DHS Releases Cyber Incident Reporting NPRM

April 1, 2024
Faridat Animashaun

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on March 27 released a notice of proposed rulemaking (NPRM) for the Cyber Incident Reporting Act (CIRCIA). CIRCIA was signed into law in 2022 and required CISA to develop and implement regulations requiring covered entities to report certain cyber incidents and ransomware payments to the federal government.

The rule applies to covered entities across critical infrastructure sectors, including Healthcare and Public Health. The rule states that entities within the Healthcare and Public Health Sector are essential to the maintenance of public health and uses three criteria to determine covered entities in this sector, including certain entities that provide direct patient care. Specifically, CISA proposes that covered entities include:

  • Any entity that owns or operates hospitals with 100 or more beds or critical access hospitals.
  • Certain drug and medical technology device manufacturers.

Under the rule, covered entities must submit a Covered Cyber Incident Report to CISA no later than 72 hours after the entity believes the covered cyber incident has occurred. Covered entities should submit Ransom Payment Reports no later than 24 hours after payment has been disbursed. These reports would be submitted through a CIRCIA Incident Reporting Form on CISA’s website or by telephone, email, or fax.

Proposed approaches to noncompliance include:

  • Issuance of a request for information.
  • Issuance of a subpoena.
  • Referral to the Attorney General to bring a civil action to enforce the subpoena or pursue potential contempt of court.
  • Other enforcement mechanisms, including potential acquisition penalties or suspension.

According to the rule, CISA would use the data it receives for trend and threat analysis, incident response and mitigation, and developing strategies to improve resilience.

The proposed rule will be published in the Federal Register April 4. Comments on the proposal are due June 3.

Contact Director of Policy Rob Nelb at rnelb@essentialhospitals.org or 202-585-0127 with questions.