In January 2021, Congress passed Public Law 116-321 which states the Department of Health and Human Services (HHS) can take into consideration, for both covered entities and business associates, an organization's adherence to certain cybersecurity practices, including those outlined under 405(d) HICP, when determining fines and penalties resulting from violations of the HIPAA Security Rule, specifically data breaches involving Protected Health Information (PHI).
So, what is HICP and how can your organization and your business associates implement HICP to improve your cybersecurity practices?
The Health Industry Cybersecurity Practices, known as 405(d) HICP, or simply HICP, was created by over 150 healthcare and cybersecurity experts. It was designed to integrate effective cybersecurity strategies into a healthcare organization's day-to-day practices. HICP's outline for strategic cybersecurity processes can help you reduce the risk of data breaches involving protected health information in your healthcare organization.
Reasons to Use HICP
Reducing fines and penalties aren’t the only reasons your healthcare organization should implement HICP. HICP can also assist with mitigating the many threats faced by today's healthcare industry. Using HICP will help to ensure that your patient's private health information is protected from cyberattacks that can affect your ability to provide care.
For example, let’s say there’s a ransomware attack that prevents your staff from accessing patient records on your EMR (Electronic Medical Records) system for an extended period. It’s possible that cyberattacks like this could prevent you from providing proper and immediate care to your patients.
HICP identifies the top 5 threats to healthcare as follows:
- Email phishing attack
- Ransomware attack
- Theft of equipment or data
- Insider, accidental, or intentional data loss
- Attacks against connected medical devices that may affect patient safety
Cybersecurity Practices Detailed Within the HICP Technical Volumes
There are 10 cybersecurity practices detailed in the HICP Technical Volumes. It’s the goal of each practice to mitigate risks associated with targeted cyberattacks.
The 10 cybersecurity practices of HICP are:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
How to Implement HICP Into Your Cybersecurity Framework
Within each of these practices are sub-practices that detail what your organization needs to do to mitigate the associated threats. In all, there are a total of 88 sub-practices. To make implementing these sub-practices easier, HICP has broken them down by organization size. Volume 1 is for small organizations, and Volume 2 is for mid-size and large organizations. In these suggested plans, the sub-practices are written with easy-to-understand descriptions and details about the specific controls that should be implemented.
However, if your organization already has a cybersecurity framework, why should you implement HICP? And, why should your business associates?
Other frameworks, such as NIST CSF or HITRUST CSF, do an excellent job of establishing a secure foundation. Still, they may not be updated enough to meet the challenges of the modern threat landscape. The types of threats that healthcare organizations face today are certainly different from those that existed, or, in some cases, didn’t exist when these frameworks were originally written. In addition to supplementing your current frameworks and practices, HICP helps mitigate modern cyber threats, including phishing, ransomware, and vulnerabilities in medical devices.
HICP provides a detailed explanation of modern cybersecurity threats, including real-world scenarios and other information describing how your organization can implement HICP to work in conjunction with the framework you already use.
In addition to the Technical Volumes, HICP also comes with a user-friendly self-assessment toolkit (in the form of a spreadsheet). Healthcare organizations can use these tools to determine which of the five major threats they should prioritize according to their current practices. Depending on the size of your organization, HICP offers various assessments and integration tools.
Conducting an HICP assessment can help you identify where your organization may lack the necessary controls to address today's cyber threats. Attackers constantly shift and change their tactics and techniques… as should you. An HICP implementation can help your organization modernize its defenses, protect your patients and their PHI, and reduce fines and penalties if a breach occurs.