This week, Hacking Healthcare™ is all about cyber incident reporting. We begin with a brief update on the state of the Cyber Incident Reporting for Critical Infrastructure (CIRCIA) proposed rule. Next, we take a longer look at an European Union (EU) & United States (US) effort meant to help address the proliferation of divergent cyber incident reporting regimes.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
PDF Version:
TLP WHITE - 3.29.2024 -- Hacking Healthcare™
Text Version:
Welcome back to Hacking Healthcare™.
Cyber Incident Reporting for Critical Infrastructure (CIRCIA) Proposed Rule Arrives!
After a long two-year wait, the CIRCIA proposed rulemaking has arrived.[i]
As a reminder of what this is, CIRCIA was passed by Congress and signed into law in March 2022. It requires the Cybersecurity and Infrastructure Security Agency (CISA) “to develop and implement regulations requiring covered entities to report to CISA covered cyber incidents and ransom payments.[ii] While Congress laid down some required inclusions and guardrails for what this incident reporting regime would look like, such as requiring covered entities to report covered incidents within 72 hours, the details of who would be covered, what incidents would be covered, and the nature and content of the reports was broadly left up to a CISA rulemaking process.
The Health-ISAC and Healthcare and Public Health Sector Coordinating Council (HSCC) Cybersecurity Working Group have been engaged on this issue since the process started, and you can find their initial comments on how CISA should approach the initial draft in the following public comments submitted in late 2022:
https://www.regulations.gov/comment/CISA-2022-0010-0123
Now with the proposed rulemaking landing in the Federal Register, we finally get to see CISA’s current thinking. We plan to examine all 447-pages of the CIRCIA draft to assess its impact on the healthcare sector in an upcoming issue of Hacking HealthcareTM, so stay tuned.
For those attending the upcoming Health-ISAC Spring Summit, we just added a roundtable discussion to the agenda on this subject so we hope to see you there.
US & EU Cyber Incident Reporting Initiative
Among the most significant issues with cyber incident reporting for the private sector is the number of unaligned reporting regimes that entities are subject to. This problem is so significant that within the US, a special government council was created just to try and help coordinate and harmonize federal cyber incident reporting requirements.[i] However, this issue extends beyond national borders. Entities that operate globally face the increasingly daunting prospect of trying to comply with potentially dozens of different cyber incident reporting regimes with varying requirements. In recognition of this issue, the US and EU have taken the first steps towards potentially ameliorating this burden.[ii]
DHS and DG Connect Initiative
On March 20, the European Commission’s Directorate General for Communications, Networks, Content, and Technology (DG CONNECT) and the US Department of Homeland Security (DHS) jointly published a statement announcing an initiative to compare and try to align cyber incident reporting approaches.[iii], [iv] Officials from both organizations touted the effort as means to further collaborate on cybersecurity issues while also “[minimizing] the administrative burden on reporting entities.”[v]
The first step in this effort was to publish a report alongside the announcement. The report, titled, Comparative Assessment of the DHS Harmonization of Cyber Incident Reporting to the Federal Government Report and the Rules on Incident Reporting in the EU Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS 2 Directive), may not roll off the tongue, but it does accurately describe what it is.[vi]
The 16-page report provides an easy-to-follow comparison of DHS’s cyber incident reporting guidance with NIS 2 in terms of definitions, reporting thresholds, reporting triggers, timelines, reporting mechanisms, report contents, and more.
Next Steps
Iranga Kahangama, DHS Assistant Secretary for Cyber, Infrastructure, Risk and Resilience, has laid out where DHS and DG Connect may go from here.
“Over the next year our teams plan to continue our cooperation on a more technical level, including by mapping elements such as cybersecurity incident taxonomies, reporting templates, and the content of reports and formats. We will conduct an in-depth crosswalk of the DHS-developed Model Reporting Form against the NIS 2 required contents of reports to identify where there is overlap and disparities in the types of data being requested.”
Action & Analysis
**Included with Health-ISAC Membership* *
Upcoming International Hearings/Meetings
EU
- – No relevant meetings at this time
US
- – No relevant meetings at this time
Rest of World
- – No relevant meetings at this time
[i] https://public-inspection.federalregister.gov/2024-06526.pdf
[i] https://www.dhs.gov/news/2022/07/25/readout-inaugural-cyber-incident-reporting-council-meeting