HHS 405(d) Health Industry Cybersecurity Practices
HHS 405(d) provides voluntary, consensus-based Health Industry Cybersecurity Practices (HICP) scaled by organization size. Adopting these recognized security practices can reduce penalties and audit scope under the HIPAA Security Rule.
What HHS 405(d) Is
The HHS 405(d) program, mandated by Section 405(d) of the Cybersecurity Act of 2015, is a collaboration between the U.S. Department of Health and Human Services (HHS) and the healthcare sector to align security approaches and reduce cybersecurity threats. Its centerpiece is the Health Industry Cybersecurity Practices (HICP) publication, which offers practical, consensus-based guidance scaled to organizations of different sizes. It exists because healthcare is a frequent ransomware and data-breach target, and many organizations lack the resources to design programs from scratch.
While HICP is voluntary, it has taken on regulatory weight: under a 2021 amendment to the HITECH Act, HHS must consider an organization's use of "recognized security practices," which include HICP, when handling HIPAA Security Rule investigations and audits.
Who It Applies To
The program targets the healthcare and public health sector broadly, including hospitals, clinics, physician practices, health plans, pharmacies, medical device makers, and their service providers. HICP provides tailored guidance for small, medium, and large organizations, recognizing that resources and threat exposure differ widely across the sector.
Key Requirements
HICP organizes guidance around the most impactful threats and corresponding practices, including:
- Email protection — Defend against phishing and email-based attacks.
- Endpoint protection — Secure workstations, servers, and devices.
- Access management — Enforce identity, authentication, and least-privilege access.
- Data protection and loss prevention — Protect protected health information (PHI) and sensitive data.
- Asset and network management — Maintain inventories and segment networks.
- Medical device security — Address risks in connected clinical devices.
- Incident response — Prepare for and respond to cybersecurity incidents.
Penalties for Non-Compliance
HICP is voluntary, so it carries no direct penalties. However, failing to adopt recognized security practices can increase exposure under the HIPAA Security Rule, since demonstrating their use for at least 12 months can reduce penalties and audit scope in HHS enforcement. Conversely, organizations without such practices may face the full weight of HIPAA penalties after a breach.
How to Comply
Adopt HICP practices proportionate to the organization's size and risk, prioritizing high-impact areas such as email and endpoint protection, access management, and medical device security. Document the implementation of recognized security practices over time so they can be evidenced during HIPAA investigations. Integrate HICP with HIPAA Security Rule compliance and broader frameworks like the NIST Cybersecurity Framework to build a coherent, defensible program.