CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM


In 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was signed into law. According to Secretary of Homeland Security Alejandro N. Mayorkas, “CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors.”


While the law itself is on the books, the reporting requirements for covered entities won’t come into force until CISA completes its rulemaking process. As part of that process, the agency released a 447-page Notice of Proposed Rulemaking (NPRM), which was opened for public comment on April 4, 2024. The comment period closed on July 3, 2024. Here’s a look at what industry groups and organizations have been saying about the proposed rule, its impact and where it may come up short.


Healthcare: Concerns coalesce over duplicate requirements


Healthcare organizations are raising red flags over what they consider to be duplicate reporting requirements. Both the American Hospital Association (AHA) and the Medical Group Management Association (MGMA) are concerned that new rules under CIRCIA are effectively redundant versions of those outlined by HIPAA.


The AHA and MGMA argue that since healthcare organizations are already required to report breaches under the HIPAA Breach Notification Rule, similar requirements under CIRCIA will add more work without a corresponding benefit. They are especially concerned about potential penalties under the rule, which could see unreported incidents referred to the Attorney General and lead to civil actions or contempt o ..