HICP (98 requirements)
Health Industry Cybersecurity Practices (HICP / 405(d)) — voluntary, threat-informed cybersecurity practices for healthcare organizations of varying sizes.
Requirements in this framework
- Access Logging and Monitoring
- Access management
- Access Reviews and Recertification
- Account Provisioning and Deprovisioning
- Antivirus and Anti-Malware
- Application Whitelisting
- Backup and Recovery
- Breach Notification Procedures
- Business Associate Agreements
- Business Continuity Planning
- Cloud Data Protection
- Cyber Insurance Coordination
- Cybersecurity Governance
- Data Classification
- Data Disposal and Sanitization
- Data Inventory and Mapping
- Data Loss Prevention Controls
- Data Minimization
- Data protection and loss prevention
- Data protection and loss prevention operations
- Data Protection Monitoring
- Data Retention Policy
- De-Identification and Anonymization
- DMARC Email Authentication
- DNS Security
- Email Attachment Sandboxing
- Email Data Loss Prevention
- Email Encryption
- Email Protection System Implementation
- Email protection systems
- Email Security Logging and Monitoring
- Email Security Policy
- Encryption at Rest
- Encryption in Transit
- Endpoint Backup and Recovery
- Endpoint Detection and Response
- Endpoint Hardening
- Endpoint Inventory and Visibility
- Endpoint protection
- External Email Tagging
- Firewall and Perimeter Protection
- Full Disk Encryption
- Host-Based Firewall
- Identity Analytics and Risk Scoring
- Identity and access management controls
- Identity Directory Services
- Identity Governance Framework
- Incident Communication Plan
- Incident response and cyber resilience
- Incident Response Automation
- Incident Response Plan
- Incident Response Team
- Intrusion Detection and Prevention
- IoT and Connected Device Security
- Legacy System Compensating Controls
- Manufacturer Disclosure Review
- Medical device and legacy system risk management
- Medical Device Inventory
- Medical Device Lifecycle Management
- Medical Device Network Isolation
- Medical Device Patch Management
- Medical Device Risk Assessment
- Mobile Device Management
- Multi-Factor Authentication
- Network Architecture Documentation
- Network management and resilience
- Network Monitoring and Logging
- Network Segmentation
- Network Vulnerability Management
- Password Policy and Credential Management
- Patch Management
- PHI Data Handling Procedures
- Phishing Simulation and Training
- Post-Incident Analysis
- Privileged Access Management
- Ransomware Response Planning
- Removable Media Controls
- Role-Based Access Control
- Security Awareness Training
- Separation of Duties
- Service Account Management
- Session Management
- Single Sign-On Integration
- Supply Chain Risk Management
- Suspicious Email Reporting
- Tabletop Exercises and Testing
- Third-party and business partner cybersecurity
- Vendor Access Controls
- Vendor Incident Response Coordination
- Vendor Offboarding
- Vendor Risk Assessment
- Vendor Risk Tiering
- Vendor Security Monitoring
- VPN and Remote Access Security
- Wireless Network Security
- Workforce Identity Verification
- Zero Trust Access Principles
- Zero Trust Architecture Planning