On March 15, President Biden signed into law the 2022 Consolidated Appropriations Act, a $1.5 trillion omnibus spending bill. One part of this is the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
This cyber law joins several other recent U.S. regulations and policies that address the increase in cyberattacks worldwide.
The new law focuses on data breach reporting requirements. For critical infrastructure, like the healthcare industry, the protection of sensitive information is crucial. With the growth of cyberattacks, healthcare covered entities must do everything possible to safeguard protected health information (PHI).
Strong cybersecurity policies and measures, such as those that address breach notification, are essential.
The Consolidated Appropriations Act provides money to federal agencies to carry out government programs. Much of the funding goes toward supporting the Ukrainian people and general challenges within the U.S.
A small part is the Cyber Incident Reporting Act, which imposes breach reporting requirements. It applies to "covered cyber incidents" and ransomware payments against critical infrastructure sectors defined by the Presidential Policy Directive 21.
The act imposes reporting and related requirements in the event of an incident or payment. Organizations must report to the Cybersecurity and Infrastructure Security Agency (CISA):
Furthermore, organizations must preserve all data relevant to the reported incident and/or payment. CISA operates under the Department of Homeland Security and will be responsible for clarifying the law. The Cyber Incident Reporting Act will more than likely not go into effect this year. Failure to comply may result in civil penalties and/or suspension and debarment from federal contracts.
The healthcare industry has its own reporting regulation: the HIPAA Breach Notification Rule (2009). HIPAA (the Health Insurance Portability and Accountability Act) protects the rights and privacy of patients.
After a breach, covered entities must follow certain reporting guidelines. This includes notifying:
Breaches affecting more than 500 individuals require notification within 60 days of discovery (or directly after an investigation). For breaches affecting fewer than 500 individuals, the incident must be logged within 60 days of the end of the calendar year. The Office for Civil Rights (OCR) lists the former on its Breach Notification Portal.
The Cyber Incident Reporting Act applies to all critical infrastructure sectors, not just healthcare. This includes public health, communications, critical manufacturing, and financial services. Healthcare organizations may need to report breaches to both OCR (under HIPAA) and CISA (under the Cyber Incident Reporting Act).
However, when and how depends on the type of breach. A "cyber incident" does not need to involve PHI while a HIPAA breach does. Moreover, the reporting window is much shorter for the Cyber Incident Reporting Act.
So why is it important to properly follow reporting requirements after a data breach?
Creating meaningful collaborations and dialogue makes it harder for cyberattackers to breach an organization's network, which is especially important to critical infrastructure industries like healthcare.
According to Errol Weiss, chief security officer of H-ISAC (the Health Information Sharing and Analysis Center) and co-chair of HSCC (the U.S. Healthcare and Public Sector), "Information sharing programs . . . produce significant benefit at low risk for the organizations that participate."
A good sharing plan can shed light on cybersecurity strengths and weaknesses and stop cyber threats from becoming problems. This is why an HSCC sharing guide from 2020 included best practices:
IT and security experts understand the importance of strong communication, which laws like the Cyber Incident Reporting Act should encourage.
When addressing the Cyber Incident Reporting Act, President Biden stated that “[the legislation] is . . . going to help face our — our challenges here at home. It sends a clear message to the American people that we’re investing in safety, health, and the future of Americans.”
As healthcare organizations understand, patient engagement and trust are vital for strong patient care.