The HICP was developed in response to a mandate set forth by the Cybersecurity Act of 2015 (CISA). In Section 405(d) of CISA, HHS was directed to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the health care industry. The publication was the result of a two-year effort that brought together more than 150 cybersecurity and health care experts from the industry and government.

The HICP provides certain basic cybersecurity practices and is further explained in three additional documents. The main document (the HICP) explores the five most relevant and current threats to the industry and recommends ten cybersecurity practices to help mitigate these threats. Organizations should implement all ten recommendations.

The publication also includes two technical volumes geared for IT and IT security professionals. Technical Volume 1 focuses on cybersecurity practices for small health care organizations (generally a group with less than ten providers), while Technical Volume 2 focuses on practices for medium and large health care organizations. The final document provides resources and templates that organizations can leverage to assess their own cybersecurity posture as well as reassess their current documented policies and procedures. Organizations must pay close heed to the applicable volume as it outlines threshold expectations and will likely be used as an "industry standard and/or reasonableness test" for contracting and government enforcement.

Cybersecurity remains a top priority for HHS. HHS has stated it intends to continue working with the industry and will work with stakeholders to raise awareness and implement the recommended cybersecurity practices across the entire sector. For more information on this effort and to download a copy of the publication, please visit www.phe.gov/405d.