CISA Seeking Comments on New Covered Cyber Incidents for Covered Entities such as Critical Access Hospitals

Comment by June 4. On April 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) will release its proposed rule to implement new reporting requirements outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Through this proposed rule, CISA is seeking public comment and input on policies requiring Covered Entities to report Covered Cyber Incidents and ransomware payments to CISA within 72 hours of the occurrence of a cyber-attack incident or 24 hours after the ransom payment has been made. The rule identifies 16 Critical Infrastructure Sectors, which include the Healthcare and Public Health sector, as being at risk for a Covered Cyber Incident. As part of the Healthcare and Public Health sector, the rule includes a hospital with 100 beds or more, or a Critical Access Hospital, as a Covered Entity. Covered Cyber Incidents experienced by a Covered Entity would be reportable regardless of which part of the organization suffered the impact. Other Covered Entities include Class II (moderate risk) and Class III (high risk) devices as classified by the U.S. Food and Drug Administration and manufacturers of drugs listed in Appendix A of the Essential Medicines Supply Chain and Manufacturing Resilience Assessment developed by the U.S. Department of Health and Human Services and the Administration for Strategic Preparedness and Response. In total, CISA estimates that over 300,000 entities from the 16 sectors would be covered by the Proposed Rule.
