What is 405.d and Why is it Important?
Written by Mark Ferrari, CEO of Latitude Information Security
“405.d” refers to section 405.d of the Cybersecurity Act of 2015. This (relatively short) section of the legislation calls for (to sum it up in very general terms) the establishment of common, voluntary cybersecurity guidelines for healthcare and public health organizations. The end result of this public and private collaborative initiative is the “Health Industry Cybersecurity Practices” (HICP).
By the letter of the law, compliance is voluntary, there is no penalty for not complying, and the law limits the ability to audit and mandate compliance.
That said, compliance with the Health Industry Cybersecurity Practices (HICP) and associated Cybersecurity Performance Goals (CPGs) stemming from 405.d is HIGHLY recommended in our opinion, and for many reasons:
- If you’re operating in the healthcare and public health industry and a breach of PHI occurs due to a security incident, you can count on scrutiny of your security program by numerous third parties. Depending on the situation, HHS/OCR may very well be one of those third parties. In that case you’ll want to have a firm grasp on where your program stands with respect to the HICP and associated CPGs. Arguably, having that grasp and following the HICP may in fact prevent incidents from occurring.
- The CPGs published by HHS align with the NIST Cybersecurity Framework – something that should be very familiar to those in information security roles.
- The CPGs encompass areas that should be addressed by any security program; dismissal of any of the proposed outcomes of the CPGs would be indicative of a much larger issue with a security program.
- In effect, the main task at hand is to assess the controls and practices already active in your security program against the CPGs. Given their alignment with NIST, this is not a heavy lift. Any deficiencies noted would warrant attention, not to demonstrate compliance, but to ensure proactive security measures are in place.
As stated directly and appropriately in the HICP, “cyber safety is patient safety.” As one who has spent many years as a pre-hospital care provider, I believe nothing could be more important.
For those interested in an assessment of 405.d compliance, contact Latitude to get the ball rolling. To learn more about 405.d, visit https://405d.hhs.gov