HHS and Industry Release Voluntary Cybersecurity Practices for the Health Industry

HHS, in partnership with industry, is pleased to announce the release of the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” publication. The four-volume publication seeks to raise awareness for executives, health care practitioners, providers, and health delivery organizations, such as hospitals. It is applicable to health organizations of all types and sizes across the industry.

This industry-led effort was in response to a mandate set forth by the Cybersecurity Act of 2015 Section 405(d), to develop practical cybersecurity guidelines to cost-effectively reduce cybersecurity risks for the healthcare industry. The publication marks the culmination of a two-year effort that brought together over 150 cybersecurity and healthcare experts from industry and the government under the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

Cybersecurity Practices

Managing Threats and Protecting Patients
Cybersecurity Practices for Small Health Care Organizations
Cybersecurity Practices for Medium and Large Health Care Organizations
Resources & Templates


Hacked! What to Do Following a Cyberattack
A Wicked Problem

Other Important Documents

Assessment of Employee Susceptibility to Phishing Attacks at US Health Care Institutions
RMH Chapter 08 Incident Response Appendix K Incident Report Template
FACT SHEET: Ransomware and HIPAA
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
NIST Privacy Framework 1.0


Resource Documents