The country's cyber watchdog regulatory agency, CISA, plans to conduct a rule-making regarding proposed cyber incident reporting rules applicable to the “critical infrastructure” entities that fall within CISA's domain. Healthcare is one such area.
Hospitals, drug manufacturers, and medical device manufacturers could all be included in the proposed rules. The rules would require “covered entities” to report “substantial cyber incidents” to regulators within 72 hours in many cases.
Why It Matters
The scope of the CISA reporting rules could affect entities more broadly than other existing sector-specific rules such as HIPAA. Service providers would be part of the reporting chain, although not directly regulated in most cases; however, they can expect that their service contracts with covered entities will require them to adhere to the reporting requirements. In this way, the reporting rules will function much like HIPAA's business associate rules.
In addition, the types of incidents that could trigger a required report are defined broadly. In the notice of rulemaking, CISA proposes a definition of a “substantial cyber incident” that leads to any of the following:
- A substantial loss of confidentiality, integrity or availability of a covered entity’s information system or network;
- A serious impact on the safety and resiliency of a covered entity’s operational systems and processes;
- A disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services;
- Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by a:
(i) Compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; or
(ii) Supply chain compromise. - A “substantial cyber incident” resulting in the impacts listed in paragraphs (1) through (3) in this definition includes any cyber incident regardless of cause, including, but not limited to, any of the above incidents caused by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider; a supply chain compromise; a denial-of-service attack; a ransomware attack; or exploitation of a zero-day vulnerability.
/Passle/61f3627a0c51c3165820f0e7/MediaLibrary/Images/5ff4a070535488111cdbfec9/2024-01-17-18-25-18-859-65a81b8e3f5d760a89621ac7.png)
