If HHS’s 405(d) Health Industry Cybersecurity Practices (HICP) guidelines are on your organization’s radar or already implemented, you likely know that updates were released for 2023 that reflect changes in healthcare risks and vulnerabilities and how organizations should respond to the changing threat landscape.
If you’re unfamiliar with 405(d) HICP, start here for an overview, what it means for healthcare organizations, and why implementing recognized security practices can make or break the outcomes of an Office for Civil Rights (OCR) investigation.
As a recap, 405(d) HICP is a voluntary set of federally recognized standards, and according to Public Law 116-321, which was signed into law in 2021, HHS must recognize the adoption of cybersecurity best practices, like 405(d) HICP, during an investigation. If an organization can demonstrate that they have had 405(d) HICP in place for no less than 12 months prior to the point of an investigation, it may result in the mitigation of fines and early, favorable regulatory treatment. Don’t mistake 405(d) HICP for regulatory relief from HIPAA; it offers organizations more specific controls and best practices to mitigate cyber risk where HIPAA has been more ambiguous.
The NIST Cybersecurity Framework (CSF) is another federally recognized security framework, and one 405(d) HICP is aligned to. In the event of an OCR investigation, OCR will ask which framework you’ve adopted and expect that you can demonstrate the implementation and use of these best practices.
Who Should Implement 405(d) HICP?
The short answer is that 405(d) HICP was designed for all healthcare covered entities and business associates. “405(d) Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients (HICP 2023 Edition)” is a free publication that examines cybersecurity threats and vulnerabilities that affect the healthcare industry. The related technical volumes go on to outline 10 cybersecurity practices to mitigate them:
- Technical Volume 1 is for small entities and is stand-alone.
- Technical Volume 2 is for medium and large healthcare entities:
  - Medium-size entities must follow medium cybersecurity practices
  - Large entities must follow medium and large cybersecurity practices
While 405(d) HICP has a strong healthcare provider focus, the guidelines are also for other organizations, like practice management and management services organizations, small device manufacturers, health plans, pharmaceutical organizations, and others. All covered entities and business associates can utilize it as part of their ongoing cybersecurity lifecycle.
Top Five Security Threats for Healthcare
The 405(d) HICP 2023 edition was updated to reflect the changes in the healthcare threat landscape and is a good indicator of what healthcare organizations of all sizes and structures are coming up against. 405(d) outlines the following top five healthcare cybersecurity threats for 2023:
- Social engineering (new in the 2023 edition): This top threat was previously listed as email phishing but was expanded to encompass related threats such as smishing, whaling, business email compromise, and more. Social engineering refers to an attempt to trick someone into giving out personal information or infecting a device by clicking on a link that gives attackers access to various sources of data.
- Ransomware: Refers to an attack that gives attackers control of data or a computer system, which they hold hostage until a ransom is paid.
- Loss or theft of equipment or data: Everyday devices such as laptops, smartphones, and USB/thumb drives are lost or stolen and could end up in attackers’ hands.
- Insider, accidental, or intentional data loss: These threats exist within every organization where employees, contractors, or other users access your organization’s technology infrastructure, network, or databases.
- Attacks against network-connected medical devices: Connected medical devices represent a growing attack vector that many organizations have yet to adequately address in their risk management strategies. One study found that 53% of hospital connected medical devices and other IoT devices have a known critical vulnerability.
2023 Updates to HICP’s Recommended Practices and Sub-Practices
405(d) HICP recommends 10 best practices your organization can use to mitigate common threats and aligns them with organization size. These recommendations are not intended to be a list of controls all organizations must implement. Instead, it’s a series of recommended practices for risk mitigation.
The 405(d) practices are described in volume 1 for small organizations and volume 2 for medium and large organizations. Each practice also has sub-practices and controls. Medium-sized organizations should start with sub-practices for medium-sized organizations. Large organizations should review sub-practices for both medium-sized and large organizations.
The HICP 2023 edition includes updates to two of the practices and three new sub-practices:
- Practice #9: Network Connected Medical Device Security: this section has been fully updated with new sub-practices to account for the growing use of connected medical devices.
- Practice #10: Cybersecurity Oversight and Governance: this was previously referred to as Cybersecurity Policies but was updated to account for the oversight and governance structures that organizations should have in place as part of their cybersecurity programs.
- Cybersecurity Insurance is new under Practice #10. With the prevalence of cyberattacks on healthcare organizations, cybersecurity insurance has become an important component of your overall cyber risk management strategy. The HICP guidelines offer information on what your insurance policies should cover.
- Cybersecurity Risk Assessment and Management is new under Practice #10: The new HICP edition now includes guidance on how to perform risk assessments and offers free federal tools you can use to perform them on your own.
- Attack Simulation is new under Practice #7. The guidelines stress the importance of simulating attacks to test your controls and safeguards and outline what to include in your simulations.
While these are the major changes reflected in the 2023 update, other minor changes and updates were made throughout the HICP guidelines, so it’s a good idea to read the entire 2023 edition if you are thinking about or have already implemented the 405(d) practices.
You can read the full list of practices and sub-practices as they apply to your organization’s size and type of business at the links below:
- Technical Volume 1: small entities (stand-alone)
- Technical Volume 2: medium and large healthcare entities
The 405(d) HICP 2023 edition also highlights two recommended practices every covered entity and business associate should consider as part of their overall cybersecurity strategy:
- Zero Trust: Building a zero trust architecture encompassing multi-layer protections strengthens your security posture. This means validating all device and user identities, both internal and external, before granting access to network resources. You can use this approach to mitigate vulnerabilities that network trends create, including bring your own device (BYOD), cloud-based services, and remote workers. Your organization can enable a zero trust strategy at all network levels to ensure a strong security posture. Implementing an access and identity management solution and leveraging a least-privilege access process together are good starting points to a zero trust model.
- Defense in depth: A holistic cybersecurity approach, such as defense-in-depth, can slow attacks and minimize damage. Defense-in-depth layers multiple security safeguards rather than relying on a single layer. If one layer is inadequate, another layer will hopefully prevent a full breach. This is a best practice strategy you can implement in different ways (for different entity sizes) based on relevance across your entire infrastructure. The 405(d) HICP guide recommends that you include identity and access user controls, perimeter security, network security, patch management, intrusion prevention, and endpoint solutions. These are covered in more detail under their relevant practices in technical volumes 1 and 2.
Demonstrating Adequate Protections
To take full advantage of a 405(d) program in your organization, you’ll need a process for documenting that the HICP guidelines have been implemented and for how long. Under Public Law 116-321, in the event of an OCR investigation an organization must demonstrate that it has had recognized cybersecurity best practices in place for no less than 12 months before the point of an incident or investigation. Here are some recommended forms of documentation suggested by HHS:
- A copy of policies and procedures on practice implementation
- Completed project plans or similar documentation showing implementation date(s)
- Documentation of sufficient detail explaining how your organization implemented these practices (including implementation of specific elements or sub-practices and scope of implementation throughout your organization)
- Name of individual(s) responsible for implementation
- Training materials provided to your workforce and training dates
- Other documentation for OCR consideration
OCR will consider all documentation that adequately demonstrates the recognized security practices have been in place for at least the previous 12 months.
Clearwater’s IRM|405(d) HICP™ software module simplifies documenting and reporting the implementation of your 405(d) HICP program. Even more importantly, the software can be used independently or by Clearwater’s team of 405(d) experts to assess your program against the 405(d) HICP guidelines so you can quickly identify any gaps and remedy them.
Here are some highlights of Clearwater’s 405(d) HICP assessment:
- Gap assessment against all 10 best practices in the 405(d) HICP guidelines, relative to organizational size
- Built-in wizard-style guide that walks the assessor through the process
- Automated expert remediation plan
- Ability to assign work/dynamic dashboard to effectively manage accountability, due dates, and remediation progress
- Upload and store all documentation
- Audit ready reports
405(d) Is Not a Replacement for Risk Analysis
405(d) is not a replacement for ensuring the appropriate HIPAA policies and procedures are in place for your organization; rather, for 405(d) success, your risk management strategies should be comprehensive in scope.
All organizations associated with developing the 405(d) program recommend beginning with a risk analysis, the results of which can help you identify and prioritize the rollout of your 405(d) HICP controls.
Ready to get started? Whether you need help demonstrating your organization’s use of 405(d) HICP or you’re just getting started, our team of cybersecurity and compliance experts can help. Let’s connect.