Start your cybersecurity journey with the 405(d) HICP Assessment
 
History of HHS and the 405(d)
The 405(d) Program started as a congressional mandate under the Cybersecurity Act of 2015 (CSA), Section 405(d), to strengthen the cybersecurity posture of the healthcare and public health sector. In the beginning, collaborators had one goal: to develop a document that raised cybersecurity awareness and provided best practices for mitigating the most pertinent cyber issues within the healthcare sector to date. As a result, the 405(d) Task Group (a collaborative effort of members from the U.S. Department of Health and Human Services (HHS), the Health Sector Coordinating Council, and 200+ cybersecurity and healthcare experts) established the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients and its accompanying two technical volumes. Today the 405(d) Program provides organizations across the nation with resources and recommended steps to prepare for threats, and offers practices to mitigate cybersecurity threats.
In January 2021, HR 7898 became law as an amendment to the Health Information Technology for Economic and Clinical Health Act (HITECH Act). HR 7898, now Public Law 116-321, requires the U.S. Department of Health and Human Services (HHS) to recognize the adoption of cybersecurity best practices. However, this law isn’t a HIPAA safe harbor for healthcare organizations or their business associates (BAs). You must still adhere to HIPAA mandates, and if your organization is in violation of a HIPAA mandate, you’ll still be subject to an audit or investigation, with fines, penalties, and other potential punitive actions. That said, PL 116-321 may provide your organization some grace when it comes to how long an OCR audit may last as well as its potential impact.
PL 116-321 identifies specific security practices from “section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
These security practices include the NIST Cybersecurity Framework (NIST CSF) and what we’re now commonly referring to as 405(d) Health Industry Cybersecurity Practices (HICP), which are mapped to NIST CSF.
949-994-9689
CALL US TODAY TO SCHEDULE A DEMO
405(d) HICP Questions
What is the 405(d) HICP?
The 405(d) HICP assessment includes an evaluation and documentation of how an organization is following the sub-practices of all ten cybersecurity practices relevant to its organization size (small, medium, or large), so it can bridge any gaps and report easily as needed.
Is the 405(d) HICP required?
405(d) HICP is a voluntary set of federally recognized standards; adopting and documenting these practices can help an organization should it be audited by the Office for Civil Rights (OCR). In 2021, a bill named HR 7898 was signed into law as an amendment to the HITECH Act and is now known as Public Law 116-321. The law requires HHS to recognize the adoption of cybersecurity best practices, like 405(d) HICP. If an organization can demonstrate that it has had 405(d) HICP in place for no less than 12 months prior to the point of an investigation, it may result in the mitigation of fines and early, favorable regulatory treatment.
Does the 405(d) HICP replace the need for a Risk Assessment?
405(d) HICP does not replace the need for your organization to have established HIPAA policies and procedures, nor does it replace the need for risk analysis. Rather, your risk analysis process can be used to identify and prioritize the rollout of 405(d) HICP controls.
What are the top 5 new threats of 2023?
- Social Engineering
- Ransomware
- Loss or Theft of Equipment or Data
- Insider Accidental or Malicious Data Loss
- Attacks Against Network Connected Medical Devices
What you get with the 405(d) HICP Risk Assessment
AI Guided Assistance
A step-by-step guide to the 405(d) HICP requirements will get you moving on your path to compliance, including the top 5 new threats of 2023.
Automated Tasks
Task lists assigned to the proper resources with automated reminders to ensure tasks are tracked through completion.
Remediation Plan
A fully documented set of steps required to verify the organization has assessed all components of the 405(d) HICP program.
Business Intelligence
One-touch reporting on dashboards and compliance for distribution throughout the enterprise and to outside agencies.
Cost of Non-Compliance
Streamlinz At a Glance
Key figures (the statistics widget's values were not captured in this extraction):
- Percentage of small businesses that report closing their doors 6 months after a large data breach
- Average fine per breach for small companies
- Streamlinz templates available
- Years in the industry
Streamlinz cuts HIPAA compliance risks and keeps you protected. Prepare, Protect and Prevent - Our solutions save you time with a guaranteed positive ROI.
Get personalized care and expert guidance to achieve your compliance goals.
