
What Can HICP Do to Help Mitigate the Top Cybersecurity Threats in Healthcare?

Healthcare Industry Cybersecurity Practices (HICP) were updated in April 2023 to help healthcare entities mitigate cyber threats. Read on for details.

With the top cybersecurity risks threatening the healthcare industry, how does a healthcare entity help mitigate those threats?

One way is to adopt the practices developed under Section 405(d) of the Cybersecurity Act of 2015. The 405(d) task group released the Healthcare Industry Cybersecurity Practices (HICP) in late 2018 to address the top cybersecurity threats facing healthcare, and HICP was most recently updated in April 2023. HICP's goal is to give the sector consistent, healthcare-specific approaches to those threats. To that end, it identifies 10 Cybersecurity Practices that help mitigate them.

These 10 Cybersecurity Practices are:

  • Cybersecurity Practice #1: E-mail Protection Systems
  • Cybersecurity Practice #2: Endpoint Protection Systems
  • Cybersecurity Practice #3: Identity and Access Management
  • Cybersecurity Practice #4: Data Protection and Loss Prevention
  • Cybersecurity Practice #5: IT Asset Management
  • Cybersecurity Practice #6: Network Management
  • Cybersecurity Practice #7: Vulnerability Management
  • Cybersecurity Practice #8: Security Operations Center and Incident Response
  • Cybersecurity Practice #9: Medical Device Security
  • Cybersecurity Practice #10: Cybersecurity Policies

HICP was developed, and continues to be updated, by a wide spectrum of professionals from the public and private sectors of the healthcare industry, including CEOs, CISOs, hospital administrators, doctors, and nurses. The process focused on keeping the practices simple and prescriptive so that they provide a practical starting point for addressing cybersecurity threats.

HICP is also organized for broad consumption: it has two technical volumes, the first focused on Small Healthcare Organizations and the second on Medium and Large Healthcare Organizations. This lets an organization measure itself against its peers. Do not be intimidated by the word "technical" in the title; the technical volumes are written in plain English for everyone who works in healthcare.

HICP provides general guidance on where an organization fits:

| Criterion               | Small                        | Medium                                     | Large                       |
|-------------------------|------------------------------|--------------------------------------------|-----------------------------|
| Size (provider)         | 1–10 physicians              | 11–50 physicians                           | More than 50 physicians     |
| Size (acute/post-acute) | 1–25 providers               | 26–500 providers                           | More than 500 providers     |
| Size (hospital)         | 1–50 beds                    | 51–299 beds                                | 300 or more beds            |
| Complexity              | Single practice or care site | Multiple sites in extended geographic area | Integrated delivery networks |

Participate in accountable care organization or clinically

Each Cybersecurity Practice is broken down into Sub-Practices and the Threats Mitigated, and the Medium and Large Healthcare Organization technical volume also provides Suggested Metrics for each practice.

Each Cybersecurity Practice can have multiple Sub-Practices. For example, Cybersecurity Practice #1: E-mail Protection Systems has the following:

  • Three Sub-Practices for Small Healthcare Organizations:
    • 1.S.A Email System Configuration
    • 1.S.B Education
    • 1.S.C Phishing Simulation
  • Four Sub-Practices for Medium Healthcare Organizations:
    • 1.M.A Basic E-mail Protection Controls
    • 1.M.B MFA for Remote Access
    • 1.M.C E-mail Encryption
    • 1.M.D Workforce Education
  • In addition, there are three Sub-Practices for Large Healthcare Organizations:
    • 1.L.A Advanced and Next Generation Tooling
    • 1.L.B Digital Signatures Practices
    • 1.L.C Analytics Driven Education

A Large Healthcare Organization would therefore be expected to implement all 10 Sub-Practices for Cybersecurity Practice #1: E-mail Protection Systems.

Each Cybersecurity Practice will help mitigate key threats. For example, Cybersecurity Practice #1: E-mail Protection Systems addresses 1) social engineering, 2) ransomware attacks, and 3) insider, accidental, or malicious data loss.

Finally, for each Cybersecurity Practice, the Medium and Large Healthcare Organizations technical volume lists Suggested Metrics, which can be used to answer the proverbial question of how well you are doing.

Some of the Suggested Metrics include:

  • Number of malicious phishing attacks prevented on a weekly basis, compared to total email volume
  • Percentage of users in your organization who are susceptible to phishing attacks based on the results of internal phishing campaigns
  • Percentage of users who report suspected messages received during a phishing campaign
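To show how Suggested Metrics like these can be computed from data an organization already collects, here is an added Python example; it is not from the article and is not code prescribed by HICP. The gateway log format, the simulation event names, and the user names are constructed for the illustration. The simulation metrics count users rather than events, so a user who clicks twice is one susceptible user, and a user who clicks and then reports is counted in both groups, which is the behaviour a training program wants to surface.

```python
"""Compute HICP Cybersecurity Practice #1 Suggested Metrics from sample data.

Added example; the log format, event names, and users are constructed here
and are not defined by HICP or by the article.
"""
from collections import defaultdict

# Constructed e-mail gateway summary lines for one week (hypothetical format):
# "<date> <action> <count>", where action is "delivered" or "blocked_phish".
GATEWAY_LOG = """\
2024-03-04 delivered 18250
2024-03-04 blocked_phish 112
2024-03-05 delivered 17990
2024-03-05 blocked_phish 97
2024-03-06 delivered 18410
2024-03-06 blocked_phish 140
"""

# Constructed phishing-simulation events as (user, event) pairs. A user may
# produce several events for one campaign, including duplicates.
SIM_EVENTS = [
    ("alice", "delivered"), ("alice", "reported"),
    ("bob", "delivered"), ("bob", "clicked"), ("bob", "submitted_credentials"),
    ("carol", "delivered"), ("carol", "clicked"), ("carol", "reported"),
    ("dave", "delivered"),
    ("erin", "delivered"), ("erin", "reported"), ("erin", "reported"),
]

# Events that mean the user fell for the lure (assumed names).
SUSCEPTIBLE_EVENTS = {"clicked", "submitted_credentials"}


def weekly_phish_block_rate(log_text):
    """Metric 1: phishing messages blocked versus total inbound volume.

    Returns (blocked, total, blocked_fraction). Total volume counts both
    delivered and blocked mail, so the fraction answers "of everything that
    arrived this week, how much did the gateway catch".
    """
    blocked = delivered = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _date, action, count = line.split()
        if action == "blocked_phish":
            blocked += int(count)
        elif action == "delivered":
            delivered += int(count)
    total = blocked + delivered
    return blocked, total, (blocked / total if total else 0.0)


def simulation_metrics(events):
    """Metrics 2 and 3: share of targeted users who fell for the lure and
    share who reported it, plus the overlap that training should focus on.
    """
    per_user = defaultdict(set)
    for user, event in events:
        per_user[user].add(event)  # set: duplicate events collapse per user

    targeted = {u for u, evs in per_user.items() if "delivered" in evs}
    susceptible = {u for u in targeted if per_user[u] & SUSCEPTIBLE_EVENTS}
    reporters = {u for u in targeted if "reported" in per_user[u]}

    n = len(targeted)

    def pct(group):
        return (100.0 * len(group) / n) if n else 0.0  # guard empty campaign

    return {
        "targeted": n,
        "susceptible_pct": pct(susceptible),
        "report_pct": pct(reporters),
        "clicked_then_reported": sorted(susceptible & reporters),
        "silent_clickers": sorted(susceptible - reporters),
    }


if __name__ == "__main__":
    blocked, total, rate = weekly_phish_block_rate(GATEWAY_LOG)
    print(f"Blocked {blocked} of {total} inbound messages ({rate:.2%})")
    print(simulation_metrics(SIM_EVENTS))
```

The "silent_clickers" list is the one to act on first: those users leaked a click and never told anyone, which is the gap both the Education and Phishing Simulation Sub-Practices are meant to close.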

Not only does HICP address the top cybersecurity threats, but it also counts as a "recognized security practice" under the January 2021 amendment to the HITECH Act (Public Law 116-321, often called the HIPAA Safe Harbor law), which requires HHS to consider whether an entity had such practices in place for the preceding 12 months when it determines fines, audits, and other remedies.

In short, HICP identifies 10 Cybersecurity Practices that address most of the risk to a healthcare organization. They prescribe a simple starting point, a way to evaluate what your organization should do at a minimum, and Suggested Metrics to measure how well the practices are functioning.

If you have any questions or need assistance, please reach out to a professional at FORVIS or use the Contact Us form below.
