What Will CIRCIA Do?
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) leaves many details to CISA's rulemaking, but its core requirements are already known. Once the final rule is in effect, healthcare organizations and other covered entities will be required to report two categories of events to CISA – covered cyber incidents (CCIs) and ransomware payments made in response to ransomware attacks.
CIRCIA leaves the precise definition of a CCI to CISA, but the statute sets a floor. At a minimum, the definition must cover incidents that cause:
- Substantial loss of confidentiality, integrity, or availability of an information system or network
- Serious impact on the safety and resiliency of operational systems and processes, or disruption of business or industrial operations (including through a denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability)
- Disruption or unauthorized access caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise
The definition will also weigh the sophistication or novelty of the attacker's tactics, the type, volume, and sensitivity of the data involved, and the number of people affected. A cybercriminal breach of the protected health information (PHI) governed by HIPAA would therefore likely qualify as a CCI, although that will not be settled until CISA's final rule is in effect. A CIRCIA report to CISA is in addition to, not a substitute for, the notifications the HIPAA Breach Notification Rule requires to HHS, affected individuals, and, where applicable, the media.
The law will require covered entities to report a CCI to CISA within 72 hours of when they reasonably believe the incident has occurred, and to report a ransomware payment within 24 hours of making it (an entity that suffers a CCI and makes a payment may file a single report covering both). Reporters must also submit supplemental reports promptly as substantial new or different information comes to light, until they notify CISA that the incident has concluded and been fully mitigated.
CIRCIA and HIPAA Cybersecurity Response Plans
Now that CIRCIA is law, having a HIPAA cybersecurity response plan is even more critical: a 72-hour or 24-hour reporting clock is hard to meet without one. Unfortunately, half of the healthcare organizations in the country do not have a cybersecurity response plan.
The HIPAA Security Rule's Security Incident Procedures standard (45 CFR 164.308(a)(6)) requires organizations to have policies and procedures for identifying and responding to suspected or known security incidents, mitigating their harmful effects, and documenting the incidents and their outcomes. Organizations should also review their incident response plans as part of the annual HIPAA Security Risk Assessment to identify gaps that need remediation.
Policies and procedures should address any gaps discovered, and all employees should be trained on how to avoid cybersecurity incidents and how to recognize and report suspicious activity.
Compliancy Group will continue to watch as CIRCIA regulations are developed and keep you updated as things evolve. Users of The Guard, our automated HIPAA compliance software, will be notified if any changes that affect their HIPAA compliance need to be made.