Exploring the Health Industry Cybersecurity Practices (HICP) Publication, How to Use It

The Health Industry Cybersecurity Practices (HICP) publication can be a key asset to improving cybersecurity within healthcare organizations of all sizes.

The “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” publication, known as “HICP” for short, is the product of healthcare industry leaders and government representatives coming together to tackle mounting healthcare cybersecurity threats.

First published in January 2019 and updated in 2023, HICP is a four-volume publication that served as the industry’s response to the Cybersecurity Act of 2015 Section 405(d)’s requirement to develop practical cybersecurity guidelines to reduce cyber risk in the healthcare industry in a cost-effective manner.

In a sector that is notoriously under-resourced and highly targeted, the document remains a welcome free resource. But with multiple volumes and a variety of content areas, healthcare security practitioners may ask themselves how best to use the HICP.

Below, HealthITSecurity will provide an overview of the HICP’s sections and highlight some of the ways in which the publication’s authors intended for it to be used.

Key Elements of HICP

HICP offers a set of voluntary, industry-led guidelines and best practices to reach three central goals, as stated in the main document: to cost-effectively reduce cyber risk for the sector, to support the voluntary adoption of its recommendations, and to ensure that the content is actionable and relevant to healthcare stakeholders of all sizes and resource levels.

HICP consists of a main document, two technical volumes, and a resources and templates volume. Each serves a unique purpose and can be leveraged by healthcare organizations of varying sizes and security program complexity.

The main document outlines current cyber threats facing the healthcare sector and establishes a call to action, encouraging healthcare security leaders to raise awareness of cyber risk and recognize cybersecurity as a patient safety issue.

“Given the increasingly sophisticated and widespread nature of cyber-attacks, the HPH sector must make cybersecurity a priority and make the investments needed to protect its patients,” the main document states.

“Like combatting a deadly virus, cybersecurity requires mobilization and coordination of resources across myriad public and private stakeholders [including hospitals, IT vendors, connected medical device manufacturers, and governments (state, local, tribal, territorial, and federal)] to mitigate the risks and minimize the impacts of a cyber-attack. HHS and the HPH sector are working together to address these challenges.”

While the main document makes the case for the importance of tackling cyber risk in the healthcare sector, the two technical volumes are more granular.

Technical Volume 1 identifies and defines ten cybersecurity practices and sub-practices for small healthcare organizations. Technical Volume 2 follows the same format but is geared toward medium- and large-sized organizations. Both technical volumes are intended to be used by IT and cybersecurity professionals.

The technical volumes address the following ten cybersecurity practices (CSPs) along with strategies for mitigating risk in these areas:

  • Email Protection Systems
  • Endpoint Protection Systems
  • Access Management
  • Data Protection and Loss Prevention
  • Asset Management
  • Network Management
  • Vulnerability Management
  • Security Operation Centers and Incident Response
  • Network Connected Medical Devices
  • Cybersecurity Oversight and Governance

Lastly, the resources and templates volume offers resources and references to supplement the content in the main document and the technical volumes.

Healthcare security practitioners can use these volumes to guide and improve their organization’s security practices, raising the bar for the entire sector in the process.

How to Use HICP

“This Main Document and the accompanying Technical Volumes are intended to be descriptive, rather than prescriptive,” the main document states.

“All the practices presented can be reviewed for applicability within your organization to reduce the potential impacts of the five current threats discussed in the previous sections.”

Rather than introducing another new framework or regulatory requirement, the HICP publication is meant to serve as a best practices guide. The practices are not prioritized, and organizations can pick and choose what practices to focus on, adopt, and implement at their own pace.

“An organization should assess its current security and risk posture to determine how to prioritize the practices and should allocate resources accordingly,” the HICP advises.

What’s more, the two technical volumes are aligned with the outcomes outlined in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a framework that many healthcare organizations are already familiar with.

The HICP hinges on two central approaches to cybersecurity: zero trust and defense-in-depth. The document encourages organizations to use the practices addressed in the HICP to help them implement the controls that each of those strategies revolves around.

For example, organizations can bolster their zero trust strategy using guidelines described in CSP number three: access management. Technical Volumes 1 and 2 provide guidance on how to apply least privilege access processes, which are the foundation of a solid zero trust architecture.

Essentially, organizations of all sizes and resource levels can leverage different elements of the HICP to enhance their existing security strategies and improve their security posture. The HICP is a dynamic document that can be applied in different ways as the threat landscape shifts.

“To adequately maintain patient safety and protect our sector’s information and data, there must be a culture change and an acceptance of the importance and necessity of cybersecurity as an integrated part of patient care,” the document continues.

“The changes and the resulting effort required will not abate, but will rather change with the times, technologies, threats, and events. Now is the time to start, and, together, we can achieve real results.”