healthcare, financial, and SMB environments
We help you demonstrate compliance confidently—with documentation, automation where possible, and clear communication about your technology "State of the Union."
Click here or give us a call at 615-989-0000 to book a free 15-minute discovery call.
