Healthcare Compliance / Federal Program

405(d)

Section 405(d) of the Cybersecurity Act of 2015 - Health Industry Cybersecurity Practices (HICP)

Featured Framework

Voluntary federal program providing healthcare organizations with cybersecurity practices recognized by HHS as effective methods for protecting health information and reducing cybersecurity risks. Implementation for 12+ months provides favorable consideration in HIPAA enforcement.

Executive Summary

The HHS 405(d) program provides 10 essential and 8 enhanced voluntary cybersecurity practices for healthcare organizations. It addresses the top 5 threats (ransomware, phishing, malware, medical device security, credential theft) and offers free resources, implementation guides, and "recognized security practices" status under HIPAA.

Comprehensive Documentation

HHS 405(d) - Health Industry Cybersecurity Practices

Overview


The Health Industry Cybersecurity Practices (HICP) program, established under Section 405(d) of the Cybersecurity Act of 2015, provides voluntary cybersecurity practices that the Department of Health and Human Services (HHS) has identified as the most valuable for healthcare organizations to protect against cybersecurity threats.

Program Launch: December 2018 (Initial Publication)
Latest Update: 2023 (HICP Framework Update)
Status: Voluntary program with ongoing HHS support

Legislative Authority

Statutory Citation


  • Section 405(d) of the Cybersecurity Act of 2015 (Pub. L. 114-113)

  • Codified as amendments to the Public Health Service Act


Congressional Direction


Congress directed HHS to:
  1. Identify cybersecurity practices that the healthcare industry uses to reduce cybersecurity risks

  2. Publish such practices for voluntary adoption

  3. Consider these practices as "recognized security practices" under HIPAA enforcement


Managing Agency


  • HHS Assistant Secretary for Preparedness and Response (ASPR)

  • ASPR Healthcare Threat Unit (HTU)

  • 405(d) Program Office


Program Status: VOLUNTARY

Key Characteristics


  • Voluntary adoption - NOT mandatory compliance

  • Free resources - All materials available at no cost

  • Scalable - Practices for organizations of all sizes

  • Threat-based - Addresses specific healthcare cybersecurity threats

  • HIPAA-aligned - Supports HIPAA Security Rule compliance


"Recognized Security Practices" Designation


Under HIPAA, implementation of 405(d) practices for 12+ months prior to a security incident provides:
  • Favorable consideration in HIPAA enforcement decisions

  • Potential mitigation of civil monetary penalties

  • Demonstration of reasonable and appropriate safeguards

  • Evidence of diligent security efforts


Who Can Benefit

Applicable Organizations


The 405(d) program is designed for:

  1. Healthcare Providers (HIPAA Covered Entities)

- Hospitals and health systems
- Physician practices (all sizes)
- Clinics and ambulatory care centers
- Long-term care facilities
- Behavioral health providers
- Community health centers

  2. Health Plans (HIPAA Covered Entities)

- Commercial health insurers
- Medicare and Medicaid plans
- Self-insured employer plans
- Health Maintenance Organizations (HMOs)

  3. Healthcare Clearinghouses (HIPAA Covered Entities)

- Billing services
- Claims processing organizations
- Value-added networks

  4. Business Associates

- Electronic Health Record (EHR) vendors
- Medical billing companies
- Cloud service providers
- IT managed service providers
- Health information exchanges (HIEs)

  5. Medical Device Manufacturers

- Medical device makers
- Biomedical equipment suppliers
- Health IT companies

Organization Size


Practices tailored for:
  • Small practices (1-10 employees)

  • Medium practices (11-50 employees)

  • Large organizations (51+ employees)


Top 5 Healthcare Cybersecurity Threats

The 405(d) program focuses on the five most significant threats to healthcare:

1. Ransomware


Impact: Locks access to patient data and systems, disrupts patient care
  • Encrypts files and demands payment for decryption

  • Can shut down hospital operations for days/weeks

  • Average healthcare ransomware payment: $1.5M+ (2023)

  • Patient care delays and diversions during outages


2. Phishing and Social Engineering


Impact: Credential theft, malware installation, business email compromise
  • Impersonation of executives or IT staff

  • Fake login pages stealing credentials

  • Malicious attachments and links

  • Business email compromise (BEC) leading to wire fraud


3. Malware (Non-Ransomware)


Impact: Data theft, system compromise, persistent threats
  • Information-stealing trojans

  • Remote access tools (RATs)

  • Keyloggers capturing passwords and PHI

  • Botnet infections


4. Unsecured Medical Devices


Impact: Network backdoors, operational disruptions, patient safety risks
  • Legacy medical devices with unpatched vulnerabilities

  • Devices using default credentials

  • Lack of network segmentation for medical devices

  • Internet-connected devices without security controls


5. Insider Threats (Accidental and Malicious)


Impact: Data breaches, privacy violations, system sabotage
  • Accidental disclosure of patient information

  • Unauthorized access to patient records (snooping)

  • Malicious data theft by employees

  • Credential sharing and misuse


The 10 Essential Cybersecurity Practices

Practice 1: Email Protection Systems


Purpose: Block phishing emails and malicious attachments
  • Email filtering with anti-phishing capabilities

  • Attachment scanning for malware

  • Link protection to block malicious URLs

  • DMARC/SPF/DKIM email authentication

  • User training on identifying phishing

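The DMARC/SPF/DKIM bullet above is the one item in this practice that can be checked mechanically. The following Python script is an added example, not material from the HHS program or this page: it parses the three DNS TXT record types and reports weak settings (SPF without a restrictive `all`, DMARC `p=none`, revoked or test-mode DKIM keys). The sample records are constructed and use reserved `.invalid` domains; a real review would fetch the records for your domain, your DKIM selector and `_dmarc.<domain>` with a DNS resolver.

```python
"""Offline strength check for SPF, DKIM and DMARC DNS TXT records (added example)."""
from __future__ import annotations

import re

# Constructed sample records; the domains and the DKIM key value are placeholders.
SAMPLE_SPF = "v=spf1 include:_spf.example-mailer.invalid ip4:198.51.100.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@clinic.invalid; pct=100"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into (qualifier, term) pairs, the 'all' qualifier and the lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = "+"  # SPF default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
        mechanisms.append((qualifier, term))
    return {"mechanisms": mechanisms, "all": all_qualifier, "dns_lookups": lookups}


def parse_tag_record(record: str) -> dict:
    """Parse 'tag=value; tag=value' syntax, which DMARC and DKIM records share."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")  # first '=' only: DKIM keys contain '=' padding
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(record: str) -> list[str]:
    findings = []
    spf = parse_spf(record)
    if spf["all"] is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif spf["all"] in ("+", "?"):
        findings.append(f"SPF: '{spf['all']}all' permits or ignores any sender; use -all or ~all")
    elif spf["all"] == "~":
        findings.append("SPF: softfail (~all); move to -all once DMARC reports show all legitimate senders are listed")
    if spf["dns_lookups"] > 10:
        findings.append(f"SPF: {spf['dns_lookups']} lookup terms exceeds the RFC 7208 limit of 10 (permerror)")
    return findings


def evaluate_dmarc(record: str) -> list[str]:
    findings = []
    tags = parse_tag_record(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record missing or malformed (no v=DMARC1)"]
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: invalid or missing policy p={policy!r}")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; mail that fails authentication is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports to review")
    if tags.get("sp") == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def evaluate_dkim(record: str) -> list[str]:
    tags = parse_tag_record(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        return ["DKIM: malformed version tag"]
    if not tags.get("p"):
        return ["DKIM: empty p= tag means the selector's key is revoked"]
    if "y" in tags.get("t", ""):
        return ["DKIM: t=y testing flag set; receivers may disregard the signature"]
    return []


def audit_email_auth(spf: str, dmarc: str, dkim: str) -> list[str]:
    """All findings for one domain's three records, worst practice first within each type."""
    return evaluate_spf(spf) + evaluate_dmarc(dmarc) + evaluate_dkim(dkim)


if __name__ == "__main__":
    for finding in audit_email_auth(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_DKIM):
        print("-", finding)
```

Running it on the constructed records reports the softfail SPF and the monitor-only DMARC policy, which is the usual state of a domain that has published records but never moved to enforcement; the DKIM record passes because its key is present and not flagged as test mode.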

Practice 2: Endpoint Protection Systems


Purpose: Protect workstations, laptops, and mobile devices
  • Antivirus/anti-malware software

  • Endpoint Detection and Response (EDR) solutions

  • Mobile Device Management (MDM)

  • Application whitelisting (when feasible)

  • Automated patching of endpoint software


Practice 3: Access Management


Purpose: Control who can access systems and data
  • Multi-Factor Authentication (MFA) for all users

  • Principle of Least Privilege - minimum necessary access

  • Role-Based Access Control (RBAC)

  • Regular access reviews and revocation of unnecessary access

  • Strong password policies (12+ characters, complexity)

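The "regular access reviews" bullet is where least privilege and MFA coverage are actually verified. The script below is an added example, not from the HHS materials or this page: it runs a quarterly-style review over a constructed account inventory and flags privileged accounts without MFA, dormant accounts, accounts still enabled after termination, and role grants beyond what the job function needs. The 90-day dormancy threshold, the role model in `ALLOWED_ROLES` and the account records are all assumed values.

```python
"""Access review over a constructed user inventory (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 90  # assumed threshold: no sign-in for this long is a revocation candidate

# Assumed role model: the roles each job function legitimately needs.
ALLOWED_ROLES = {
    "physician": {"ehr_clinical"},
    "billing": {"ehr_billing", "claims_portal"},
    "it_admin": {"domain_admin", "ehr_admin", "ehr_clinical"},
    "front_desk": {"ehr_scheduling"},
}
PRIVILEGED_ROLES = {"domain_admin", "ehr_admin"}


@dataclass
class Account:
    username: str
    job: str
    roles: set[str]
    last_login: date | None
    mfa_enabled: bool
    enabled: bool = True
    terminated_on: date | None = None


def review_account(acct: Account, as_of: date) -> list[str]:
    """Issues for one account; disabled accounts only get the role check."""
    issues = []
    privileged = bool(acct.roles & PRIVILEGED_ROLES)
    if acct.enabled and acct.terminated_on is not None and acct.terminated_on <= as_of:
        issues.append("enabled after termination; disable immediately")
    if acct.enabled and not acct.mfa_enabled:
        issues.append("privileged account without MFA" if privileged else "MFA not enrolled")
    if acct.enabled and (acct.last_login is None or (as_of - acct.last_login).days > DORMANT_DAYS):
        issues.append(f"dormant (no sign-in in {DORMANT_DAYS} days); candidate for revocation")
    excess = acct.roles - ALLOWED_ROLES.get(acct.job, set())
    if excess:
        issues.append("roles beyond job function: " + ", ".join(sorted(excess)))
    return issues


def run_access_review(accounts: list[Account], as_of: date) -> dict[str, list[str]]:
    """Map each username that has at least one issue to its list of issues."""
    report = {}
    for acct in accounts:
        issues = review_account(acct, as_of)
        if issues:
            report[acct.username] = issues
    return report


# Constructed sample inventory; usernames and dates are invented.
AS_OF = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("dr.lee", "physician", {"ehr_clinical"}, date(2024, 6, 28), True),
    Account("jsmith", "billing", {"ehr_billing", "claims_portal", "ehr_clinical"}, date(2024, 6, 25), True),
    Account("svc-backup", "it_admin", {"domain_admin"}, date(2024, 2, 1), False),
    Account("mgarcia", "front_desk", {"ehr_scheduling"}, date(2024, 4, 2), True, terminated_on=date(2024, 4, 5)),
    Account("former.admin", "it_admin", {"ehr_admin"}, None, True, enabled=False),
]

if __name__ == "__main__":
    for user, issues in run_access_review(SAMPLE_ACCOUNTS, AS_OF).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

The review deliberately evaluates MFA and dormancy only for enabled accounts, so an already-disabled administrator account is not reported again, while a service account holding `domain_admin` without MFA and without a recent sign-in produces two separate findings that a reviewer must sign off on individually.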

Practice 4: Data Protection and Loss Prevention


Purpose: Secure data at rest and in transit
  • Encryption of data at rest (databases, file servers, backups)

  • Encryption of data in transit (TLS/SSL for websites and email)

  • Data Loss Prevention (DLP) to prevent unauthorized exfiltration

  • USB port controls and removable media policies

  • Secure file transfer mechanisms


Practice 5: Asset Management


Purpose: Maintain inventory of all IT assets
  • Hardware inventory (computers, servers, network devices, medical devices)

  • Software inventory (applications, operating systems, firmware)

  • Automated discovery tools for network-connected assets

  • Removal of unauthorized devices and shadow IT

  • Asset lifecycle management (procurement to decommissioning)


Practice 6: Network Management


Purpose: Secure network infrastructure and segment critical systems
  • Network segmentation to isolate medical devices, clinical systems, and administrative networks

  • Firewall configuration with restrictive rule sets

  • Wireless network security (WPA3 encryption, strong passwords)

  • VPN for remote access with MFA

  • Intrusion Detection/Prevention Systems (IDS/IPS)


Practice 7: Vulnerability Management


Purpose: Identify and remediate security vulnerabilities
  • Regular vulnerability scanning (at least quarterly)

  • Patch management - critical patches within 30 days

  • Prioritized remediation based on risk

  • Penetration testing (for larger organizations)

  • Vendor security bulletins monitoring


Practice 8: Incident Response


Purpose: Detect, respond to, and recover from cybersecurity incidents
  • Incident Response Plan (documented procedures)

  • Incident Response Team with defined roles

  • Detection and monitoring tools (SIEM, log analysis)

  • Containment and eradication procedures

  • Recovery and restoration processes

  • Post-incident review and lessons learned


Practice 9: Medical Device Security


Purpose: Secure medical devices and biomedical equipment
  • Medical device inventory (networked and standalone)

  • Network segmentation for medical devices

  • Change default credentials on all devices

  • Vendor patch management for medical device firmware

  • Risk assessments for new medical device deployments

  • FDA recalls and safety alerts monitoring


Practice 10: Cybersecurity Policies and Training


Purpose: Establish security culture and user awareness
  • Written cybersecurity policies (acceptable use, remote access, BYOD)

  • Annual security awareness training for all workforce

  • Phishing simulation exercises

  • Role-based training (IT staff, clinical staff, executives)

  • Insider threat awareness

  • Disciplinary procedures for policy violations


The 8 Enhanced Cybersecurity Practices

For organizations with greater resources and risk profiles:

Enhanced 1: Advanced Threat Protection


  • Security Information and Event Management (SIEM)

  • Managed Detection and Response (MDR) services

  • Threat intelligence feeds

  • Behavioral analytics


Enhanced 2: Security Operations Center (SOC)


  • 24/7 security monitoring

  • Dedicated security analysts

  • Automated playbooks

  • Threat hunting


Enhanced 3: Zero Trust Architecture


  • Identity-based access controls

  • Micro-segmentation

  • Continuous verification

  • Software-Defined Perimeter (SDP)


Enhanced 4: Cloud Security


  • Cloud Access Security Broker (CASB)

  • Cloud security posture management

  • Container security

  • Cloud encryption and key management


Enhanced 5: Supply Chain Risk Management


  • Vendor security assessments

  • Third-party penetration testing

  • Business Associate Agreement (BAA) security requirements

  • Continuous vendor monitoring


Enhanced 6: Advanced Backup and Recovery


  • Immutable backups (ransomware-proof)

  • Offsite and offline backups

  • Automated backup testing

  • Hot/warm disaster recovery sites


Enhanced 7: Deception Technology


  • Honeypots and honeytokens

  • Decoy systems and credentials

  • Early threat detection


Enhanced 8: Security Governance Program


  • Dedicated Chief Information Security Officer (CISO)

  • Security steering committee

  • Risk management framework

  • Compliance program management

  • Board-level cybersecurity reporting


Implementation Guidance

Small Practices (1-10 employees)


Priority: Essential practices 1-5
  • Start with Email Protection and Endpoint Protection

  • Implement Multi-Factor Authentication immediately

  • Use managed security services for monitoring

  • Leverage EHR vendor security features

  • Free/low-cost tools available from HHS


Medium Practices (11-50 employees)


Priority: All 10 essential practices
  • Implement all essential practices within 12-18 months

  • Add Network Segmentation for clinical vs. administrative systems

  • Develop Incident Response Plan

  • Conduct annual vulnerability scans

  • Consider managed security services


Large Organizations (51+ employees)


Priority: All essential + selected enhanced practices
  • Full implementation of all 10 essential practices

  • Add enhanced practices based on risk assessment

  • Consider Security Operations Center (in-house or managed)

  • Implement Zero Trust Architecture

  • Conduct penetration testing annually

  • CISO or dedicated security staff


HIPAA Enforcement Considerations

"Recognized Security Practices" Under HITECH Act


Section 13405(d) of the HITECH Act (part of HIPAA) states that HHS OCR shall consider whether a covered entity or business associate:
  • Had recognized security practices in place for the 12+ months prior to a breach

  • Where it did, such practices may result in reduced penalties or no penalties


How 405(d) Provides "Recognized Security Practices"


Implementation of 405(d) practices demonstrates:
  1. Industry-recognized standards - HHS-endorsed practices

  2. Reasonable and appropriate safeguards - HIPAA Security Rule requirement

  3. Diligent security efforts - Good faith compliance

  4. Proactive risk management - Addressing known threats


Enforcement Benefits


Organizations implementing 405(d) practices may receive:
  • Reduced civil monetary penalties in HIPAA violations

  • Favorable consideration in breach investigations

  • Demonstration of compliance efforts to OCR auditors

  • Shorter corrective action plans


Requirements for "Recognized Security Practices" Defense


  • Written documentation of 405(d) implementation

  • At least 12 months of implementation prior to incident

  • Demonstrated use of practices (logs, policies, evidence)

  • Regular updates and improvements


Free Resources from HHS

Official Program Materials


  1. HICP Main Document (405d.hhs.gov/Documents/HICP-Main-508.pdf)

- Complete description of all 18 practices
- Threat analysis and mitigation strategies

  2. HICP Implementation Guide (405d.hhs.gov/Documents/HICP-Guide-508.pdf)

- Step-by-step implementation instructions
- Size-specific guidance (small/medium/large)
- Budget considerations

  3. Technical Volumes (1-5)

- Detailed technical implementation for each threat
- Specific tools and configurations
- Use cases and scenarios

  4. Quick Start Guides

- Ransomware Prevention Quick Start
- Phishing Prevention Quick Start
- Medical Device Security Quick Start

Online Resources


  • 405d.hhs.gov - Official program website

  • Webinars and training - Free online training

  • Case studies - Real-world implementation examples

  • Tool recommendations - Vetted security products


Compliance Checklist for Healthcare Organizations

Phase 1: Assessment (Months 1-2)


  • [ ] Review current cybersecurity posture

  • [ ] Identify gaps against 405(d) essential practices

  • [ ] Prioritize implementations based on risk

  • [ ] Determine budget and resources needed


Phase 2: Quick Wins (Months 3-4)


  • [ ] Implement Multi-Factor Authentication (MFA)

  • [ ] Deploy email filtering and anti-phishing tools

  • [ ] Update endpoint protection (antivirus/EDR)

  • [ ] Enforce strong password policies

  • [ ] Conduct initial security awareness training


Phase 3: Core Implementation (Months 5-12)


  • [ ] Implement network segmentation

  • [ ] Establish vulnerability management program

  • [ ] Deploy Data Loss Prevention (DLP)

  • [ ] Create and test Incident Response Plan

  • [ ] Complete asset inventory (hardware and software)

  • [ ] Secure medical devices (change defaults, segment)

  • [ ] Document all policies and procedures


Phase 4: Ongoing Operations (12+ months)


  • [ ] Conduct quarterly vulnerability scans

  • [ ] Perform annual penetration testing

  • [ ] Update security awareness training annually

  • [ ] Review and update Incident Response Plan

  • [ ] Conduct phishing simulation exercises

  • [ ] Monitor security logs and alerts

  • [ ] Track and remediate identified vulnerabilities

  • [ ] Review access controls quarterly

  • [ ] Test backup and recovery procedures

  • [ ] Document "recognized security practices" for HIPAA


Phase 5: Enhanced Practices (As Resources Allow)


  • [ ] Implement SIEM or managed detection and response (MDR)

  • [ ] Consider Security Operations Center (SOC)

  • [ ] Explore Zero Trust Architecture

  • [ ] Enhance cloud security controls

  • [ ] Implement deception technologies


Relationship to Other Frameworks

HIPAA Security Rule


405(d) practices directly support HIPAA compliance:
  • Administrative Safeguards - Policies, training, incident response

  • Physical Safeguards - Asset management, device security

  • Technical Safeguards - Access controls, encryption, audit logs


NIST Cybersecurity Framework (CSF)


405(d) aligns with NIST CSF functions:
  • Identify: Asset management, vulnerability management

  • Protect: Access management, data protection, network security

  • Detect: Monitoring, incident detection

  • Respond: Incident response procedures

  • Recover: Backup and recovery, business continuity


NIST SP 800-53 / NIST SP 800-171


405(d) practices map to NIST SP 800-53 control families for federal healthcare organizations.

FDA Medical Device Cybersecurity


405(d) medical device security aligns with FDA premarket and postmarket cybersecurity guidance.

Massachusetts-Specific Implementation Considerations

Massachusetts Healthcare Environment


  • Small practices: MA has 6,000+ physician practices, most under 10 employees

  • Academic medical centers: Boston has 5 major teaching hospitals

  • Community health centers: 52 CHCs serving underserved populations

  • Biotech and research: High concentration in Cambridge/Boston

  • Payer landscape: Mix of commercial, MassHealth, Medicare


Massachusetts Regulatory Alignment


405(d) practices support compliance with:
  • 201 CMR 17.00 - Massachusetts Data Security Regulation

- Encryption requirements (Practice 4)
- Access controls (Practice 3)
- Security awareness training (Practice 10)
- Monitoring systems (Practice 8)

  • HIPAA - Federal healthcare privacy and security

- All 405(d) practices support HIPAA Security Rule

  • MA PATCH Act - Insurance billing privacy

- Access controls ensure only authorized users access billing systems

Massachusetts Threat Landscape


Recent trends affecting MA healthcare:
  • Ransomware attacks on MA hospitals (2021-2024)

  • Phishing campaigns targeting healthcare workers

  • Medical device vulnerabilities in older biomedical equipment

  • Business Associate breaches affecting multiple MA providers


Free Massachusetts Resources


  • Massachusetts eHealth Institute - State HIE and health IT support

  • MassHealthIT - Health IT policy and coordination

  • Massachusetts Medical Society - Resources for physician practices

  • Boston Healthcare Cybersecurity Working Group


Summary


HHS 405(d) provides FREE, voluntary cybersecurity practices for healthcare organizations of all sizes. Implementation for 12+ months establishes "recognized security practices" for favorable HIPAA enforcement consideration. The program addresses the top 5 threats to healthcare (ransomware, phishing, malware, medical devices, insider threats) through 10 essential and 8 enhanced practices.

Applicable Industries

Healthcare Providers
Health Plans
Healthcare Clearinghouses
Business Associates
Medical Device Manufacturers
Health IT Companies

Company Size

All healthcare organizations - scalable guidance for small (1-10), medium (11-50), and large (51+) organizations

Effective Date

12/28/2018

Penalties for Non-Compliance

Not applicable - voluntary program. However, implementation for 12+ months provides favorable consideration and potential penalty reduction in HIPAA enforcement actions.

For Massachusetts Companies

This healthcare compliance framework is a recommended best practice for Massachusetts companies. While not legally mandatory, implementing this framework can strengthen your security posture and may be required by clients or partners.

Applicable Massachusetts Industries

Healthcare Providers
Health Plans
Healthcare Clearinghouses
Business Associates
Medical Device Manufacturers
Health IT Companies

Official Resources

Enforcement Agency

Voluntary program managed by HHS Assistant Secretary for Preparedness and Response (ASPR). Implementation provides "recognized security practices" consideration in HIPAA enforcement by HHS Office for Civil Rights (OCR).