
HHS 405(d) HICP Explained: Recognized Security Practices

HHS 405(d) HICP explained for US organizations — clear, practical guidance to protect PHI and stay audit-ready. Learn the essentials with CyberSilo.

📅 Published: June 2026 🔐 Cybersecurity • HIPAA • USA ⏱️ 2,200 words

The HHS 405(d) Health Industry Cybersecurity Practices (HICP) is a set of voluntary, consensus-driven cybersecurity practices published by the Department of Health and Human Services (HHS) to help healthcare organizations of all sizes protect electronic protected health information (ePHI) and better align with the HIPAA Security Rule’s administrative, physical, and technical safeguards. Developed in partnership with the healthcare sector and the HHS Office for Civil Rights (OCR) and the Assistant Secretary for Preparedness and Response (ASPR), the HICP translates the high-level requirements of the HIPAA Security Rule (45 CFR §§ 164.308–164.312) into concrete, actionable guidance for defending against the most common cybersecurity threats facing the industry today.

Key Takeaways: HHS 405(d) HICP at a Glance

  • What it is: A voluntary cybersecurity practices framework tailored for the healthcare sector, aligned with the HIPAA Security Rule.
  • Who it helps: Healthcare providers, health plans, clearinghouses, and their business associates.
  • Core structure: Organized into five threat-based sections—Email Phishing, Ransomware, Data Breach Response, Medical Device Security, and Network Protection.
  • Compliance benefit: Adopting the HICP’s practices can serve as evidence of “recognized security practices” under the HITECH Act (42 U.S.C. § 17934), potentially reducing fines or audit scrutiny during an OCR investigation.
  • Why it matters now: With healthcare data breaches frequently exceeding 500,000 records per incident, and OCR increasingly applying the HICP as a benchmark for due diligence, the HICP is the practical roadmap every covered entity and business associate needs.

What Is the HHS 405(d) HICP and Why Was It Created?

The HHS 405(d) Program originated from Section 405(d) of the Cybersecurity Information Sharing Act (CISA) of 2015, which tasked HHS with establishing a public-private task force to improve cybersecurity in the healthcare industry. The result was the Health Industry Cybersecurity Practices (HICP), first published in 2018 and updated periodically, most notably in 2022.

The HICP addresses a critical gap: while the HIPAA Security Rule mandates that covered entities and business associates implement safeguards for ePHI and conduct a security risk analysis (45 CFR § 164.308(a)(1)(ii)(A)), it does not specify exactly which technical controls or operational processes to deploy. The HICP fills that gap by providing specific, prioritized cybersecurity practices derived from real-world breach data and input from the sector.

The HICP is not a regulation itself, but it is officially recognized by HHS as a set of “recognized security practices” under the HITECH Act. This designation is critical: if an organization experiences a HIPAA breach and can demonstrate that it was following the HICP’s practices, OCR must consider that as a mitigating factor during the penalty determination process (42 U.S.C. § 17934).

Who Should Follow the HHS 405(d) HICP?

The HICP is designed for the entire healthcare ecosystem. While the primary audience includes covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates, the practices are also highly relevant for medical device manufacturers, health information exchanges (HIEs), and any subcontractor handling ePHI.

For US-based organizations, the HICP is especially important because it directly supports compliance with the HIPAA Security Rule’s implementation specifications. For Canadian organizations handling ePHI of US patients (for example, a Canadian hospital treating US medical tourists or a Canadian software provider serving US healthcare clients), the HICP offers a practical bridge between the HIPAA Security Rule and the organization’s domestic privacy obligations under PIPEDA or Ontario’s PHIPA.

How Is the HICP Structured? (HICP 2022 Main Practices)

The HICP is organized into two core volumes plus supporting materials. The primary volume is “Main Practices – Cybersecurity Practices for the Healthcare Industry,” which groups actions into five threat-based areas. Each practice area includes a set of specific, measurable implementation steps.

Threat 1: Email Phishing Attacks

Phishing remains the top vector for healthcare breaches. The HICP recommends specific technical controls and training programs designed to reduce the risk of credential compromise and unauthorized ePHI access.

Threat 2: Ransomware Attacks

Ransomware is the most financially devastating threat for healthcare organizations. The HICP provides detailed guidance on maintaining offline backups, implementing network segmentation, and deploying security monitoring to detect ransomware early. These practices directly support the HIPAA Security Rule’s requirement for data backup and disaster recovery at 45 CFR § 164.308(a)(7).

Threat 3: Data Breaches and Unauthorized Access

This section addresses insider threats, misconfigured systems, and external intrusions that lead to unauthorized ePHI disclosure. The HICP recommends implementing a robust incident response plan, access controls, and continuous monitoring to meet HIPAA’s information access management requirements (45 CFR § 164.312(a)).

Threat 4: Medical Device Security

Connected medical devices—from infusion pumps to imaging systems—represent a growing attack surface. The HICP provides guidance aligned with the FDA’s 524B provisions under the Federal Food, Drug, and Cosmetic Act, which requires device manufacturers to demonstrate they have a coordinated vulnerability disclosure (CVD) program and appropriate security controls. For US-based hospitals and health systems, this section is critical for ensuring that both legacy and new devices are properly inventoried and secured.

Threat 5: Network Protection

This section covers perimeter and internal network security, including firewall management, vulnerability scanning, and security log monitoring. It aligns closely with the administrative safeguards of the HIPAA Security Rule (45 CFR § 164.308(a)(1)) and the physical safeguards (45 CFR § 164.310). The HICP recommends a layered approach to network defense, including using a SIEM tool for centralized log management and threat detection—a capability directly supported by ThreatHawk SIEM.

HICP and the HIPAA Security Rule: Mapping the Controls

The HICP is explicitly designed to map to the HIPAA Security Rule’s administrative, physical, and technical safeguards. The table below illustrates how specific HICP practices correspond to required HIPAA implementation specifications.

| HICP Practice Area      | Example Practice                                                           | HIPAA Security Rule Citation                                        |
|-------------------------|----------------------------------------------------------------------------|---------------------------------------------------------------------|
| Email Phishing          | Implement DMARC, DKIM, and SPF email authentication                        | § 164.312(c)(1) (Integrity Controls)                                |
| Ransomware              | Maintain offline, immutable backups                                        | § 164.308(a)(7)(ii)(A) (Data Backup Plan)                           |
| Data Breach             | Implement a formal incident response plan and conduct tabletop exercises   | § 164.308(a)(6) (Response & Reporting)                              |
| Medical Device Security | Create and maintain an asset inventory of all connected medical devices    | § 164.312(a)(1) (Access Control) / FDA 524B                         |
| Network Protection      | Deploy network segmentation to isolate medical devices from IT networks    | § 164.312(a)(1) (Access Control) / § 164.310 (Physical Safeguards)  |

How Does the HICP Relate to Other Frameworks?

For organizations managing multiple compliance obligations, the HICP integrates well with other major frameworks. The table below highlights key comparisons between the HICP and the NIST Cybersecurity Framework (CSF) 2.0, NIST SP 800-53, and HITRUST CSF.

| Feature                 | HHS 405(d) HICP                           | NIST CSF 2.0                                          | HITRUST CSF                                              |
|-------------------------|-------------------------------------------|-------------------------------------------------------|----------------------------------------------------------|
| Primary Audience        | Healthcare sector                         | All critical infrastructure sectors                   | Healthcare and other regulated industries                |
| Regulatory Alignment    | HIPAA Security Rule + HITECH Act          | Generic, non-prescriptive                             | HIPAA, NIST, ISO 27001, PCI DSS                          |
| Control Maturity Rating | Medium                                    | Medium                                                | High                                                     |
| Audit Certification     | No (self-assessment)                      | No (self-assessment)                                  | Yes (certification available)                            |
| Best For                | Covered entities and business associates  | Any organization building a broad cybersecurity program | Organizations needing a certifiable, risk-based framework |

While the HICP is healthcare-focused, it is effectively a subset of the NIST CSF 2.0 tailored for healthcare. For organizations pursuing comprehensive compliance, the HICP provides a strong sector-specific starting point, while broader frameworks like NIST CSF or HITRUST offer more granularity and maturity models.

Compliance Note: The HICP is updated based on real-world threat intelligence. As of 2025, the most recent update from HHS emphasizes supply chain security for medical devices and expanded guidance for ransomware resilience. Always verify that your organization’s practices reflect the latest published version of the Main Practices document.

How to Implement the HHS 405(d) HICP: A Practical Guide

Adopting the HICP does not require a complete overhaul of your existing security program. The practices are designed to be implemented incrementally, starting with the highest-impact threats. The most common approach for HIPAA compliance is to use the HICP as a “control library” to populate your security risk analysis and remediation plan.

Step 1: Perform a Gap Assessment Against the HICP

Start by mapping your existing security controls—including policies, procedures, and technical safeguards—to the 15 HICP practices listed in the Main Practices document. Identify gaps in areas like phishing defenses, backup strategies, and incident response preparedness. This assessment aligns directly with the HIPAA requirement to conduct a risk analysis (45 CFR § 164.308(a)(1)(ii)(A)).

Step 2: Prioritize Based on Threat Likelihood

The HICP organizes threats by frequency and impact. For most organizations, this means starting with Email Phishing and Ransomware as the two highest-priority threats. Implement technical controls like multi-factor authentication (MFA) for all remote access to ePHI, advanced email filtering, and user training that includes periodic phishing simulation exercises.

Step 3: Establish Security Monitoring and Logging

The HICP recommends that organizations “maintain security monitoring and logging across all systems and networks where ePHI is stored, processed, or transmitted.” This requires a centralized logging strategy. A modern SIEM platform like ThreatHawk SIEM can aggregate logs from medical devices, endpoints, firewalls, and cloud environments, enabling real-time detection of anomalies that could indicate a breach or ransomware precursor. This directly meets HIPAA’s information system activity review requirement (45 CFR § 164.308(a)(1)(ii)(D)).

Step 4: Develop and Test an Incident Response Plan

Document a formal incident response plan (IRP) that includes roles, communication procedures, and steps for containment, eradication, and recovery. The HICP emphasizes the need for tabletop exercises at least annually. An effective IRP not only fulfills HIPAA’s response standard (45 CFR § 164.308(a)(6)) but also positions you to meet HICP expectations for rapid threat mitigation.

Step 5: Document Everything for OCR and HITECH Benefit

To qualify for penalty mitigation under the HITECH Act, you must be able to demonstrate that your cybersecurity practices are consistent with the HICP. This requires evidence—not just assertions. Maintain records of your risk analysis, HICP gap assessment, implemented controls, training logs, and post-incident reports. Consider using a Compliance Standards Automation tool to centralize and map evidence across multiple frameworks, including HIPAA, NIST CSF, and the HICP.
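To make the monitoring step concrete, the following Python script is an added example; it is not code from this article, from CyberSilo's products, or from the HHS HICP document. It shows the two halves of a centralized logging strategy in miniature: normalizing records from different sources (here a VPN gateway and a file server, with an unrecognized medical-device heartbeat line discarded) into one event schema, and then running detection rules over the unified stream for the two highest-priority HICP threats: a burst of failed logins followed by a success from one source address (the trace left by a phished credential) and a burst of renames to a single unfamiliar extension on a file share (a common ransomware precursor). Every log line, hostname, username, IP address, path and threshold in the script is constructed for the example.

```python
"""
Added example, not code from the CyberSilo article or from the HHS HICP:
a minimal centralized-log analysis pass of the kind step 3 calls for.
It normalizes constructed log lines from two sources (a VPN gateway and a
file server) into one event schema, discards lines it cannot parse (here a
device heartbeat), and runs two detections a SIEM rule set would carry:
  1. repeated failed logins followed by a success from one source address
     (the pattern a credential stolen through phishing leaves behind), and
  2. many renames to one unfamiliar extension on a file share in a short
     window (a common ransomware precursor).
Every hostname, username, IP address, path and threshold is constructed.
"""
import os
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str      # system that produced the record
    kind: str      # auth_fail | auth_ok | rename
    actor: str     # source IP for auth events, host for file events
    detail: str    # username for auth events, new path for renames


# Constructed sample lines in two formats, plus one line no parser understands.
SAMPLE_LOGS = [
    "2026-06-01T08:00:01Z vpn01 vpn-auth user=jdoe src=203.0.113.7 result=FAIL",
    "2026-06-01T08:00:03Z vpn01 vpn-auth user=jdoe src=203.0.113.7 result=FAIL",
    "2026-06-01T08:00:05Z vpn01 vpn-auth user=jdoe src=203.0.113.7 result=FAIL",
    "2026-06-01T08:00:07Z vpn01 vpn-auth user=jdoe src=203.0.113.7 result=FAIL",
    "2026-06-01T08:00:09Z vpn01 vpn-auth user=jdoe src=203.0.113.7 result=FAIL",
    "2026-06-01T08:00:12Z vpn01 vpn-auth user=jdoe src=203.0.113.7 result=OK",
    "2026-06-01T08:01:00Z vpn01 vpn-auth user=asmith src=198.51.100.4 result=OK",
    "2026-06-01T08:05:00Z fs01 fileop op=rename path=/share/radiology/img001.dcm -> /share/radiology/img001.dcm.locked",
    "2026-06-01T08:05:02Z fs01 fileop op=rename path=/share/radiology/img002.dcm -> /share/radiology/img002.dcm.locked",
    "2026-06-01T08:05:04Z fs01 fileop op=rename path=/share/radiology/img003.dcm -> /share/radiology/img003.dcm.locked",
    "2026-06-01T08:05:06Z fs01 fileop op=rename path=/share/radiology/img004.dcm -> /share/radiology/img004.dcm.locked",
    "2026-06-01T08:05:08Z fs01 fileop op=rename path=/share/radiology/img005.dcm -> /share/radiology/img005.dcm.locked",
    "2026-06-01T08:05:30Z fs01 fileop op=rename path=/share/hr/report.docx -> /share/hr/report_final.docx",
    "2026-06-01T08:06:00Z infusion-pump-12 heartbeat status=ok",
]

AUTH_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) vpn-auth user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")
RENAME_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) fileop op=rename "
                       r"path=(?P<old>\S+) -> (?P<new>\S+)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_line(line):
    """Normalize one raw line into an Event, or return None if unrecognized."""
    m = AUTH_RE.match(line)
    if m:
        kind = "auth_ok" if m["result"] == "OK" else "auth_fail"
        return Event(_ts(m["ts"]), m["host"], kind, m["src"], m["user"])
    m = RENAME_RE.match(line)
    if m:
        return Event(_ts(m["ts"]), m["host"], "rename", m["host"], m["new"])
    return None


def detect_failures_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a source IP that fails at least min_failures times within the
    window and then logs in successfully."""
    alerts = []
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind in ("auth_fail", "auth_ok"):
            by_src[e.actor].append(e)
    for src, evs in by_src.items():
        fails = []  # timestamps of recent failures from this source
        for e in evs:
            fails = [t for t in fails if e.ts - t <= window]
            if e.kind == "auth_fail":
                fails.append(e.ts)
                continue
            if len(fails) >= min_failures:
                alerts.append(f"credential-compromise pattern: {len(fails)} failed "
                              f"logins then success for user {e.detail} from {src}")
            fails = []  # a success (alerted or not) closes the sequence
    return alerts


def detect_mass_rename(events, min_renames=5, window=timedelta(minutes=1)):
    """Flag a host that renames at least min_renames files to the same
    extension within the window (sliding over sorted timestamps)."""
    alerts = []
    per_host_ext = defaultdict(list)
    for e in events:
        if e.kind == "rename":
            per_host_ext[(e.host, os.path.splitext(e.detail)[1])].append(e.ts)
    for (host, ext), times in per_host_ext.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_renames:
                alerts.append(f"ransomware precursor: {end - start + 1} renames to "
                              f"'{ext}' on {host} within {window}")
                break
    return alerts


def analyze(lines):
    """Parse all lines, run both detections, and return counts plus alerts."""
    events, unparsed = [], 0
    for line in lines:
        e = parse_line(line)
        if e is None:
            unparsed += 1
        else:
            events.append(e)
    alerts = detect_failures_then_success(events) + detect_mass_rename(events)
    return {"parsed": len(events), "unparsed": unparsed, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS)["alerts"]:
        print(alert)
```

Run as-is, the script reports one credential-compromise alert for 203.0.113.7 and one ransomware-precursor alert for fs01, while the single benign rename to .docx and the asmith login produce nothing. The unparsed counter matters in practice: a source whose records silently fail to normalize is a monitoring gap, which is exactly what the HIPAA information system activity review requirement is meant to catch.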

HICP and OCR Investigations: How “Recognized Security Practices” Help

One of the most powerful reasons to adopt the HICP is the potential for penalty mitigation. Under the HITECH Act, as amended by 42 U.S.C. § 17934, OCR is required to consider whether an organization had implemented “recognized security practices” (including the HICP) when determining the penalty amount for a violation. This means that if you can demonstrate your organization was following the HICP at the time of a breach, OCR must weigh that as a mitigating factor during the penalty calculation.

For example, if a phishing incident bypasses your MFA controls but you can show that you had implemented DMARC, conducted quarterly phishing simulations, and had a documented incident response plan consistent with HICP Threat 1 and Threat 3, OCR would be obligated to reduce the penalty accordingly. Not all organizations will need an external assessment for this; many can self-attest if they have robust documentation. However, working with an experienced compliance partner like CyberSilo can help you build defensible documentation faster.

Ready to Align Your Security Program with the HHS 405(d) HICP?

CyberSilo’s cybersecurity experts can perform a comprehensive HICP gap assessment and build a remediation roadmap that maps your controls to the HICP, HIPAA Security Rule, and HITECH Act requirements. Protect your ePHI and reduce regulatory risk.

HICP and Canadian Healthcare Organizations

For Canadian healthcare organizations that handle US patient ePHI—whether as a covered entity (e.g., a Canadian hospital providing services to US patients) or as a business associate (e.g., a Canadian software provider hosting US health data)—the HICP applies just as much as it does to a US-based provider. The HIPAA Security Rule and HITECH Act have extraterritorial reach, meaning any organization creating, receiving, maintaining, or transmitting ePHI is subject to HIPAA enforcement if that data belongs to a US citizen.

For Canadian organizations that do not handle US ePHI but want to adopt a robust, sector-specific cybersecurity framework, the HICP can also serve as an excellent supplement to domestic compliance. It maps well to PIPEDA’s 10 fair information principles, particularly Principle 7 (Safeguards), and aligns with many of the technical security measures recommended by the Canadian Centre for Cyber Security (CCCS) under its ITSG-33 guidelines. However, for Canadian organizations, the primary compliance driver remains PIPEDA (and provincial laws like Ontario’s PHIPA or Quebec’s Law 25), so the HICP should be treated as an overlay rather than a replacement for domestic obligations.

Common Misconceptions About HHS 405(d) HICP

“The HICP Is Mandatory.”

False. The HICP is voluntary. However, adopting it can significantly reduce your risk profile and provide penalty mitigation under the HITECH Act. Many privacy officers also find it practically mandatory because OCR has signaled that it expects organizations to follow these recognized practices during audits.

“I Already Have the HIPAA Security Rule; I Don’t Need the HICP.”

Inaccurate. The HIPAA Security Rule tells you what to do; the HICP tells you how to do it. The Security Rule requires that you “protect against reasonably anticipated threats” (45 CFR § 164.306(a)(2)). The HICP provides the current standard of care for that anticipation. Without the HICP, your risk analysis may be missing the specific threats that are plaguing the industry today.

“The HICP Only Applies to Large Hospitals.”

Incorrect. The HICP includes separate guidance for small/medium-sized healthcare organizations (those with fewer than 15 employees). It provides a tiered approach that allows organizations to start with the highest-priority, lowest-cost controls and scale up as resources allow.

“Once I Implement the HICP, I’m Done.”

Inaccurate. Like all cybersecurity frameworks, the HICP requires continuous improvement. The threat landscape changes, and HHS expects organizations to update their practices as the HICP itself is periodically revised. Annual reviews and ongoing monitoring—including SIEM-based threat detection—are essential.

How CyberSilo Supports HHS 405(d) HICP Adoption

CyberSilo’s Compliance Standards Automation solution is purpose-built to help regulated organizations—especially those in healthcare—map their security controls to multiple frameworks simultaneously. For a client adopting the HICP, the automation platform can:

For organizations requiring real-time monitoring of their healthcare IT and medical device environments, ThreatHawk SIEM provides the centralized log management and threat detection that supports HICP Threat 5 (Network Protection) and the HIPAA requirement for information system activity review.

Don’t Wait for an OCR Audit to Align with the HICP

CyberSilo can help you implement the HHS 405(d) HICP efficiently, whether you are starting from scratch or need to close gaps in an existing program. Our team of compliance and security experts works with US and Canadian healthcare organizations to build defensible, audit-ready security programs.

Our Conclusion & Recommendation

The HHS 405(d) HICP is not optional in practice—it is the de facto standard of care for healthcare cybersecurity in the United States. For organizations subject to HIPAA, adopting the HICP is one of the most effective ways to reduce breach risk and demonstrate due diligence to OCR during an investigation. For Canadian organizations handling US ePHI, the HICP is equally essential as a risk management and compliance tool. The practices are practical, threat-aligned, and designed for incremental implementation.

We recommend that every covered entity and business associate conduct an HICP gap assessment at least annually as part of their HIPAA Security Rule compliance program. Pairing this assessment with continuous monitoring via a SIEM platform like ThreatHawk and using compliance automation to map evidence will give your organization the strongest possible defense—and the best possible outcome if OCR comes calling. CyberSilo is ready to help you build that program today.

Get a Compliance Assessment

Contact CyberSilo to schedule an HICP gap assessment and learn how our compliance automation solutions can help you protect ePHI and reduce regulatory risk.
