This week, Hacking Healthcare begins by examining the draft of the European Commission’s Cyber Resilience Act (CRA) to understand the practical challenges it aims to address within the current regulatory framework for digital products and services, as well as where gaps may exist. We briefly break down the document’s contents and explain the impact it may have on the healthcare industry. Then, we cover the Cybersecurity and Infrastructure Security Agency’s (CISA) Request for Information (RFI) soliciting public input on the incident reporting and ransomware reporting aspects of the previously passed Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of Health-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)
PDF version:Hacking Healthcare 9.20.22 TLP White
Welcome back to Hacking Healthcare.
1. Overview of the Cyber Resilience Act
On September 15, the European Commission presented a proposal for a new EU-wide cybersecurity regulation, the Cyber Resilience Act (CRA). Described as the “first ever EU-wide legislation of its kind,” the proposal “introduces common cybersecurity rules for manufacturers and developers of products with digital elements, covering both hardware and software.”[i] While the text is far from finalized, it appears likely that it will have both direct and indirect impacts on the healthcare sector organizations.
Broadly, the CRA aims to improve cybersecurity safeguards for digital products on the market to reduce the number of exploited vulnerabilities and to prevent potential entry points for cyberattacks. Last year alone, the EU estimated that the global annual cost of software and hardware attacks amounted to roughly €5.5 trillion.[ii] The commission predicts that if the CRA is implemented, it could reduce the cost of cyber incidents by “roughly €180 – €290 billion annually.”[iii]
Based on the “security by design” approach, the CRA addresses three areas to promote more secure hardware and software: making cybersecurity mandatory; ensuring that manufacturers will remain responsible for their product’s cybersecurity throughout its life cycle; and better informing consumers about these parameters when choosing a product with digital elements.
While the legislation may sometimes be described as primarily affecting manufacturers and vendors of just smart IoT devices, the scope is much larger — covering any software, whether embedded or not, and requiring a mandatory conformance assessment for products that are deemed critical. However, there are notable exceptions that we will cover in the analysis section.
The CRA divides these into two classes of “critical products with digital elements,” reflecting the related level of cybersecurity risk:
- – Those regarded to be of “higher risk” like firewalls, smartcards, token, IoT devices for use by critical infrastructure providers under NIS 2,[iv] robot sensors and controllers, smart meters; and
- – Those regarded as “lower risk,” such as identity management system software, browsers, password managers, mobile device management software, remote access/sharing software.
Under the proposed EU rules, certain products will have to meet various cybersecurity requirements to be sold throughout member states. For example, when placing a product on the market, manufacturers should have “appropriate policies and procedures, including coordinated vulnerability disclosure policies to remediate potential vulnerabilities in the product.”[v] Manufacturers must ensure that vulnerabilities are handled effectively over the expected product lifetime or for five years after being placed on the market, whichever is shorter. Failure to comply with the essential cybersecurity rules can “prohibit or restrict that product being made available on its national market.”[vi] Offending companies may also face fines of up to €15 million or 2.5% of their global turnover, whichever is higher.
Similar to the incident reporting timeline of NIS 2, the CRA imposes short-term reporting obligations on manufacturers to report any actively exploited vulnerabilities contained in a product with digital elements, as well as any incident that impacts the security of products, to the European Union Agency for Cybersecurity (ENISA)[vii] within 24 hours of becoming aware of it. Additionally, the CRA would also require organizations defined as importers or distributors to report cybersecurity vulnerabilities in products with digital elements as they are identified.
Action and Analysis
2. CISA’s RFI on CIRCIA Incident Reporting
On September 12, the Cybersecurity and Infrastructure Security Agency (CISA) published a long-awaited Request for Information (RFI) regarding the cyber incident reporting provisions of the Critical Infrastructure Act of 2022 (CIRCIA).[viii] The RFI is an important opportunity for the private sector to weigh in on various aspects of the forthcoming incident reporting requirements, and they will help CISA understand the burdens and concerns facing private-sector entities across sectors.
As a reminder of how we got here, cyber incident reporting and ransomware payment reporting were elements of CIRCIA, which was passed earlier in the year. However, while the critical infrastructure provisions were written with baseline requirements by legislators, the details of who and what would be covered, along with other aspects, were left to a lengthy rulemaking process to be overseen by CISA. Part of that rulemaking process is the requirement to seek public input to help ensure that CISA understands the complexities of incident reporting and the burdens and concerns of private-sector entities in order to craft a balanced approach. The RFI and its accompanying listening sessions are the primary drivers for this public input.
CISA is particularly interested in:[ix]
- – Definitions for and interpretations of the terminology to be used in the proposed regulations;
- – The form, manner, content and procedures for submission of reports required under CIRCIA;
- – Information regarding other incident reporting requirements, including the requirement to report a description of the vulnerabilities exploited; and
- – Other policies and procedures, such as enforcement procedures and information protection policies, that will be required for implementation of the regulations.
To get more specific, some of the aspects this rulemaking is looking to determine include:
- – The meaning of “covered entity,” “covered cyber incident,” “substantial cyber incident,” and “supply chain compromise”;
- – What constitutes “reasonable belief” that a covered cyber incident has occurred?
- – When should the time for the 24-hour deadline for reporting ransom payments begin?
- – Guidelines or procedures regarding the use of third-party submitters.
This is not by any means an exhaustive list and is not meant to restrict commentators on the recommendations they would like to provide. Comments must be submitted by November 14, 2022 for consideration.
Action & Analysis
Tuesday, September 20th:
– No relevant hearings
Wednesday, September 21st:
– No relevant hearings
Thursday, September 22nd:
– No relevant hearings
– No relevant meetings
– No relevant meetings
Conferences, Webinars, and Summits
Contact us: follow @HealthISAC, and email at email@example.com
[iv] https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333 – The Network and Information Security (NIS) Directive is currently undergoing a revision that will expand its scope and security requirements for EU member states.