Cybersecurity Response Plan

In March 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This new law will likely trigger changes to the cybersecurity response plans of many organizations.

While there is not currently a standard to enforce, healthcare providers and the companies that provide support services to them will be affected by this new law. 

CIRCIA Background

Attacks on critical infrastructure in America, such as the Colonial Pipeline ransomware attack in May 2021, prompted the passage of CIRCIA. The goal of CIRCIA (along with recent rules proposed by the Securities and Exchange Commission and a recent executive order issued by the President) is to bring more transparency and enhanced threat analysis and response to cybersecurity incidents.

The law affects 16 industries deemed part of our nation’s critical infrastructure. One of these industries is healthcare and public health. 

A request for information seeking public comment on the proposed rule was issued in September 2022. The director of the Cybersecurity and Infrastructure Security Agency (CISA) is responsible for submitting a rule within two years of CIRCIA being signed into law, and the final rule must be issued within 18 months of the initial notice of the proposed rule.

HIPAA and Cybersecurity

Don’t wait until CIRCIA goes into effect to put your incident response plan in place. Protect your business with HIPAA now!