The 405(d) HICP Cybersecurity Framework

405(d) HICP

What is 405(d) HICP?

405(d) Health Industry Cybersecurity Practices (HICP) is a healthcare cybersecurity framework created out of a congressional mandate from the Cybersecurity Act of 2015.  Section 405(d) of this mandate has the goal of strengthening the cybersecurity posture of the healthcare and public health sector.  A collective called the 405(d) Task Force was formed from both the public and private sectors.  This task force contains members of the U.S. Department of Health and Human Services, over 200 healthcare and cybersecurity experts, and the Health Sector Coordinating Council.  Their deliverable was the 405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients.  This framework contains 326 cybersecurity controls for organizations within the healthcare industry.

What is a Cybersecurity Framework?

A cybersecurity framework is a collection of controls that companies can put in place to reduce the risk of a cyber-attack.  An example control could be “Enable Multi-Factor Authentication (MFA) for all Remote Access”.

What Size Organizations Use 405(d) HICP?

Any size organization can use the 405(d) HICP guidance.  The framework is divided into three sections: Small Organizations, Medium Organizations, and Large Organizations.  The framework recommends that healthcare organizations follow the controls specific to their size.  One may ask how the size of an organization is determined.  The framework contains a chart for organizations to use to determine their size.  This chart is shown below.

Organization sizing guide (Department of Health and Human Services)

Is 405(d) HICP Only for Healthcare?

Most of the controls within 405(d) HICP can be used by organizations in any industry.  However, one section of the framework, Section 9, contains 25 controls for Medical Devices.  This section simply would not apply to non-healthcare industries.

How Can I Follow the 405(d) Guidance?

The 405(d) HICP Framework can be found as a detailed PDF or a basic spreadsheet on the Health and Human Services website:  Unfortunately, working through the PDF or spreadsheet is not ideal because it takes considerable manual effort to create graphs that show progress and program maturity.  Thankfully, Stern Security has built the 405(d) framework into Velocity.  Within Velocity, the 405(d) framework is easy to use, has a clean interface, contains graphs that depict an organization's maturity, and has reports for download.  Additionally, the controls for small organizations are completely FREE.  Any organization can quickly sign up for a free Velocity account and start using the 405(d) HICP framework today.

Works Cited

Department of Health and Human Services. (n.d.). Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients. Retrieved from HHS 405(d) Aligning Health Care Industry Security Approaches: