U.S. HICP (Medium Practice) — Health Industry Cybersecurity Practices

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
U.S. HICP (Medium Practice) is a cybersecurity framework tailored for medium-sized healthcare organizations, providing practical guidance for identifying, managing, and mitigating common cybersecurity threats. The framework aims to enhance cybersecurity resilience and protect sensitive health information within medium-sized healthcare settings.
Developed by the U.S. Department of Health and Human Services (HHS) in collaboration with industry and government partners, HICP Medium Practice is designed for organizations with 200 to 500 employees. It provides threat-specific mitigation recommendations organized into ten cybersecurity practice areas, focusing on the five most prevalent cyber threats facing healthcare organizations.
Organizations implement HICP Medium Practice by integrating its recommended practices into existing security and compliance programs, conducting risk assessments, and aligning cybersecurity activities with HIPAA and other applicable regulations.
Why it Matters
HICP (Medium Practice) provides medium-sized healthcare organizations with actionable, threat-focused cybersecurity guidance scaled to their operational environment.
Key benefits include:
Address healthcare-specific threats
Implement targeted controls for the five most prevalent cyber threats to healthcare organizations, including phishing and ransomware.
Support HIPAA compliance
Align security practices with HIPAA Security Rule requirements through practical, implementable guidance tailored to medium healthcare settings.
Improve risk management
Apply a structured risk management approach to prioritize security investments and reduce cybersecurity vulnerabilities.
Enhance incident response
Develop capabilities to detect, contain, and recover from cybersecurity incidents affecting clinical operations and patient data.
How it Works
HICP Medium Practice structures its guidance around five key cyber threats to healthcare organizations and ten cybersecurity practice areas. The framework maps threats to specific technical practices with recommendations scaled to the medium practice size and complexity.
Organizations implement HICP Medium Practice by conducting gap assessments against the ten practice areas, prioritizing improvements based on threat relevance and risk, implementing recommended technical and administrative controls, and monitoring ongoing compliance.
Key Elements
Threat-Focused Practice Areas
Organizes cybersecurity guidance around the five key threats most relevant to healthcare organizations of medium size.
Ten Cybersecurity Practice Areas
Provides structured guidance across ten domains including email protection, endpoint protection, and access management.
Scalable Technical Recommendations
Offers implementation guidance scaled to the capabilities and resources of medium-sized healthcare organizations.
HIPAA Alignment
Connects cybersecurity practices to HIPAA Security Rule requirements to support regulatory compliance.
Framework Scope
U.S. HICP (Medium Practice) is designed for healthcare organizations with 200 to 500 employees handling electronic health information and clinical operations.
Framework Objectives
HICP (Medium Practice) provides medium-sized healthcare organizations with targeted cybersecurity guidance to reduce threats and improve resilience.
Address the five most prevalent cybersecurity threats facing medium healthcare organizations
Support HIPAA compliance through practical, scalable security controls
Enhance cybersecurity risk management and governance practices
Improve detection and response capabilities for cyber incidents
Protect patient data and clinical operations from cybersecurity threats
Enable audit readiness through documented security practices and controls
- Classification: Category: Cybersecurity; Domain: Cybersecurity; Framework Family: Other
- Regulatory Context: Type: Guidance; Legal Instrument: Framework; Sector: Healthcare Sector; Industry: Healthcare & Life Sciences
- Region / Publisher: Region: North America; Region Detail: United States; Publisher: U.S. Department of Health and Human Services (HHS)
- Versioning: Version: HICP 2023; Effective Date: January 2019; Issue Date: December 28, 2018
- Adoption: Adoption Model: Security Baseline; Implementation Complexity: Moderate
- Official Reference: Source
License included / downloadable: Yes
HICP is published by HHS and is publicly available for free from official HHS and NIST websites. License included with platform
How SmartSuite Supports HICP (Medium Practice)
Strengthen cybersecurity protections for mid-sized healthcare organizations by organizing HICP recommended safeguards, tracking implementation progress, and maintaining documentation supporting healthcare cybersecurity resilience.
HICP Security Practices Library
Organize HICP cybersecurity practices aligned to the top healthcare cybersecurity threats.
Asset and System Risk Visibility
Track medical devices, EHR systems, clinical applications, and supporting infrastructure requiring protection.
Security Risk Assessment and Mitigation Planning
Identify cybersecurity risks affecting healthcare operations and track mitigation strategies.
Identity, Access, and Endpoint Security Governance
Manage authentication controls, endpoint protection, and privileged access to clinical systems.
Vendor and Third-Party Risk Oversight
Monitor cybersecurity risks associated with healthcare vendors, software providers, and connected medical devices.
Healthcare Cybersecurity Incident and Program Maturity Reporting
Track cybersecurity incidents, remediation actions, and program maturity across healthcare security operations.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

COBIT 2019 is a governance framework that helps organizations govern and manage IT to meet business goals, risks, and compliance.

HITRUST CSF is a certifiable, risk-based cybersecurity and privacy framework for managing regulatory compliance and protecting sensitive data.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.
Frequently Asked Questions For U.S. HICP (Medium Practice) — Health Industry Cybersecurity Practices
The U.S. Health Industry Cybersecurity Practices (HICP) Medium Practice is designed to assist healthcare organizations in identifying and implementing cybersecurity practices that address common threats. Its goal is to improve organizational cyber resilience and better protect sensitive health information and systems.
U.S. HICP is not a mandatory or certifiable standard but is a voluntary set of cybersecurity guidelines. However, adopting HICP may demonstrate reasonable security practices under regulatory scrutiny, such as during HIPAA audits, and can serve as evidence of due diligence regarding information protection.
The HICP Medium Practice is intended for mid-sized healthcare providers and organizations with moderate resources and cybersecurity maturity. Organizations should assess their environment, resource availability, and risk tolerance to determine if Medium Practice aligns with their needs.
Medium Practice focuses on five top threats: email phishing, ransomware, loss/theft of equipment, insider threats, and attacks against network-connected medical devices. It provides actionable controls, such as multi-factor authentication, endpoint protection, regular backups, access management, and security training.
Implementation involves reviewing organizational risks, mapping HICP’s suggested practices against current controls, and closing identified security gaps. Engagement from leadership, documented policies, technology updates, and employee awareness are critical steps in operationalizing Medium Practice recommendations.
HICP complements regulatory and industry standards like HIPAA Security Rule and NIST Cybersecurity Framework. While it doesn't replace these requirements, it provides practical, threat-informed guidance that can support compliance with broader regulatory obligations.
While not subject to certification, maintaining alignment with HICP involves continually assessing risks, updating controls, training staff, and reviewing cyber incidents. Documenting adherence to HICP practices provides a defensible position during audits or investigations.
SmartSuite can help organizations manage U.S. HICP by enabling effective risk tracking, control implementation, and evidence collection. Its workflow tools support audit readiness, continuous monitoring, and generate reports that facilitate proactive compliance and assurance activities.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

