Skip to Main Content

March 29, 2024
Health Law Weekly

CISA Proposes Cyber Incident Reporting Requirements

  • March 29, 2024

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) issued March 27 a proposed rule to set forth requirements for “covered entities” in “critical infrastructures sectors,” which would include some hospitals, drug manufacturers, and medical device makers, to report cybersecurity incidents and ransomware payments to the agency.

The proposed rule, which will be published in the April 4 Federal Register, is mandated by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Under the statute, covered entities must report to CISA certain cyber incidents within 72 hours after they reasonably believe such an incident has occurred. Covered entities also must report payments made in response to a ransomware attack within 24 hours of the payment.

“Implementation of CIRCIA will improve CISA’s ability to use cybersecurity incident and ransomware payment information reported to the agency to identify patterns in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyber attacks, and inform others who would be potentially affected,” the agency said.

CISA acknowledged that many covered entities “may be subject to multiple, potentially duplicative requirements to report cyber incidents.” To minimize the reporting burden as much as possible, CISA is considering ways to harmonize its regulation with other federal reporting regimes. For example, under the proposed rule covered entities that must report cyber incidents to another federal agency under substantially similar timeframes, could be exempt from separate reporting under CIRCIA if the CISA has an information sharing agreement with the federal agency receiving the report.

CISA pegs the cost of the proposed rule at an estimated $1.4 billion for the private sector and $1.2 billion for the federal government over 11 years.

The proposed rule provides a lengthy description of key terms, including “covered entity,” “cybersecurity incident,” and “critical infrastructure sector,” which includes health care and public health.

CISA noted that while many entities in the health care sector currently must report incidents to the Department of Health and Human Services under the Health Insurance Portability and Accountability Act Breach Notification Rule or to the Federal Trade Commission under the Health Breach Notification Rule, those requirements solely involve data breaches and do not require reporting for other types of cyber incidents that do not affect personal health information.

“In light of the sector’s broad importance to public health, the diverse nature of the entities that compose the sector, the historical targeting of the sector, and the current lack of required reporting unrelated to data breaches or medical devices, CISA proposes requiring reporting from multiple parts of this sector,” the rule said.

For example, CISA is proposing that hospitals with 100 or more beds or critical access hospitals be considered covered entities required to report under the statute.

“CISA is proposing to focus on hospitals, as they routinely provide the most critical care of these various types of entities, and patients and communities rely on them to remain operational, including in the face of cyber incidents affecting their devices, systems, and networks to keep them functioning,” according to the proposed rule.

Comments on the proposed rule will be due 60 days after publication in the Federal Register.