In 2015, the United States Congress passed the cybersecurity Act of 2015 (CSA), and within this
legislation is Section 405(d): Aligning Health Care Industry Security Approaches. As an approach to this
requirement, in 2017 HHS convened the 405(d) Task Group leveraging the Healthcare and Public Health
(HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership. The Task Group is
comprised of a diverse set of over 150 members representing many areas and roles, including
cybersecurity, privacy, healthcare practitioners, Health IT organizations, and other subject matter
The Task Group’s charge was to develop a document that is available to everyone at no cost and
includes a common set of voluntary, consensus-based, and industry-led guidelines, practices,
methodologies, procedures, and processes that serve as a resource to meet three core goals to:
1. Cost-effectively reduce cybersecurity risks for a range of health care organizations;
2. Support voluntary adoption and implementation; and
3. Ensure on an ongoing basis that content is actionable, practical, and relevant to healthcare
stakeholders of every size and resource level.
Progress || The Task Group assembled in May 2017 and since then, many achievements have been
made with this effort. The table highlights current accomplishments made by those involved.
The report below elaborates the current health industry cybersecurity best practices.