The 405(d) Program started as a congressional mandate under the Cybersecurity Act of 2015 (CSA), Section 405(d), to strengthen the cybersecurity posture of the healthcare and public health sector. In the beginning, collaborators had one goal: to develop a document that raised cybersecurity awareness and provided best practices for mitigating the most pertinent cyber issues within the healthcare sector to date. As a result, the 405(d) Task Group, a collaborative effort of members from the U.S. Department of Health and Human Services (HHS), the Health Sector Coordinating Council, and 200+ cybersecurity and healthcare experts, established the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients and its two accompanying technical volumes. Today the 405(d) Program provides organizations across the nation with resources and recommended steps to prepare for threats, and offers practices to mitigate cybersecurity threats.
In January 2021, HR 7898 became law as an amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH Act). HR 7898, now referred to as Public Law 116-321, requires the U.S. Department of Health and Human Services (HHS) to recognize the adoption of cybersecurity best practices. However, this law isn't a safe harbor from HIPAA for healthcare organizations or their business associates (BA). You must still adhere to HIPAA mandates, and if your organization is in violation of a HIPAA mandate, you'll still be subject to an audit or investigation, with fines, penalties, and other potential punitive actions. However, PL 116-321 may provide your organization some grace when it comes to how long an OCR audit may last as well as its potential impact.
PL 116-321 identifies specific security practices from "section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities."
These security practices include the NIST Cybersecurity Framework (NIST CSF) and what is now commonly referred to as the 405(d) Health Industry Cybersecurity Practices (HICP), which are mapped to the NIST CSF.
The 405(d) HICP assessment includes an evaluation and documentation of how an organization is following the sub-practices of all ten cybersecurity practices, as relevant for the organization's size (small, medium, or large), so it can bridge any gaps and report easily as needed.
405(d) HICP is a voluntary set of federally recognized standards; adopting and documenting these practices can help an organization should it be audited by the Office for Civil Rights (OCR). In 2021, a bill named HR 7898 was signed into law as an amendment to the HITECH Act and is now known as Public Law 116-321. The law requires HHS to recognize the adoption of cybersecurity best practices, like 405(d) HICP. If an organization can demonstrate that it has had 405(d) HICP in place for no less than 12 months prior to the point of an investigation, this may result in the mitigation of fines and early, favorable regulatory treatment.
405(d) HICP does not replace the need for your organization to have established HIPAA policies and procedures, nor does it replace the need for risk analysis. Rather, your risk analysis process can be used to identify and prioritize the rollout of 405(d) HICP controls.
A step-by-step guide to the 405(d) HICP requirements will get you moving on your path to compliance, including the top 5 new threats of 2023.
Task lists assigned to the proper resources, with automated reminders to ensure tasks are tracked through completion.
A fully documented set of steps required to verify that the organization has assessed all components of the 405(d) HICP program.
One-touch reporting on dashboards and compliance for distribution throughout the enterprise and to outside agencies.