Three Reasons Why HICP is a Game Changer for Healthcare Providers


The Health Industry Cybersecurity Practices (“HICP”), also referred to as 405(d), is a set of guidelines and best practices that healthcare providers can leverage to enhance their cybersecurity program and better protect their patient data.

This set of guidelines was developed by the U.S. Department of Health & Human Services (HHS) with the assistance of industry experts and provides an incredible resource for healthcare organizations to utilize within their IT security program. According to the HIPAA Security Rule, all covered entities are required by law to conduct an annual risk analysis. Covered entities include specialists, ambulatory care, family care practices, and similar providers.

“The HIPAA Security Rule mandates that covered entities and business associates must complete an annual risk analysis to identify and document vulnerabilities and reasonably anticipated threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI) that the organization creates, receives, maintains, or transmits.” – (45 CFR 164.308(a)(1)(ii)(A))

Completing a risk assessment that leverages HICP can significantly support an organization’s HIPAA Security Rule risk analysis requirements when applied appropriately and documented thoroughly. HICP should be viewed as a practical implementation guide that complements frameworks like the HIPAA Security Rule and the NIST Cybersecurity Framework, not a replacement for them.

Healthcare cybersecurity risk has expanded significantly due to increased third-party exposure, AI-enabled phishing, and a growing number of connected medical devices across clinical environments.

1. HICP is Healthcare Focused

HICP was built specifically for healthcare organizations and the threats these organizations are most likely to face, while other guidelines and frameworks such as the NIST Cybersecurity Framework (CSF) are more generalized so that they apply to multiple industries. These risks are compounded by the reliance on electronic health records (EHRs), third-party vendors, and integrated clinical systems across most healthcare environments. For leadership, it can be difficult to tie areas of the NIST CSF to how well their environment is protected from threats.

As healthcare cyber threats continue to evolve, HICP remains a practical, scalable framework that helps organizations translate cybersecurity requirements into actionable steps. HICP’s specificity allows organizations to focus on five key threats:

1. Social engineering (including phishing and business email compromise)
2. Ransomware
3. Loss or theft of equipment or data
4. Insider data loss (accidental or malicious)
5. Attacks on network-connected medical devices

Each cybersecurity practice section within HICP maps back to one or more of the threats listed above. For example, Cybersecurity Practice #1: Email Protection Systems addresses social engineering, ransomware attacks, and insider accidental or malicious data loss.

2. HICP Aligns with Recognized Security Practices

An amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Jan. 5, 2021, directing U.S. Health and Human Services (HHS) to consider “recognized security practices” in investigations related to the Health Insurance Portability and Accountability Act (HIPAA) (HR 7898, Pub. L. 116-231). If a covered entity or business associate had these recognized security practices in place for at least a year, the Office for Civil Rights (OCR) is required to acknowledge that when determining fines, remedies, or the length of an audit for the respective environment. Currently, HICP and the NIST CSF are the only two covered standards. Developing a security program that leverages a standard like HICP helps reduce the impact and likelihood of a material data breach. If a breach does occur, it also helps produce evidence that appropriate and responsible security practices were in place before and during the incident.

3. HICP Fits Your Organization Size

The process of implementing cybersecurity practices will vary by organization size, complexity, and type. For example, the development and implementation of an incident response plan will differ significantly between a large, integrated delivery network and a small two-physician practice. To emphasize this variation, HICP describes cybersecurity practice implementations separately for small, medium-sized, and large organizations. Your organization size is determined by a series of factors, including but not limited to cybersecurity investment budget, number of physicians/providers/beds, complexity, and number of Health Information Exchange partners. More information on the sizing guidance is included in the table below.

In comparison, the NIST CSF contains functions, categories, and subcategories but does not include guidance or recommendations on how to implement them for organizations of any size. This can be very difficult for healthcare leadership to interpret, especially those less technically inclined.

Often, healthcare organizations struggle with determining how specific criteria within the NIST CSF or within the HIPAA Security Rule can be directly applied to further secure their environment. Having a set of recommended practices based on the sizing criteria makes that less ambiguous.

The organization size breakdown is also helpful when determining the scope of a risk analysis. Tailoring the scope specifically to the organization size can reduce time and resource needs for internal or external assessors. The HICP total number of sub-practices for a small organization is 22, while the large organization guidelines contain 72 sub-practices.

Conclusion

HICP is a powerful resource that is healthcare focused, aligned to regulatory requirements, and flexible enough to work with any healthcare organization, and it works to accomplish the number one goal of any IT security program: reducing risk.

If you believe your business could benefit from utilizing HICP, one of the best first steps is to have a Risk Assessment performed. This activity will assess the completeness and maturity of the security-related practices inside your organization. Through a series of interviews with key stakeholders and subject matter experts, as well as a review of select documentation, our team of security professionals will evaluate the people, processes, and technology that contribute to the protection of Protected Health Information.

LBMC helps healthcare organizations operationalize HICP through gap assessments, tabletop exercises, policy development, and targeted remediation planning. Whether you’re strengthening an existing program or addressing specific risks, our team evaluates people, processes, and technology to help protect patient data and reduce regulatory exposure.

If you have any questions, contact the LBMC Cybersecurity team.

Content provided by LBMC Cybersecurity professionals Van Steel and Garrett Zickgraf.

HICP FAQs

What is HICP in healthcare cybersecurity?

HICP (Health Industry Cybersecurity Practices) is a set of recommended cybersecurity practices developed for healthcare organizations to reduce common risks and protect patient data.

How is HICP different from the NIST Cybersecurity Framework?

HICP is tailored specifically to healthcare and provides practical implementation guidance, while NIST CSF is broader and applies across multiple industries.

Does HICP help with HIPAA compliance?

HICP can support HIPAA Security Rule risk analysis and security planning, but it does not replace compliance requirements. It should be used alongside HIPAA and other frameworks.

What cybersecurity threats does HICP address?

HICP focuses on key healthcare threats such as phishing and social engineering, ransomware, insider data loss, third-party risk, and attacks on connected medical devices.

Is HICP useful for small healthcare organizations?

Yes. HICP includes guidance based on organization size, making it especially useful for small and mid-sized healthcare providers that need practical, scalable security practices.

How should healthcare organizations implement HICP?

Organizations typically start with a risk assessment, identify gaps in current controls, and prioritize improvements based on risk, resources, and operational needs.
