While there is not yet a final rule to enforce, healthcare providers and the companies that provide support services to them will be affected by this new law.
The attacks on critical infrastructure in America, such as the Colonial Pipeline ransomware attack in May 2021, prompted the passage of CIRCIA. The goal of CIRCIA (along with recent rules proposed by the Securities and Exchange Commission and a recent executive order issued by the President) is to bring more transparency and enhanced threat analysis and response to cybersecurity incidents.
The law affects the 16 sectors deemed part of our nation’s critical infrastructure. One of these sectors is Healthcare and Public Health.
A request for information seeking public comment to inform the proposed rule was issued in September 2022. The director of the Cybersecurity and Infrastructure Security Agency (CISA) is responsible for publishing a proposed rule within two years of CIRCIA being signed into law, and the final rule must be issued within 18 months of that notice of proposed rulemaking.
What Will CIRCIA Do?
While we may not know everything about what the Cyber Incident Reporting for Critical Infrastructure Act of 2022 will do until the final rule is issued, we know some things. Healthcare organizations and others covered by the law will be required to report two categories of events: covered cyber incidents (CCIs) and ransomware payments made in response to ransomware attacks.
The statute directs CISA to define CCIs with reference to at least the following factors:
- Substantial loss of confidentiality, integrity, or availability of information systems or networks
- Serious impact on safety or resiliency of operational systems; disruption of business or industrial operations
- Disruptions accomplished through compromises of cloud service providers, managed service providers, third-party hosting providers, or supply chains
The CCI definition will also consider the sophistication or novelty of the attack, the type, volume, and sensitivity of the data affected, and the number of individuals or systems affected. It is likely that a breach by cybercriminals of the same protected health information (PHI) already governed by HIPAA would qualify as a CCI, although the exact thresholds will depend on the final rule.
The law will require CCIs to be reported to CISA within 72 hours of when the organization reasonably believes the incident has occurred, and ransomware payments to be reported within 24 hours of the payment being made. Victims of CCIs and ransomware payers must also provide supplemental reports promptly as substantial new or different information is discovered.
CIRCIA and HIPAA Cybersecurity Response Plans
Now that CIRCIA is law, having a HIPAA cybersecurity response plan is even more critical. Unfortunately, half of the healthcare organizations in the country do not have a cybersecurity response plan.
The HIPAA Security Rule's Security Incident Procedures standard (45 CFR 164.308(a)(6)) requires organizations to have policies and procedures to identify and respond to suspected or known security incidents, mitigate their harmful effects, and document the incidents and their outcomes. Organizations should also examine their incident response plans as part of the periodic (commonly annual) HIPAA Security Risk Assessment to help identify remediation gaps.
Policies and procedures should address any gaps discovered, and all employees should be trained on how to avoid cybersecurity incidents and how to recognize and report suspicious activity. With CIRCIA's deadlines in mind, the plan should also name who decides that a covered incident has occurred, who files the report with CISA, and how any ransomware payment is recorded, so that the 72-hour and 24-hour clocks can be met.
Compliancy Group will continue to watch as CIRCIA regulations are developed and will keep you updated as they evolve. Users of The Guard, our automated HIPAA compliance software, will be notified of any changes that affect their HIPAA compliance obligations.