Welcome to 2023. As in 2022, we are likely to see continuing escalation of cyber-intrusion threats to health-care entities and their data.
Health-care data breaches already are far from a trivial matter. According to one expert, there were more than 4,400 breaches involving 500 or more records each between 2009 and 2021, with the total number of health-care records disclosed topping 300 million.
At Bond, we will be tracking how our federal cybersecurity structure changes and adapts to these increased risks, what that means for health-care providers and the regulations that apply to them, and how these changes aim to protect health-care data integrity.
In March 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA. Covered entities under CIRCIA include some health-care organizations. As part of its rulemaking process, CISA issued a request for information last fall intended to inform its development of regulations that may fundamentally change the regulatory landscape. Review of the responses to the request for information is underway, and the implications of the results could be vast.
At a high level, CIRCIA ups the ante by requiring companies operating in the health-care space and in other “critical infrastructure” sectors to report cyber incidents within 72 hours and ransomware payments within 24 hours. In addition, because CIRCIA gives CISA the authority to develop those regulations, CISA may include further compliance requirements beyond what is currently required of health-care entities. This important rulemaking will continue to develop throughout 2023, but the reporting requirements will not take effect until after CISA’s rulemaking becomes final.
How does CIRCIA mesh with HIPAA and the various reporting requirements within that law? For instance, although CIRCIA appears to provide some allowance for avoiding duplicative reporting where a functionally similar reporting requirement is already in place (e.g., HIPAA), it may turn out that the existing reporting requirements under HIPAA (e.g., concerning breach notification, as enforced by the HHS Office for Civil Rights) fall below the bar and that CIRCIA will require more. CISA will have a lot of say on that, and this is the first major rulemaking that this relatively new agency is taking on.
The public comments submitted on CIRCIA by health-care entities are particularly telling. Organizations spell out concerns about duplication and unnecessary confusion; a number stressed the importance of cleanly implementing the CIRCIA provision that precludes CISA from requiring duplicative reporting (see CIRCIA at Section 2242(a)(5)(B)). Others emphasized that required reporting should comprise only the data absolutely necessary for governmental operations, so as to protect data integrity wherever possible and, where necessary, to allow ongoing “ransom” negotiations to continue out of the limelight when that benefits data-retrieval efforts.
As CISA develops CIRCIA regulations during 2023, Bond will be watching closely. In the meantime, we encourage readers to avail themselves of useful health-care cybersecurity resources, including those of the “405(d)” task group (of which this author is a member). And for those readers in New York state, the New York Healthcare Cyber Alliance (which this author co-chairs) continues its work of linking health-care delivery organizations to the resources that can improve their cyber posture.
Gabriel S. Oberfield, Esq., M.S.J. is a senior counsel in the New York City office of Syracuse–based Bond, Schoeneck & King, PLLC. As an experienced health-care attorney with health-care management expertise, Oberfield guides C-suite leaders on matters ranging from regulatory and legislative affairs to strategic planning, as well as legal issues affecting their organizations. This article is drawn and edited from the law firm’s Cybersecurity and Data Privacy Information Memo.