About HICP and Why it Matters

The publication of the HHS 405(d) Health Industry Cybersecurity Practices (HICP) in 2019 outlines a healthcare-specific approach to cybersecurity. It was developed by the HHS in partnership with organizations across the healthcare industry and is designed to provide “practical, understandable, implementable, industry-led, and consensus-based voluntary cybersecurity guidelines to cost-effectively reduce cybersecurity risks” for “healthcare organizations of varying sizes.” To achieve this, HICP focuses on the five most prevalent cybersecurity threats and ten cybersecurity practices that address those threats.

HICP Cybersecurity Threats

  • E-mail phishing attack
  • Ransomware attack
  • Loss or theft of equipment or data
  • Insider, accidental or intentional data loss
  • Attacks against connected medical devices that may affect patient safety

HICP Practice Areas

  • E-mail Protection Systems
  • Endpoint Protection Systems
  • Access Management
  • Data Protection and Loss Prevention
  • Asset Management
  • Network Management
  • Vulnerability Management
  • Incident Response
  • Medical Device Security
  • Cybersecurity Policies

Helping Providers Assess Their Capabilities

Censinet RiskOps for HICP is designed for IT, Security, Risk and GRC teams within healthcare organizations of varying sizes, ranging from local clinics and regional hospital systems to large healthcare systems, as well as the third parties that support them. It delivers an easy-to-use solution that enables you to assess and improve your organization’s cybersecurity posture while demonstrating the use of HICP in accordance with the law. It creates, in essence, another layer of insurance for healthcare organizations trying to mitigate the impact of cyberattacks by focusing on the threats and most prevalent threats to patients and their data.



“The Health Sector Coordinating Council established HICP to reduce cybersecurity risk cost-effectively, support organizational adoption, and deliver actionable guidance for protecting patient safety and data. A solution such as Censinet gives healthcare providers the means to easily and effectively support the creation and management of HICP, resulting in a more protected healthcare system”

-Erik Decker, Chief Information Security Officer at Intermountain Healthcare,
Co-Lead of the 405(d) Task Group,
and Chair of the Healthcare and Public Health Sector Coordinating Council Cyber Security Working Group.


How Censinet RiskOps for HICP Works

Censinet streamlines the 200+ pages of HICP documentation into an easy-to-use and powerful workflow that ensures you have a clear picture of your HICP coverage and the actions needed to improve your organization’s cybersecurity posture.

  • HICP-based questionnaires aligned to organization size
  • Automated generation and tracking of findings and remediations
  • Peer benchmarking
  • Forecasts projecting future risk coverage based on identified corrective actions completion
  • Evidence uploading to demonstrate best practice adoption
  • Report generation for Department of Health and Human Services (HHS), Office for Civil Rights (OCR), and insurance
  • Assessment segmentation for evaluating regional or practice area risk exposure
  • Custom scheduling of assessments and reassessment to match organizational requirements
  • Scoping assessments to address unique organizational structure
  • Importation of previous assessments for establishing a single repository
  • Executive dashboard that reports on overall cyber posture

The assessment workflow guides your organization through an internal audit that maps directly to the 405(d) HICP documentation. It automatically generates a report for your board or HHS that demonstrates your cyber posture.

The Censinet RiskOps for HICP Command Center dashboard automatically populated by assessment activity, provides an executive-level ready view of your HICP coverage, along with progress tracking and a clear indication of investment opportunities.

HICP - Coverage Dashboard

Getting Started with HICP

With Censinet, everything you need to assess your HICP coverage, identify areas for investment, and capture required evidence needed for the OCR is available right out of the box.

It takes 12 months of demonstrated use of HICP to qualify for OCR consideration for reduction or removal of fines, early, favorable termination of audits, and mitigation of the remedies in settlement agreements. As a result, there is an urgency to get started.

Censinet is allowing all providers and healthcare organizations access to the Censinet RiskOps platform to perform an initial HICP assessment as a means of quickly documenting which best practices are already in place and which actions need to be taken to reach 100% coverage.