We covered the release of HICP, or Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, back in February in the episode we called 5 Threats and 10 Protection Practices – Ep 189.  HICP has now been out for a bit and the next phases of the project are in process.  Today we discuss all things HICP with Erik Decker, who is the Health Sector Coordinating Council Co-Lead of the 405(d) Task Group that developed this tool to help our sector follow solid cybersecurity practices.

Erik Decker, Chief Security and Privacy Officer, University of Chicago School of Medicine, joined us to discuss the reception of HICP along with its development and where it goes next.  There is a great deal of value in using the tools and guidance included in the publications.  We highly recommend you evaluate it for use in your privacy and security program.

The CSA directives for the group were to define a common set of voluntary, consensus-based, and industry-led guidelines, best practices, methodologies, procedures, and processes to achieve three core goals:

1. Cost-effectively reduce cybersecurity risks for a range of healthcare organizations;

2. Support the voluntary adoption and implementation of its recommendations; and

3. Ensure, on an ongoing basis, that content is actionable, practical, and relevant to health care stakeholders of every size and resource level.

At the NIST/OCR conference, the panel Erik and Julie sat on mentioned the release of HIC-SCRiM.  In the opening it says “The JCWG Supply Chain Cybersecurity Task Group developed this supply chain cybersecurity risk management guide as a tool particularly targeted at smaller to mid-sized health organizations.”  We haven’t had an opportunity to spend a great deal of time reviewing it just yet, but we are excited to see another tool aimed at SMB groups.  It works from the NIST CSF, which we also include in our recommendations and tools as often as possible.

We will dig deeper into HIC-SCRiM and do an episode on it soon for all our listeners to reference.  Since we had you, we just wanted to throw in a quick question.  We know it isn’t your specific working group, but I found it particularly interesting that there is a template contract in the appendix that references the HICP 10 practices and sub-practices as expectations for vendors to meet.

This episode includes a lot of discussion outside our normal show notes process.  We just started talking, with about three or four things in mind to make sure we covered.  The conversation included so much great information that we will have him back for part 2 of the discussion next week.  Instead of reading the details, you really should listen to this episode.  At some point we may have detailed transcripts available but, for now, listen in for some great information.

We realize how much effort this whole project has required and appreciate the work put in by all the members of the task force.  Erik is one of many involved, but his name and face are out there associated with HICP more than most.  We are thrilled to have him on our show!

Resources we mentioned with Erik Decker about HICP

To contact the task force, send a note to

Cybersecurity Act of 2015 Section 405(d) Task Group

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients