Health Industry Cybersecurity Practices
Consensus cybersecurity practices for healthcare published under HHS Section 405(d), the recognized 'reasonable practices' safe-harbor reference.
Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.
Definition
Health Industry Cybersecurity Practices (HICP) is a publication series produced by the HHS 405(d) Task Group, a public-private collaboration of the Department of Health and Human Services and more than 200 healthcare and cybersecurity organizations. HICP defines voluntary, consensus-based cybersecurity practices scoped to small, medium, and large healthcare organizations. The 2023 edition (HICP 2023) updated the original 10 practice areas and aligned them to the NIST Cybersecurity Framework.
What the regulation says
HHS 405(d) HICP is explicitly named in HHS guidance on 'recognized security practices' for purposes of HIPAA enforcement discretion under PL 116-321. CISA's Healthcare and Public Health Sector Cybersecurity Performance Goals (HPH-CPG) are derived from and aligned to HICP practices.
What this means in practice
HICP matters legally as well as technically: under Public Law 116-321 (the HITECH Safe Harbor amendment), HHS Office for Civil Rights (OCR) is required to consider whether a covered entity or business associate has, for at least the prior 12 months, adequately demonstrated 'recognized security practices' when calculating HIPAA penalties or audit outcomes. HICP is the most commonly cited recognized-practices framework. For medical device manufacturers selling to hospitals, conformance to HICP, and the ability to provide MDS2 documentation that maps to it, is increasingly a procurement requirement.
Common pitfalls
- Confusing HICP with the HIPAA Security Rule: HIPAA sets the requirements, HICP describes how to meet them.
- Manufacturers ignoring HICP because it is hospital-facing: your products must enable hospital HICP conformance, particularly around asset management, identity, and vulnerability management.
- Citing HICP 2018: the current edition is HICP 2023, with updated technical volumes and a separate Cybersecurity Framework Implementation Guide.