The Health Industry Cybersecurity Practices (“HICP”), also referred to as 405(d), is a set of guidelines and best practices that healthcare providers can leverage to enhance their cybersecurity program and better protect their patient data.

This set of guidelines was developed by the U.S. Department of Health & Human Services (HHS) with the assistance of industry experts and is an invaluable resource for healthcare organizations to use within their IT security program. Under the HIPAA Security Rule, all covered entities are required by law to conduct an annual risk analysis. This applies across care settings, including specialist, ambulatory, and family care practices.

“The HIPAA Security Rule mandates that covered entities and business associates must complete an annual risk analysis to identify and document vulnerabilities and reasonably anticipated threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI) that the organization creates, receives, maintains, or transmits.” – (45 CFR 164.308(a)(1)(ii)(A))

The completion of a risk assessment utilizing HICP meets this requirement. Let’s take a look at three reasons why HICP is a game changer for healthcare providers.

1. HICP is Healthcare Focused

HICP was built specifically for healthcare organizations and the threats they are most likely to face, while other guidelines and frameworks such as the NIST Cybersecurity Framework (CSF) are generalized to apply across multiple industries. For leadership, it can be difficult to tie areas of the NIST CSF to how well their environment is actually protected from those threats.

HICP’s specificity allows organizations to dedicate focus on five key threats:

  1. Social Engineering
  2. Ransomware
  3. Loss or Theft of Equipment or Data
  4. Insider Accidental or Malicious Data Loss
  5. Attacks Against Network Connected Medical Devices

Each cybersecurity practice section within HICP maps back to one or more of the threats listed above. For example, Cybersecurity Practice #1: Email Protection Systems addresses Social Engineering, Ransomware, and Insider Accidental or Malicious Data Loss.

2. HICP Aligns with Recognized Security Practices

An amendment to the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on Jan. 5, 2021, directing U.S. Health and Human Services (HHS) to consider “recognized security practices” in investigations related to the Health Insurance Portability and Accountability Act (HIPAA) (HR 7898, Pub. L. 116-231). If a covered entity or business associate had these recognized security practices in place for at least a year, the Office for Civil Rights (OCR) is required to take that into account when determining fines, remedies, or the length of an audit for the respective environment. Currently, HICP and the NIST CSF are the only two covered standards. Developing a security program that leverages a standard like HICP helps reduce both the likelihood and the impact of a material data breach, and if one does occur, it helps produce evidence that appropriate and responsible security practices were in place before and during the incident.

3. HICP Fits Your Organization Size

The process of implementing cybersecurity practices will vary by organization size, complexity, and type. For example, the development and implementation of an incident response plan will differ significantly between a large integrated delivery network and a small two-physician practice. To account for this variation, HICP describes cybersecurity practice implementations separately for small, medium-sized, and large organizations. Organization size is determined by a series of factors including, but not limited to, cybersecurity investment budget, number of physicians/providers/beds, complexity, and number of Health Information Exchange partners. More information on the sizing guidance is included in the table below.

HICP Sizing Guidance Chart (source: HICP-Main-508 2023 Edition)

In comparison, the NIST CSF contains functions, categories, and subcategories but does not include guidance or recommendations on how to implement them for any particular organization size. This can be very difficult for healthcare leadership to interpret, especially those who are less technically inclined.

Often, healthcare organizations struggle with determining how specific criteria within the NIST CSF or within the HIPAA Security Rule can be directly applied to further secure their environment. Having a set of recommended practices based on the sizing criteria makes that less ambiguous.

The organization size breakdown is also helpful when determining the scope of a risk analysis. Tailoring the scope to the organization size can reduce the time and resources needed by internal or external assessors. The total number of HICP sub-practices for a small organization is 22, while the large organization guidelines contain 72 sub-practices.

HICP is a powerful resource that is healthcare focused, aligned to regulatory requirements, flexible enough to work for any healthcare organization, and built to accomplish the number one goal of any IT security program: reducing risk.

If you believe your business could benefit from utilizing HICP, one of the best first steps is to have a Risk Assessment performed. This activity assesses the completeness and maturity of the security-related practices inside your organization. Through a series of interviews with key stakeholders and subject matter experts, as well as a review of select documentation, our team of security professionals evaluates the people, processes, and technology that contribute to the protection of Protected Health Information.

LBMC can also help you with the review and/or creation of Policies and Procedures. Existing policies can be reworked, or completely new policies can be provided, to help organizations maintain a focus on healthcare data security.

Finally, LBMC can help you with customized HIPAA Security Consulting services. If you need to improve your existing program, or if you need to start fresh with a brand-new program, our knowledgeable professionals can provide consulting to help you to improve your cybersecurity practices.

If you have any questions, contact the LBMC Cybersecurity team.

Content provided by LBMC Cybersecurity professionals Van Steel and Garrett Zickgraf.