On March 27, the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the Homeland Security Agency, released a proposed rule on cybersecurity incident reporting requirements related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) which was signed into law in 2022. CIRCIA requires covered entities to report to CISA covered cyber incidents within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred, and ransom payments made in response to a ransomware attack within 24 hours after the ransom payment has been made. This proposed rule implements and defines the requirements in CIRCIA.

What is a covered entity that applies to pathology?

• Hospitals
• Manufacturers of class II and III devices (which include digital pathology devices)
• Laboratories with annual revenue of over $41.5 million

What is a covered cyber incident?

• A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network.
• A serious impact on the safety and resiliency of a covered entity’s operational systems and processes.
• A disruption of a covered entity’s ability to engage in business or industrial operations or deliver goods or services.
• Unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise.

Implementation of CIRCIA will improve CISA’s ability to use cybersecurity incident and ransomware payment information reported to the agency to identify patterns in real-time, fill critical information gaps, rapidly deploy resources to help entities that are suffering from cyber-attacks, and inform others who would be potentially affected. Read more.

In a recent Washington Post article highlighting the reasons why medical providers are so vulnerable to hackers like the recent Change Healthcare ransomware attack, Deputy national security adviser Anne Neuberger said “The White House is examining what laws it can use to impose standards on a reluctant industry, while telling executives that they are expected to comply with voluntary guidelines immediately. The Hill has not passed any legislation providing authorities to mandate minimum standards, which is why we have been using sector emergency authorities or rulemaking.” She also said some requirements will come soon for providers that accept Medicare and Medicaid.

The CAP will continue to engage with the federal government on critical issues related to cybersecurity standards and reforms.