If you’ve got your ear to the ground, you may have heard about the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). Don’t worry if you didn’t hear about it until now though. It probably slipped by lots of dental practices because you don’t need to take action yet. However, it will impact you in the near future. We’ll break down what you need to know below.
The Cyber Incident Reporting Act is Designed to “Enhance the Situational Awareness of Cyber Threats”
The law’s goal is to give the federal government the information it needs to assess cyber threats to critical infrastructure sectors: the systems and networks in the United States that are vital to public health, safety, security, and economic security. In practice, it requires organizations in those sectors to report specific cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
The New Legislation Impacts Dentists
The reporting requirements will apply to entities across the critical infrastructure sectors, including energy, communications, emergency services, and healthcare and public health. Dental practices are healthcare providers, so they sit inside a covered sector. Exactly which healthcare entities count as “covered entities” (for example, whether very small practices are exempt) is left for CISA to define in its rule, so watch that rulemaking rather than assuming you are out of scope.
The Timeline and Exact Details Are Still Being Worked Out
Although CIRCIA was signed into law as part of the omnibus spending bill on March 15, 2022, many of the details remain unknown. CISA is responsible for defining which incidents trigger a report and which entities must report, and the reporting obligations do not take effect until its final rule does. The law gives CISA up to 24 months from enactment to publish a proposed rule and a further 18 months after that to finalize it, although full guidelines may arrive sooner given elevated cyber threat levels.
You’ll Need to Report Incidents and Follow Additional Guidelines
What we do know now is that dentists whose practices are covered entities will be required to:
- Report covered cyber incidents to CISA no later than 72 hours after the practice reasonably believes one occurred.
- Report any ransom payment made as a result of a ransomware attack within 24 hours of making the payment.
- Respond to CISA requests for information. If CISA has reason to believe an incident occurred but was not reported, it can request information and, if the entity does not respond, issue a subpoena.
- Preserve data related to the incident and submit supplemental reports as substantial new information emerges.
But, You May Qualify for an Exception
CIRCIA notes that organizations that are already required to report “substantially similar information to another Federal agency within a substantially similar timeframe” will meet the requirements, provided the agency has an “agency agreement and sharing mechanism” in place with CISA.
As a HIPAA-covered entity, you are already required to report breaches of unsecured protected health information (PHI) to the U.S. Department of Health & Human Services (HHS). Whether that reporting will satisfy CIRCIA has not been settled, and there are two reasons not to count on it: the HIPAA Breach Notification Rule allows up to 60 days from discovery (and only an annual report for breaches affecting fewer than 500 people), which is hard to call “substantially similar” to 72 hours, and not every reportable cyber incident is a PHI breach. Until CISA and HHS announce an agreement and sharing mechanism, plan to meet the 72-hour and 24-hour deadlines yourself.
Are You Ready?
Most dental practices assume they are fine. Unfortunately, many lack the basic safeguards HIPAA already requires, let alone the ability to detect an incident and report it within the mandated time limits. A practice that cannot tell whether an incident occurred cannot report it on time, and under CIRCIA an entity that fails to report can face a request for information and then a subpoena.
Take Steps Now to Secure Your Data and Prepare
If the American Dental Association’s recent “security incident” provides only one key takeaway, it’s that any organization is potentially vulnerable to cyberattacks. So, although the new guidelines won’t take effect just yet, now is the ideal time to shore up your security strategy.
- Perform a proper risk analysis. The HIPAA Security Rule already requires one. It will show you your practice’s specific vulnerabilities, so you know where to start and can avoid penalties.
- Back up your data. Good backups (both on-site and off-site, with at least one copy that an attacker on your network cannot reach or alter) ensure you’ll still have patient data even if you’re taken offline, hacked, or hit by ransomware. Test a restore periodically; a backup you have never restored is not yet a backup.
- Restrict access. Only allow admins to access your server and ensure users only have access to the data they need in your software.
- Run encryption and antivirus programs. Antivirus (or endpoint protection) helps catch malware before it runs, while encryption of your server and backups means stolen disks or copied backup files cannot be read. Encryption at rest does not protect data from an attacker who logs in with a valid user account, which is why access restrictions and strong authentication matter just as much.
- Stay updated. Update your software and computers whenever updates become available. They often include security patches that eliminate vulnerabilities hackers might otherwise use to gain access.
- Work with an IT Specialist. There are lots of working parts in cybersecurity. This may be something you want to outsource to ensure your systems are as secure as possible and that you have someone on hand to help if an incident occurs.
- Consider a cloud-based option. A cloud-based solution like ThriveCloud handles a lot of the heavy lifting. For example, backups and updates happen automatically in the background. You can even leverage tools like two-factor authentication and location-based login restrictions to improve HIPAA compliance and cybersecurity further.
You can also read “6 Computer Security Measures Your Practice Should Implement Today” or watch our on-demand webinar “Dental HIPAA Compliance and Cybersecurity Made Easy” for more tips and insights.
Get Help Prepping for the Cyber Incident Reporting Act
- Sign Up: Practice-Web is loaded with features to help keep your data secure. Click here for a complimentary demo.
- Get Support: Already using Practice-Web but not sure how to leverage our security features? Contact Support. (You will need Paid support. If your agreement expired, renew here.)
- Explore the Cloud: If you want to skip things like backups and take advantage of advanced security features, explore ThriveCloud.
- Talk to an IT Specialist: This blog was co-written by Practice-Web and HIPAA and IT specialist John Zanazzi. If you’d like a free IT security audit with him, visit SanDiegoHIT.com.