Different framework documents. Same underlying control. Device inventory shows up first in every one of them.
Healthcare cybersecurity has accumulated a dense stack of framework documents since the HITECH Act amendments in 2021 introduced safe-harbor recognition for HICP-aligned programs. The frameworks differ in scope and audience, but they share one load-bearing assumption: the program already knows what is on the network. We produce that input once, in a form every framework's first control consumes. A short tour of the documents below.
HHS 405(d) Health Industry Cybersecurity Practices (HICP), 2023 Edition.
The HHS-recommended cybersecurity framework for healthcare. Two versions: Technical Volume 1 for small organizations, Technical Volume 2 for medium and large. Both contain ten Practices. The first one — and the prerequisite for most of the others — is device identification. Practice #2 (Endpoint Protection Systems) and Practice #9 (Medical Device Security) make this explicit. The Public Law 116-321 amendments to the HITECH Act mean that following HICP gives you mitigation credit if OCR investigates you. We feed the device-identification step that the rest of the practices build on.
HSCC HIC-MaLTS — Managing Legacy Technology Security.
The Health Sector Coordinating Council is the public-private group HHS coordinates with on healthcare-specific cybersecurity. HIC-MaLTS is its publication on what to do about medical devices that are past vendor support but still in clinical use. The document is candid: those devices will keep being used, manufacturers will not fix them, and the responsibility for compensating controls falls on the hospital. The first compensating control on every checklist is identification of the legacy device. We identify them by fingerprint, including devices whose vendor support ended before they were deployed to your floor.
HHS HPH Sector Cybersecurity Performance Goals (CPGs).
"HPH" stands for Healthcare and Public Health. The CPGs are voluntary baselines HHS published for the sector in 2024, with two tiers — Essential and Enhanced. They are increasingly being written into contracts between health systems and their business associates. The Essential tier opens with asset inventory; the Enhanced tier deepens the device-specific requirements. We produce the same inventory regardless of which tier you are working toward this fiscal year.
NIST IR 8374 — Cybersecurity Framework Profile for Ransomware Risk Management.
NIST's ransomware-specific application of the broader Cybersecurity Framework. It anchors on two Asset Management controls — ID.AM-1 (physical devices and systems inventoried) and ID.AM-2 (software platforms and applications inventoried). The HIPAA Security Rule crosswalk to the NIST CSF treats these as foundational. We feed both with a continuous source of truth rather than an annually refreshed spreadsheet.
FDA Premarket Cybersecurity Guidance (2023) and SBOM.
The FDA's 2023 guidance shifted cybersecurity responsibility upstream to medical-device manufacturers, including a requirement for a Software Bill of Materials (SBOM), the manufacturer's list of every software component inside the device. The downstream effect on hospitals: you now have a manufacturer-supplied component list to reconcile against the devices we identified on your network. The combination is more useful than either source alone.
HITRUST CSF (e1, i1, r2).
HITRUST is a third-party certification framework popular in healthcare contracting. It has tiers — e1 (entry), i1 (intermediate), r2 (rigorous) — that scale in scope and evidence requirements. All of them require asset inventory evidence. We supply the underlying inventory; your HITRUST assessor evaluates how it is used in your controls evidence. Note that HITRUST certification applies to your environment, not to the inventory tool — we are an input to your HITRUST submission, not a HITRUST-certified product.
A live walk-through and a conversation about your framework stack.
Bring the framework crosswalk you are working against this cycle and the gap analysis your assessor flagged.
Book a demo. 30-day pilot, no fee.