New Cyber Incident Reporting Requirements

Posted on March 18, 2022 in Health Information Technology

Published by: Hall Render

New cyber incident reporting requirements are forthcoming from the Cybersecurity and Infrastructure Security Agency. Part of the just-signed Consolidated Appropriations Act of 2022 (H.R. 2471) that we wrote about here, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Act”) gives covered entities 72 hours to report to the Agency that a covered cyber incident has occurred. It also requires such entities to report ransomware payments within 24 hours, even if such payments are made in response to a ransomware attack that is not otherwise a covered cyber incident. These timelines are consistent with the trend in recent data security laws to accelerate the deadlines by which entities that maintain sensitive data must report data security incidents.

While final definitions for covered entities and covered cyber incidents will only come in a final rule that the Act requires to be promulgated within 42 months, hospitals should anticipate being subject to the rule. There are reporting exceptions for certain covered entities that already have separate obligations “to report substantially similar information to another Federal agency within a substantially similar timeframe.” However, those exceptions are subject to various conditions and do not apply to the data preservation obligations in the Act.

Among other provisions on which we will provide future updates, the Act also includes various information sharing and reporting requirements for the National Cybersecurity and Communications Integration Center. These requirements are designed to provide a more comprehensive view of the threat landscape posed by cybercriminals.

Practical Takeaways

Consistent with legal requirements and industry practices, potential covered entities should already have incident response plans that identify a lead to coordinate responses to potential security incidents, including required notifications to regulators and interested parties. Organizations anticipating that they may be included as covered entities under the Act should review those plans to align them with the new deadlines.

If you have any questions or would like additional information about this topic, please contact:

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot—outside of an attorney-client relationship—answer specific questions that would be legal advice.