HHS 405(d) HICP 2025 edition updates medical device practices

Health Industry Cybersecurity Practices (HICP) 2025 refresh expands medical device practices and adds AI-specific considerations, raising the bar hospitals use during vendor risk reviews.

What changed

Expanded medical device practices section with stronger SBOM and asset inventory expectations.
New AI/ML practices that map directly to FDA's PCCP and SaMD guidance.

Action for manufacturers

Update vendor risk responses to reference HICP 2025 alignment; many large health systems now require a HICP self-attestation appendix.

Primary sources

HHS 405(d) program

Entry metadata

Date: Apr 1, 2025
Agency: HHS 405(d)
Type: Practices update
Status: Active
Impact: Medium
Last reviewed: Jun 5, 2026

Applies to

Health Industry vendors
MedTech providers selling into hospitals

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ FDA submissions.

Book strategy session Explore services