Breaking Down The Health Industry Cybersecurity Practices (HICP)

Posted by Gerry Blass

Gerry Blass, President & CEO, ComplyAssistant

President and CEO Gerry Blass sat down with HIMSS TV host Bill Siwicki on a recent episode of Digital Checkup. This video series features interviews with Bill and healthcare leaders and CEOs that span a range of topics from leadership, patient access, interoperability, telehealth, and more. In this specific episode, Bill asked Gerry about the new Health Industry Cybersecurity Practices (HICP) Final Rule and what it means for leaders who are working to strengthen their organization’s cybersecurity.

Blass explains that Health Industry Cybersecurity Practices was designed to manage cybersecurity threats and patients’ safety. The purpose is to provide small, medium, and large organizations with a guidebook for top threats and specific practices to mitigate them. The beauty of HICP is that it is a voluntary and incentive-based approach, so organizations have the choice to work towards compliance over a 12-month period. The goal is for everyone across the organization to learn measures needed to take steps toward compliance, not just the IT department.

The five most compelling threats as outlined by HICP are email phishing, ransomware, loss and theft of equipment, accidental data loss and attack of patient safety. Blass explained that in the last 25 years since the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed, there has been an uptick of cybersecurity attacks and challenges for IT professionals. The past year especially, with the impact of COVID-19 and the increased number of healthcare employees working remotely, has heightened the need for tighter measures and guidelines to protect patient data and information. HICP brings all of these issues to the forefront along with a clear plan for change.

Blass concluded the interview by sharing the ten best practices that provider organizations can employ to meet the requirements of the HICP law and improve their overall cybersecurity posture. These are discussed in the technical volumes in greater detail for small, medium, and large organizations. They include:

  1. Email protection systems
  2. Endpoint protection systems
  3. Access Management
  4. Data Protection & Loss Prevention
  5. Asset Management
  6. Network Management
  7. Vulnerability Management
  8. Incident Response
  9. Medical Device Security
  10. Cybersecurity Policies

To view the full episode of Blass’s Digital Checkup interview, visit here.