Health Industry Cybersecurity Practices (HICP)

What is HICP?

The Health Industry Cybersecurity Practices: Handling Risks and Safeguarding Patients publication was created as a result of the Cybersecurity Act of 2015, which brought together more than 150 cyber-experts, physicians, and healthcare administrators. The HICP publication offers useful, affordable techniques that may fortify your business against online thieves, effortlessly incorporate cybersecurity into your team’s day-to-day activities, and lay out a sound plan for lowering your enterprise’s cybersecurity risk.

The Health Industry Cybersecurity Practices (HICP) is a publication that provides guidance to organizations, companies and manufacturers in the healthcare industry, helping them to practically implement cybersecurity best practices.

HIPAA has been a legal requirement for more than 25 years. The procedures and regulations governing cybersecurity and the safeguarding of patient data have undergone substantial changes throughout that time. Even so, HIPAA is quite ambiguous, and healthcare companies of all sizes frequently struggle with it since the regulations don’t specify how they should be applied in line with an organization’s resources, threats and capabilities. 

The practices outlined in 405(d) HICP bring clarity to organizations and organize mitigations according to organization size: small, medium or large. The publication takes into account the resources likely to be available at each level and clearly explains threats and mitigation measures. It also provides recommended metrics that guide users on what to measure in order to maintain security best practices. This helpful addition builds control monitoring into the program and even explains the goals of the metrics and how to interpret the data.

According to the official HICP documentation, the publication can additionally be used to raise awareness among executives, health care practitioners, providers, and health delivery organizations, such as hospitals. It is applicable to health organizations of all types and sizes across the sector. It also provides technical implementation recommendations for IT and information security professionals.

What are the requirements for HICP?

As the publication is for ‘informational purposes only’ and to provide guidance, users can set their own targets and implement as much or as little as they see fit. Ideally, users can aim to implement all of the recommended practices and build a robust cybersecurity program. 

The guidance itself is split into 2 publications:

Technical Volume 1 – For Small Organizations

  • This volume speaks at a high level and is excellent for non-technical audiences, providing practical guidance and education to strengthen a small organization’s cybersecurity posture and put vital controls in place. It serves to guide organizations on what to ask their IT and/or IT security teams or vendors.

Technical Volume 2 – For Medium and Large Organizations

  • This more advanced volume provides more in-depth and skilled practices to implement. It divides them into those suitable for medium-sized organizations, with their manpower and resources, and those that large organizations will benefit from implementing. It is intended for IT and/or IT security professionals.

How Do I Decide Which Technical Volume to Implement?

HICP provides a handy table that directs users in how to choose which level is recommended for them to implement:

The complexity of your cybersecurity requirements may decrease or increase depending on your organization’s characteristics and the kind of goods and/or services you offer. You may wish to take into account practices other than those that fall within your “best fit” size category.

Each technical volume is divided into 10 best practices:

Cybersecurity Practice #1: Email Protection Systems

Cybersecurity Practice #2: Endpoint Protection Systems

Cybersecurity Practice #3: Identity and Access Management

Cybersecurity Practice #4: Data Protection and Loss Prevention

Cybersecurity Practice #5: IT Asset Management

Cybersecurity Practice #6: Network Management

Cybersecurity Practice #7: Vulnerability Management

Cybersecurity Practice #8: Security Operations Center and Incident Response

Cybersecurity Practice #9: Medical Device Security

Cybersecurity Practice #10: Cybersecurity Policies

Why should you be HICP compliant?

The aim of aligning with and implementing the guidance is to achieve 3 core goals:

1. Cost-effectively reduce cybersecurity risks for a range of healthcare organizations; 

2. Support the voluntary adoption and implementation of its recommendations; 

3. Ensure, on an ongoing basis, that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

All healthcare-related organizations will benefit from using this ‘common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes’ to achieve the above goals, as well as strengthen their overall cybersecurity posture, minimize risk and align globally with other healthcare organizations.

How do you implement HICP?

The best way to implement the HICP guidance is by following the best practices laid out in the technical volumes. The Centraleyes platform has pre-built HICP questionnaires for small, medium and large organizations, to guide you methodically through each of the 10 Cybersecurity Practices, tracking your alignment and flagging tasks for remediation. Each question consists of a specific task and provides education and guidance for its implementation. This aligns directly with the implementation steps provided by HICP listed below.

Implementing all of the HICP best practices is ideal, but can be overwhelming or outside of the scope for many organizations. The HICP documentation recommends the following steps when deciding which sections to implement and provides the information tables:

  1. Enumerate and Prioritize Threats.

The top 5 threats HICP focuses on are:

  • Email Phishing Attack
  • Ransomware Attack
  • Loss or Theft of Equipment or Data 
  • Accidental or Intentional Data Loss 
  • Attacks Against Connected Medical Devices and Patient Safety

Every organization needs to evaluate for itself which of these threats are most prevalent, taking into account both the likelihood of occurrence and the impact such a threat would ultimately have on the organization. A comprehensive risk assessment can help organizations identify their key threats and other risks. Centraleyes can provide this too.

  2. Review Practices Tailored to Mitigate Threats.

Once you have chosen which threat to mitigate first, the next step is to review the series of practices that exist to mitigate that threat. The Centraleyes HICP questionnaires enumerate each of the 10 practices and break them down into individual tasks.

The best way to implement the HICP guidance is by following the best practices laid out in the appropriate technical volume written specifically for an organization of your size. The Centraleyes platform has pre-built HICP questionnaires to guide you methodically through each of the 10 Cybersecurity Practices, tracking your alignment and flagging tasks for remediation. Each question consists of a specific task along with guidance for its implementation.

Each organization views its exposure to threats from its own angle, which leads to differences in how the risks to be mitigated are prioritized. As the practices of HICP mitigate multiple threats, it is advisable to consider first the practices that provide the best breadth of protection, followed by the practices that provide the most depth to mitigate the threat.

  3. Determine Gaps Compared to Practices.
  4. Identify Improvement Opportunity and Implement.

After working through the questionnaire, you need to compare your posture to the HICP best practices. Centraleyes’s automated remediation planner identifies gaps and produces actionable remediation tickets. The Centraleyes platform will provide your organization with a risk score using an easy and adaptable process, based on a proprietary weighting and grading algorithm. Once scores are collected, the pre-populated Centraleyes HICP questionnaire, featuring automated workflows and alerts, will help remediate the areas vulnerable to risk.

  5. Repeat for Next Threats.

This easy and repeatable process can be followed for all or any of the threats you decide to mitigate. 

The HICP framework has been integrated into the Centraleyes platform to help organizations in the healthcare industry safeguard patients and their data. The platform also maps the controls of this framework back to the extensive control inventory of other frameworks and standards, using our SmartMapping feature. The Centraleyes platform saves time and resources, generates more accurate, measurable data and brings you peace of mind when working towards HICP compliance. 

Read more: HICP Main Document. The Main Document discusses the current cybersecurity threats facing the healthcare industry. It sets forth a call to action for the healthcare industry, especially executive decision makers, with the goal of raising general awareness of the issue.
