Hosted by JANUS Associates, this document was developed when HHS partnered with the Health Sector Coordinating Council (HSCC) to conduct a Landscape Analysis of common attack points used against United States (US) hospitals. This Landscape Analysis was created to better identify the biggest threats facing hospitals. It assesses their cybersecurity capabilities relative to commonly accepted cybersecurity practices and aims to raise awareness of cybersecurity risks, provide best practices, and help set standards in mitigating the most pertinent cybersecurity threats to the sector.

Two separate technical volumes are appended to the primary document. The first is for use by small healthcare entities, while the second is geared towards medium and large healthcare entities. Each volume provides HIPAA compliance recommendations.

The HIPAA Security Rule (45 C.F.R. § 164.306) sets out standards that a covered entity must comply with and provides for a technology-neutral framework that is scalable and flexible. It allows covered entities to comply in a consistent manner based on the specific size and circumstances of their environment.

This document contains recommended practices to help prevent, react to, and recover from possible cybersecurity threats and intrusions. The HICP technical volumes group these into sub-practices based on the size of the organization. The document provides guidance across the following areas:

Asset Management
Email Protection Systems
Network Connected Medical Devices
Data Protection & Loss Prevention
Security Operation Centers and Incident Response
Access Management
Network Management
Vulnerability Management
Endpoint Protection Technology Systems
Cybersecurity Oversight and Governance