405(d): What is it and why should you care?

What is 405(d)? 

With security incidents and breaches increasing year over year within the healthcare sector, it is up to both public and private organizations and cybersecurity experts to build a more secure healthcare system. In 2015, congress passed the Cybersecurity Act to help combat the increase in cyber threats to critical infrastructure. As a more recent provision of the Cybersecurity Act, the Department of Health and Human Services (HHS) established a public-private partner initiative called 405(d) to align healthcare cybersecurity approaches and best practices under a single mission, “to create, manage and lead all industry processes to develop consensus-based guidelines, practices, and methodologies to strengthen the health
care sector’s cybersecurity posture against cyber threats.”  

A task group comprised of public and private organizations collaborated to identify the top 5 threats to healthcare and established 10 Best Practices to guide organizations to become more resilient to common security threats, especially for organizations that struggle with resources, expertise and funding. The task group also issued a publication called Health Industry Cybersecurity Practices (HICP), addressing the security needs of small, medium and large organizations. 405(d) and HICP serve as a best practice framework that can be adopted by any organization regardless of size or cybersecurity program maturity. As healthcare continues to move towards cloud-based systems and greater information-sharing, adopting these cybersecurity best practices is essential to combating the ever-growing prevalence of security threats. 


What does 405(d) mean for your organization? 

If you are a healthcare provider, you are the “steward” of your patient’s data under HIPAA and are responsible for safeguarding PHI/ePHI and ensuring quality care is available to current and future patients. If you are a payer or business associate, you are responsible for protecting PHI/ePHI as you perform healthcare functions on behalf of providers. Cyber-attacks are a threat to patient data, healthcare business processes and care coordination functions. The increasing complexity and innovation of cyber-attacks make it difficult for healthcare organizations to keep up.

405(d) offers implementation guidance for all healthcare organizations, regardless of size. For smaller and mid-size organizations who either haven’t adopted a cybersecurity framework or are early in the process, maintaining HIPAA compliance and adopting 405(d) will increase their compliance and risk management capabilities leading to an elevated security posture, a greater chance of obtaining cyber liability insurance at more reasonable rates and reducing the possibility of a costly breach. 

405(d) is an excellent bridge between HIPAA compliance and a cybersecurity framework. If a healthcare organization is currently unable to adopt a full cybersecurity framework like the NIST-CSF, HITRUST, or other industry-standard security frameworks, then we strongly recommend adopting the 405(d) program as an integral part of a comprehensive cybersecurity plan. Along the path to a stronger and more secure environment, HIPAA Security and Privacy assessments are the first steps but 405(d) takes your organization’s cybersecurity to the next level before adopting a robust cybersecurity framework that incorporates all these requirements, regulations and best practices under one umbrella. 


How do I learn more about 405(d)? 

We recommend
subscribing to the official 405(d) general communications to receive updates as soon as possible. Additionally, our team would be happy to explain how 405(d) can specifically benefit your organization. Reach out to one of Intraprise Health’s Security experts to learn more or look for additional news and content surrounding 405(d) and cybersecurity best practices on our blog.