Health Industry Cybersecurity Practices (HICP): How You and Your Business Associates Can Implement


In January 2021, Congress passed Public Law 116-321. It directs the Department of Health and Human Services (HHS) to consider whether a covered entity or business associate had recognized security practices in place, including those outlined in 405(d) HICP, when determining fines, audits and other remedies for violations of the HIPAA Security Rule, including data breaches involving Protected Health Information (PHI). The law does not reduce penalties automatically; the organization has to be able to demonstrate that the practices were actually in place for the preceding 12 months.

So, what is HICP and how can your organization and your business associates implement HICP to improve your cybersecurity practices?

The Health Industry Cybersecurity Practices, known as 405(d) HICP or simply HICP, takes its name from section 405(d) of the Cybersecurity Act of 2015 and was developed by an HHS-led task group of more than 150 healthcare and cybersecurity experts. It was designed to integrate effective cybersecurity practices into a healthcare organization's day-to-day operations. Following HICP's outline of strategic cybersecurity processes can help your healthcare organization reduce the risk of data breaches involving PHI.

Reasons to Use HICP

Reducing fines and penalties isn't the only reason your healthcare organization should implement HICP. HICP also helps mitigate the many threats facing today's healthcare industry, and protecting your patients' private health information from cyberattacks also protects your ability to provide care.

For example, a ransomware attack that prevents your staff from accessing patient records in your EMR (Electronic Medical Records) system for an extended period can delay or degrade patient care, not just expose data.

HICP identifies the top 5 threats to healthcare as follows:

  1. Email phishing attack
  2. Ransomware attack
  3. Loss or theft of equipment or data
  4. Insider, accidental, or intentional data loss
  5. Attacks against connected medical devices that may affect patient safety

Cybersecurity Practices Detailed Within the HICP Technical Volumes

There are 10 cybersecurity practices detailed in the HICP Technical Volumes. Each practice is intended to mitigate one or more of the five threats listed above.

The 10 cybersecurity practices of HICP are:
  1. Email protection systems
  2. Endpoint protection systems
  3. Access management
  4. Data protection and loss prevention
  5. Asset management
  6. Network management
  7. Vulnerability management
  8. Incident response
  9. Medical device security
  10. Cybersecurity policies


How to Implement HICP Into Your Cybersecurity Framework

Within each of these practices are sub-practices that detail what your organization needs to do to mitigate the associated threats, 88 sub-practices in all. To make implementation easier, HICP breaks them down by organization size: Technical Volume 1 is for small organizations, and Technical Volume 2 is for mid-size and large organizations. In these suggested plans, the sub-practices are written with easy-to-understand descriptions and details about the specific controls that should be implemented.

However, if your organization already has a cybersecurity framework, why should you implement HICP? And, why should your business associates?

Other frameworks, such as NIST CSF or HITRUST CSF, do an excellent job of establishing a secure foundation, but they are general-purpose and may not address the specific threats healthcare organizations face today, some of which didn't exist when those frameworks were originally written. HICP is not a replacement for them; it supplements your current framework with healthcare-specific guidance for mitigating modern cyber threats, including phishing, ransomware, and vulnerabilities in medical devices.

HICP provides a detailed explanation of modern cybersecurity threats, including real-world scenarios and other information describing how your organization can implement HICP to work in conjunction with the framework you already use.

In addition to the Technical Volumes, HICP also comes with a user-friendly self-assessment toolkit in the form of a spreadsheet. Healthcare organizations can use it to score their current practices and determine which of the five major threats they should prioritize. The toolkit is sized to the organization, matching the small and mid-size/large tracks of the Technical Volumes.

Conducting an HICP assessment can help you identify where your organization lacks the controls needed to address today's cyber threats. Attackers constantly shift their tactics and techniques, and your defenses should shift with them. An HICP implementation can help your organization modernize its defenses, protect your patients and their PHI, and, if a breach does occur, demonstrate the recognized security practices that HHS must consider when setting fines and penalties.
