Fortunately, these steps can be performed with a minimal investment of time, energy, and cost. Current commercial antivirus software for the small-office market is relatively inexpensive, and commercial-grade firewalls are freely available, as are the vulnerability scanning programs used to perform security assessments and check host configuration. A trained information security professional should be able to accomplish these tasks in a relatively short timeframe.
Taking the initiative to perform these steps can add numerous layers of defense to protect sensitive client data, as well as show regulators (and insurance firms and lawyers) the seriousness with which client data security is handled.
Just as taking an umbrella on a walk is the surest way to avoid the downpour, being prepared for the new laws can help avoid countless hours of productivity lost to achieving and proving compliance after the fact.