Clearwater Introduces New 405(d) HICP Assessment and Related Software Tool to Help Healthcare Organizations Demonstrate Federally Recognized Cybersecurity Practices Are in Place

Healthcare’s Cyber Risk Management Leader Expands Solution Set to Include Consulting Services and a New IRM|Pro® Module Developed to Efficiently Assess Performance Against 405(d) Health Industry Cybersecurity Practices

NASHVILLE, TN (March 1, 2022) – Clearwater, the leading provider of Enterprise Cyber Risk Management and HIPAA Compliance solutions for the healthcare industry, announced today its 405(d) HICP Assessment and IRM|405(d) HICP™ software, an addition to the company’s suite of software products delivered through its SaaS-based platform IRM|Pro®. The new offering, which includes consulting services and software that can be purchased together or independently, can help healthcare organizations position themselves to reduce fines and penalties, shorten or terminate audits, and mitigate remedies that would otherwise be involved in resolving potential violations of the HIPAA Security Rule, by demonstrating recognized security practices have been in place for at least 12 months.

The Cybersecurity Act of 2015 (CSA), Section 405(d), established an industry-led process to develop consensus-based guidelines, practices, and methodologies to strengthen the healthcare sector’s cybersecurity posture against cyber threats. This effort led to the development of the 405(d) Health Industry Cybersecurity Practices (HICP) Guide, which identifies ten practices that are tailored to small, medium, and large organizations.

With the passing of Public Law 116-321 (HR 7898) in early 2021, Congress underscored the importance and value of 405(d) HICP by requiring the Secretary of Health and Human Services to consider it among the recognized security practices of covered entities and business associates when determining fines and penalties related to a breach of protected health information. Evidence that recognized security practices are in place may be requested in regulatory inquiries and investigations. Additionally, some investors, cyber insurers, and other third parties have begun requiring that healthcare organizations they contract with demonstrate adoption of recognized security practices.

“We developed the 405(d) HICP Assessment and IRM|405(d) HICP to bring clarity and accessibility to the best practices contained within the 405(d) HICP Guide,” says Clearwater CEO Steve Cagle. “Though the guide was published in 2018, many healthcare organizations are unaware of how well their cybersecurity program maps to the practices that are defined. IRM|405(d) HICP and our leading team of cybersecurity experts give healthcare leaders very practical tools and guidance for evaluating their organization’s performance relative to those practices, helping them identify and address gaps that put the organization at risk.”

Through a structured assessment and purpose-built software solution that are directly in alignment with the 405(d) HICP Guide, Clearwater is helping healthcare organizations assess how well they satisfy the guide’s explicit requirements, identify current gaps, and equip teams to address those gaps. Additionally, the solution provides a repeatable, sustainable methodology and platform to complete and document an evaluation of these practices each year.

The assessment and IRM|405(d) HICP tool are available in small, medium, and large editions, aligned to the corresponding 405(d) HICP technical volumes.

“Demonstrating that you are following 405(d) HICP positions healthcare organizations favorably in the case of an audit or inquiry and drives better protection of PHI,” explained Clearwater’s Chief Product Officer Jon Stone, lead architect of the company’s IRM|Pro software solutions. “We developed our new IRM|405(d) HICP software solution to help healthcare leaders streamline and rapidly advance their assessment of those practices so they can strengthen their risk postures and build confidence in their security practices.”

To learn more about Clearwater’s 405(d) HICP solutions, visit these pages on the company’s website:


About Clearwater

Clearwater is the leading provider of cybersecurity, risk management, and HIPAA compliance software, consulting, and managed services for the healthcare industry. Our solutions enable organizations to avoid preventable breaches, protect patients and their data, meet regulatory requirements, and optimize cybersecurity investments. More than 400 healthcare organizations, including 70 of the nation’s largest health systems and a large universe of physician groups and digital health companies, trust Clearwater to meet their cybersecurity and compliance needs. For more information about Clearwater, please visit


