What Is 405(d) and How It Impacts Healthcare Cybersecurity?

The 405(d) Health Industry Cybersecurity Practices (HICP) initiative is a federal public-private partnership led by the U.S. Department of Health & Human Services (HHS) to improve cybersecurity across the healthcare and public health sector.

Commonly referred to as “405(d),” “HHS 405(d),” or “HICP,” the program provides practical, implementation-focused cybersecurity guidance designed specifically for healthcare organizations.

As cybersecurity expectations from regulators, cyber insurers, governing boards, and business partners continue to increase, interest in 405(d) guidance and HICP best practices continues to grow.

What Is the 405(d) Program?

The 405(d) Program was established under the Cybersecurity Act of 2015 to advance healthcare cybersecurity through practical, voluntary guidance developed collaboratively between government and industry.

Unlike broad cybersecurity frameworks that can be complex or resource-intensive, 405(d) focuses on:

  • The most common cybersecurity threats facing healthcare
  • Practical safeguards that reduce risk
  • Scalable implementation guidance
  • Operationally realistic security practices

The program’s primary publication is the Health Industry Cybersecurity Practices (HICP) guidance.

The Health Industry Cybersecurity Practices (HICP) guidance identifies the most significant cybersecurity threats facing healthcare organizations and provides ten prioritized cybersecurity practices with implementation guidance scaled for organizations of different sizes.

HICP helps healthcare organizations strengthen resilience against threats including:

  • Ransomware
  • Social engineering attacks, including phishing and business email compromise
  • Insider threats
  • Medical device vulnerabilities
  • Data loss and system downtime

Rather than serving as another regulatory framework, HICP provides practical recommendations that align with widely recognized cybersecurity frameworks such as the NIST Cybersecurity Framework while remaining healthcare-specific and implementation-focused.

Organizations searching for terms like “HICP framework,” “405(d) guidance,” or “healthcare cybersecurity best practices” are typically looking for practical, prioritized recommendations that can be implemented without overengineering their security programs.

Since the publication of HICP, HHS has introduced the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs) to help organizations prioritize foundational cybersecurity improvements.

The HPH CPGs build upon and align with 405(d) guidance by identifying high-impact cybersecurity practices that organizations can implement to reduce cyber risk and improve operational resilience. Many healthcare organizations use HICP together with the HPH CPGs as complementary resources for strengthening cybersecurity programs.

Healthcare remains one of the most frequently targeted sectors for ransomware and other cyberattacks. At the same time, expectations from regulators, cyber insurers, governing boards, and business partners continue to increase.

Healthcare organizations face:

  • Increased scrutiny from regulators
  • Heightened expectations from executive leadership and governing boards
  • Greater accountability for third-party and supply chain risk
  • Growing operational disruption from cyber incidents

As a result, many organizations are turning to 405(d) and HICP guidance as a practical, federally developed starting point for strengthening cybersecurity programs.

Search interest in terms such as:

  • “405(d) healthcare cybersecurity”
  • “HHS 405(d) guidance”
  • “Health Industry Cybersecurity Practices PDF”
  • “405(d) implementation”

continues to grow as healthcare leaders seek trusted guidance.

No.

405(d) guidance is voluntary and is not a regulatory requirement or formal compliance mandate.

However, it is widely recognized as authoritative federal guidance for healthcare cybersecurity and is increasingly used to support:

  • Risk management programs
  • Board-level cybersecurity reporting
  • Cybersecurity maturity initiatives
  • Ransomware preparedness
  • Prioritization of cybersecurity investments

While organizations are not required to implement 405(d), aligning with its recommendations can help demonstrate due diligence and adoption of recognized cybersecurity best practices.

The 405(d) Health Industry Cybersecurity Practices guidance is particularly valuable for:

  • Hospitals and health systems
  • Community hospitals
  • Rural and critical access hospitals
  • Physician practices
  • Public health agencies
  • Healthcare technology vendors
  • Managed service providers supporting healthcare

Small and mid-sized healthcare organizations often find HICP especially valuable because it translates cybersecurity concepts into practical, achievable safeguards.

Healthcare organizations commonly implement 405(d) by:

  • Conducting a 405(d) gap assessment
  • Mapping current security controls to HICP recommendations
  • Developing a prioritized remediation roadmap
  • Aligning cybersecurity initiatives with organizational risk
  • Integrating 405(d) into governance and reporting processes

Because HICP focuses on real-world healthcare threats, it bridges the gap between high-level cybersecurity frameworks and day-to-day operational execution.

The official 405(d) Program, Health Industry Cybersecurity Practices (HICP) guidance, and Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs) are published by the U.S. Department of Health & Human Services.

Organizations can access:

  • Health Industry Cybersecurity Practices (HICP) publications
  • Technical volumes
  • Healthcare and Public Health Cybersecurity Performance Goals (CPGs)
  • Educational resources and implementation materials

This page is provided for informational purposes and is not affiliated with or endorsed by the U.S. Department of Health & Human Services.

Understanding 405(d) guidance is only the first step. Successfully implementing HICP recommendations requires:

  • Structured risk assessments
  • Executive alignment
  • Operational integration
  • Ongoing performance monitoring

We help healthcare organizations operationalize 405(d), HICP, and related cybersecurity best practices in ways that strengthen resilience while supporting organizational objectives.

Strengthen Your 405(d) Cybersecurity Strategy

If your organization is evaluating 405(d) guidance or seeking to align with Health Industry Cybersecurity Practices, we can help you:

  • Perform a 405(d) maturity assessment
  • Identify priority risk gaps
  • Build a practical implementation roadmap
  • Align cybersecurity investments with organizational risk