According to recent reports, the Cybersecurity and Infrastructure Security Agency (CISA) is expected to finalize the rule implementing the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in September 2026. After the final rule goes into effect, covered entities in all 16 critical infrastructure sectors, including healthcare and public health, will have to report to CISA within 72 hours of when they have a reasonable belief that a covered cyber incident has occurred and ransomware payments within 24 hours.

CIRCIA’s clock does not require completion of a forensic investigation, sign-off from outside counsel, or board briefing. It starts when an organization suspects something big has happened. HIPAA’s 60-day window starts from the discovery of a breach of unsecured PHI, while CIRCIA’s 72-hour window starts from a reasonable belief that a covered cyber incident occurred.

The American Hospital Association has already called attention to the mismatch. In comments on CISA’s proposed rule, the AHA said that the reporting requirements might be contrary to the operational reality of running a hospital in the middle of an attack. The AHA also called for better definitions of asubstantialincident and for exemptions to account for smaller hospitals and critical access facilities, emphasizing that a 300-bed academic medical center and a rural critical access hospital do not have the same ability to respond to incidents.

 

Why the 72-hour window is complicated

Ransomware rarely announces itself the moment it happens. According to a 2026 review in Trauma Surgery & Acute Care Open, modern ransomware can involve a period of undetected access and reconnaissance before encryption becomes visible, mapping connected devices, servers, and backup systems before it ever encrypts a single file. The researchers note it is "not a matter of if but when a healthcare system will be hacked." By the time encryption activates and staff notice the EMR is down, the attacker has often already had long, undetected access, which means the 72-hour clock can start well before anyone has a clear picture of what was actually taken.

According to a review of major breaches in the first quarter of 2026 by Paubox, healthcare organizations need an average of 308 days to detect and contain breaches. The University of Mississippi Medical Center was hit with a ransomware attack on February 19, 2026, that caused its network to go down, including its Epic EHR system. It is the sort of incident that would trigger a 72-hour reporting requirement once CIRCIA is finalized, and it is happening while the response team is still trying to determine the scope.

Confidence and reality also do not align well right now. Paubox's Healthcare Email Security Maturity Index 2026 found that every single IT leader surveyed rated their organization's real-time breach detection asExcellentorGood, yet 58% of the same group said that over the past two years, organizations have experienced breaches through email, with 23% suffering multiple breaches. A regulatory regime that assumes organizations can quickly and accurately assesssubstantialimpact is landing on a sector that, based on Paubox’s survey findings, has been overconfident about how quickly and how well it actually detects incidents.

 

What this means operationally

CIRCIA’s core reporting obligations are not expected to change significantly between now and finalization, so waiting until the final rule to begin preparation is a risk in itself. There are some things worth doing now, regardless of the exact timing of September 2026:

  • Separatereasonably believefromconfirmedby creating a joint IT, legal, and compliance decision point for when a suspected incident starts the reporting clock, instead of waiting for forensic certainty that may take weeks.
  • Do not treat a CIRCIA report as satisfying HIPAA notification duties, or assume that HIPAA notification satisfies CIRCIA reporting.
  • Push vendor accountability into contracts now by requiring business associates to notify the covered entity of a suspected incident within hours, not on the vendor’s own timeline.
  • Treat incident communication as its own governed workflow, separate from detection tools, so IT, legal, compliance, and executive leadership can securely share evolving findings, control access, and preserve reviewable records during a live incident.

Where secure communication actually fits

Encryption has never been just about compliance, and Paubox’s own research shows that healthcare organizations still struggle with even the most basic requirements. Encryption and recipient experience were the lowest-scoring categories of any measured in the Maturity Index. 18% of organizations that had already been breached made no significant changes to their setup afterward.

Default encryption of email, as Paubox does for its customers’ outbound PHI, removes one manual judgment call from a chain that still requires a signed business associate agreement, trained staff, and a documented process for when a suspected incident becomes a reportable one. It is not a substitute for the incident response planning that CIRCIA is about to mandate, but it is part of the infrastructure that a faster reporting timeline requires.

Former OCR Director Melanie Fontes Rainer summed up the stakes simply,Patients have to be able to trust that sensitive health information is protected. CIRCIA bets that faster reporting will help build that trust. Compliance teams have a few months to respond to a question about whether healthcare’s current incident response infrastructure is prepared for how fastfastermeans now.

See also: HIPAA Compliant Email: The Definitive Guide (2026 Update)

 

FAQs

What kinds of incidents are covered as covered cyber incidents?

CIRCIA requires the rule to cover substantial cyber incidents, including those that cause substantial loss of confidentiality, integrity, or availability; have a serious impact on operational systems; disrupt business or industrial operations; are ransomware attacks; are zero-day exploits; or are compromised through a cloud provider, managed service provider, or supply chain provider.

 

Does CIRCIA require supplemental reports after the first filing?

CIRCIA requires the final rule to establish deadlines and criteria for supplemental reports when there is substantial new or different information, while also balancing CISA’s need for situational awareness with the organization’s ability to continue incident response and investigation work.

 

What if a hospital already reports similar information to another federal agency?

CIRCIA includes an exception where a covered entity is legally, contractually, or regulatorily required to report substantially similar information to another federal agency within a substantially similar timeframe.