HHS 405(d) Cybersecurity Assessment

Evaluate alignment with Health and Human Services voluntary cybersecurity practices for the healthcare industry

Categories: Healthcare, Biotech, Research | Estimated time: 15 minutes | 21 questions

1. Asset Management

Do you maintain an inventory of all devices, systems, and applications?*

Complete asset inventory is foundational to cybersecurity

Are medical devices and IoMT (Internet of Medical Things) included in your asset inventory?*

Medical devices are frequent attack vectors in healthcare

Do you classify assets by criticality and PHI/ePHI access?*

2. Risk Management

Have you conducted a cybersecurity risk assessment in the past 12 months?*

Annual risk assessments required by HIPAA and recommended by 405(d)

Do you have a documented risk management strategy?*

The strategy should address the identify, protect, detect, respond, and recover functions

Are vulnerability scans performed at least quarterly?*

3. Access Control

Is multi-factor authentication (MFA) required for all remote access to PHI/ePHI?*

MFA is a critical control highlighted in 405(d) practices

Do you enforce role-based access control (RBAC) for clinical systems?*

Users should only access data necessary for their job function

Are privileged accounts monitored and reviewed regularly?*

Do you disable accounts immediately upon employee termination?*

4. Data Protection

Is ePHI encrypted at rest and in transit?*

Encryption is addressable under HIPAA but strongly recommended by 405(d)

Do you have secure backup and recovery procedures for critical systems?*

Ransomware recovery depends on secure, tested backups

Are backups tested for restoration at least annually?*

Do you implement secure email practices (encryption, DLP) for PHI transmission?*

5. Incident Response

Do you have a documented incident response plan?*

The plan should cover detection, containment, eradication, recovery, and post-incident activities

Have you conducted incident response tabletop exercises in the past year?*

405(d) recommends regular testing of IR plans

Do you have 24/7 security monitoring or SIEM capabilities?*

Are security incidents logged and reviewed for lessons learned?*

6. Third-Party Risk

Do you assess cybersecurity risks of Business Associates before engagement?*

Third-party breaches are a leading cause of healthcare data incidents

Are Business Associate Agreements updated with cybersecurity requirements?*

Do you conduct periodic reviews of vendor security posture?*

Annual security assessments of critical vendors are recommended
