Reporting Healthcare Cyber Incidents Under New CIRCIA Rules


Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to pass new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law in March 2022.


While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes, you are not alone. Here is what you need to know about how to comply with CIRCIA’s new requirements.


Who Does the Law Affect?


For the purposes of the law, critical infrastructure refers to any agency, organization or business whose service disruption would harm national or economic security or public health and safety. Examples include financial services firms, energy companies and transportation organizations.


Because healthcare organizations directly affect public health and safety, they also fall into this category. Under the law, the healthcare sector spans organizations of every size, from single-provider offices to large healthcare systems.


The statute leaves the precise definition of a "covered entity" to CISA's rulemaking, so if your organization has questions about whether you are required to report, contact CISA.


What Does the Law Require?


While some specific details are still being settled through rulemaking, the legislation lays out the framework for future incident reporting in the healthcare industry. CIRCIA will require that:


Organizations falling under critical infrastructure report substantial cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA)
Covered cybersecurity incidents be reported within 72 hours of the organization reasonably believing the incident occurred
Paying a r ..
