Skip to main content
    MedTech Cyber Tips
    The Ultimate Guide
    Updates
    Standards

    HHS 405(d) HICP 2026 refresh: what changes for MedTech manufacturers

    The Health Industry Cybersecurity Practices (HICP) 2026 refresh from HHS 405(d) tightens the manufacturer-facing sections, especially around SBOM disclosure to HDOs and coordinated vulnerability handling.

    Reviewed by ·Published ·Last reviewed July 2026

    HICP 2026 is out and, while HICP is written for healthcare delivery organizations, three of its practices bind manufacturers indirectly through HDO procurement:

    1. Medical device security practice: HDOs are increasingly asking for SBOMs, MDS2 forms, and end-of-support horizons at RFP time. If you can't deliver, you lose deals.

    2. Vulnerability management practice: HDOs expect a working CVD channel and a published disclosure timeline. They will test it during due diligence.

    3. Third-party risk management practice: HDOs are being asked to keep evidence that their device suppliers operate a security program. Expect security questionnaires to get longer and more prescriptive in the 2026–2027 procurement cycle.

    If your commercial team hasn't seen HICP 2026 yet, hand them the manufacturer-facing sections - the language HDOs use in RFPs is largely lifted from it.

    More updates