What is the 405(d) effort?

405(d) is a program targeted at tackling the prevalent cybersecurity threat healthcare organizations face nationwide. The program aims to provide healthcare organizations of all sizes with the tools to mitigate these threats. 

Understanding the 405(d) effort

The 405(d) program is a collaborative initiative aimed at improving cybersecurity in the U.S. healthcare sector. The program landing page provides that, “The 405(d) Program is focused on providing organizations across the nation with useful and impactful HPH focused resources, products, and tools that help educate, raise awareness, and provide vetted cybersecurity best practices and strengthen the sector’s cybersecurity posture against cyber threats.”

The 405(d) Task Group brings together diverse stakeholders, including industry experts, government agencies like the Department of Health and Human Services, and members of the Health Sector Coordinating Council (HSCC). The program is especially relevant when considering the prevalence of healthcare data breaches with 34 breaches impacting over 4,000,000 records in September 2024. 

Related: HHS Task Force announces new cybersecurity resources

The output and focus points of 405(d)

• To improve cybersecurity in the healthcare sector to protect patient safety. 
• Provide practical security guidelines through the Health Industry Cybersecurity Practices (HICP). 
• Tailor recommendations are based on the size of the healthcare organization. 
• Address common cyber threats, especially phishing and malware attacks. 
• Encourage the need for identity and access management for system security. 
• Encourage collaboration between government, healthcare, and industry experts. 
• Promote cybersecurity as a shared responsibility across all levels of an organization. 
• Increase the resilience of healthcare operations against cyber attacks. 
• Educate healthcare workers on cybersecurity best practices. 
• Build long term cybersecurity strategies through the Health Industry Cybersecurity Strategic Plan (2024-2029).
  
  

How to apply the 405(d) program in healthcare practices

1. Identify the main cybersecurity threats: It is necessary to recognize the primary threats healthcare organizations face. The CISA is an example of an organization that updates upcoming and prominent threats to the sector. Understanding the risks helps prioritize safeguards. 
2. Follow the HICP guidelines: The HICP breaks down recommended practices for healthcare settings into simple and actionable steps. 
3. Adopt identity and access management (IAM): Secure access to sensitive data through IAM allows for the minimization of potential insider threats and improves system usage. 
4. Improve email security: Since more than 90% of cyberattacks start with phishing, healthcare practices should strengthen email security through means like HIPAA complaint email. 
5. Promote user-centric security practices: Staff should be able to recognize and report suspicious activity to handle patient information as well as potential cybersecurity situations. 
   
   

FAQs

What are Health Industry Cybersecurity Practices? 

These are guidelines that help healthcare organizations protect themselves against cyber threats. 

What is the role of the HHS? 

The HHS oversees public health, health policy, and programs like Medicare. 

What are the most common forms of cyberattacks?

The most common forms of cyberattacks in healthcare are phishing, ransomware, and malware attacks.