by Kapua Iao
Article filed in
President Biden signs Cyber Incident Reporting Act of 2022
by Kapua Iao
On March 15, President Biden signed into law the 2022 Consolidated Appropriations Act, a $1.5 trillion omnibus spending bill. One part of this is the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
For critical infrastructure, like the healthcare industry, the protection of sensitive information is crucial. With the growth of cyberattacks, healthcare covered entities must do everything possible to safeguard protected health information (PHI).
SEE ALSO: HIPAA compliant email
Strong cybersecurity policies and measures, such as those that address breach notification, are essential.
The Cyber Incident Reporting Act
The Consolidated Appropriations Act provides money to federal agencies to carry out government programs. Much of the funding goes toward supporting the Ukrainian people and general challenges within the U.S.
A small part is the Cyber Incident Reporting Act, which imposes breach reporting requirements. It applies to “covered cyber incidents” and ransomware payments against critical infrastructure sectors defined by the Presidential Policy Directive 21.
The act imposes reporting and related requirements in the event of an incident or payment. Organizations must report to the Cybersecurity and Infrastructure Security Agency (CISA):
- Covered cyber incidents no later than 72 hours after an incident
- Ransomware payments no later than 24 hours after payment
- Updates or supplemental information promptly
Furthermore, organizations must preserve all data relevant to the reported incident and/or payment.
CISA operates under the Department of Homeland Security and will be responsible for clarifying the law. The Cyber Incident Reporting Act will more than likely not go into effect this year. Failure to comply may result in civil penalties and/or suspension and debarment from federal contracts.
Cyber Incident Reporting Act vs. HIPAA
The healthcare industry has its own reporting regulation the HIPAA Breach Notification Rule (2009). HIPAA (Health Insurance Portability and Accountability Act) protects the rights and privacy of patients.
After a breach, covered entities must follow certain reporting guidelines. This includes notifying
- The Department of Health and Human Services
- Affected individuals
- The media
Breaches with more than 500 affected individuals require notification within 60 days of discovery (or directly after an investigation). Fewer than 500 means logging the incident within 60 days of year’s end. The Office for Civil Rights (OCR) lists the former on its Breach Notification Portal.
RELATED: What is HHS’ Wall of Shame?
The Cyber Incident Reporting Act applies to all critical infrastructure sectors, not just healthcare. This includes public health, communications, critical manufacturing, and financial services.
Healthcare organizations may need to report breaches to both OCR (under HIPAA) and CISA (under the Cyber Incident Reporting Act). However, when and how depends on the type of breach.
A “cyber incident” does not need to involve PHI while a HIPAA breach does. Moreover, the reporting window is much shorter for the Cyber Incident Reporting Act.
Why reporting is a critical part of cybersecurity
So why is it important to properly follow reporting requirements after a data breach?
- The cyber threat landscape evolves daily. Open communication encourages other organizations to improve cybersecurity. Sharing can create a (secure) chain reaction, making it difficult for threat actors to gain access to a network.
- Sharing information forces organizations to critically look at what happened and ensure that it and similar cyberattacks do not happen again. Strong communication creates trusted networks to disclose, discuss, and offer recommendations.
- Proper reporting demonstrates transparency and a willingness to fix things. Sharing information can keep anger, frustration, and possible lawsuits to a minimum.
- Knowing what and how to share information after a breach may save an organization from governmental violations, penalties, and fines.
SEE ALSO: What to do after you violate HIPAA?
Creating meaningful collaborations and dialogue makes it harder for cyberattackers to breach an organization’s network. Something especially important to critical infrastructure industries like healthcare.
Invest in a proper threat sharing program
According to the chief security officer of H-ISAC (the Health Information Sharing and Analysis Center) and HSCC (the U.S. Healthcare and Public Sector) co-chair Errol Weiss, “Information sharing programs . . . produce significant benefit at low risk for the organizations that participate.”
A good sharing plan can shed light on cybersecurity strengths and weaknesses and stop cyber threats from becoming problems. This is why an HSCC sharing guide from 2020 included best practices:
- Develop a program
- Identify goals and objectives
- Examine models for regulatory compliance
- Figure out who to share information with and how
- Obtain internal and legal approvals
- Decide what can (and can’t) be disclosed
IT and security experts understand the importance of strong communication, which laws like the Cyber Incident Reporting Act should encourage.
When addressing the Cyber Incident Reporting Act, President Biden stated that “[the legislation] is . . . going to help face our — our challenges here at home. It sends a clear message to the American people that we’re investing in safety, health, and the future of Americans.”
As healthcare organizations understand, patient engagement and trust are vital for strong patient care.