On March 15, the Cyber Incident Reporting for Critical Infrastructure Act was signed into law. This historic law will change how healthcare providers in the U.S. respond to cyberattacks and ransomware.
Gone are the days of an IT professional dictating what constitutes a cyber breach or whether or not a possible cyberattack is a reportable event. The law, in its current form, mandates that healthcare providers and other entities deemed to be part of critical U.S. infrastructure report a cyberattack of any kind to the Cybersecurity and Infrastructure Security Agency (CISA).
This new law creates a partnership between CISA and Health and Human Services. The two organizations will work closely together to gather forensic data from attacks launched against healthcare entities, with the goal of combating future attacks.
The director of CISA has not yet defined what constitutes a covered entity, and until that information is released, private practice dental professionals are not at risk of running afoul of the law by not self-reporting a cyberattack. However, it is likely that all healthcare providers will be deemed covered entities, much like the HIPAA Act of 1996.
Both CISA and the Department of Homeland Security recommend that entities "report the incident to CISA no later than 72 hours after the entity reasonably believes that such an incident has occurred." In addition, covered entities are also required to report any ransom payments made as a result of a ransomware attack to CISA no later than 24 hours after making the payment.
Covered entities that are required to report cyber incidents or ransom payments must also preserve all forensic data. This means that during or immediately following a cyberattack or ransomware event, a practice or their IT provider cannot change or delete data or programs from any device that was connected to the network at the time of the attack.
What impact does this have on the dental community?
The act was signed amid growing concern of retaliatory attacks targeting the U.S. due to the Russian invasion of Ukraine. Most cybersecurity experts anticipate an increase in the volume, severity, and sophistication of these threats. Healthcare providers were the No. 1 target for criminal hacking organizations in 2021, and that's not expected to change any time soon.
If the CISA director defines all U.S.-based healthcare providers as part of critical U.S. infrastructure and covered entities, then the law will impact all private dental professionals. The dental community continues to be heavily targeted by hacking groups, which can be attributed to the following two reasons:
- All dental offices store patient records that are very valuable to hackers. Most patient records include enough of the information hackers need to compromise a person's identity.
- Most dental practices have little to no effective, preventative cybersecurity measures in place. If having a firewall, antivirus software, and working with an IT provider were effective strategies, then cyberattacks wouldn't be wreaking havoc in the dental industry.
Operating in the cloud and relying on a cloud backup solution is also not an effective preventative strategy. A cloud-based office is only as secure as the workstations and network used to access the cloud. Almost all ransomware groups now steal a target's data before they encrypt it, and major groups have their own dark web auction site.
In most ransomware attacks launched against healthcare entities, a portion of the stolen data is published to these auction sites before the target is aware that their network has been compromised. If the hackers aren't successful in compromising the backup solution, then the target is extorted to pay the ransom for their patient records to be removed from an auction site. These attacks have become a no-win situation for all healthcare providers.
How is this new law different from the current HIPAA law?
The current HIPAA breach notification rule mandates that covered entities must self-report an incident only if there has been a proven breach of unsecured patient health information (PHI). If an investigation determines that there is a low probability that PHI was compromised, the covered entity is not required to self-report. Self-reporting an incident becomes mandatory only if an investigation determines that PHI was likely compromised. The affected entity has up to 60 days to self-report.
The new Cyber Incident Reporting Law mandates that all cyberattacks be reported within 72 hours of discovery. All ransomware payments made to threat actors must be reported within 24 hours of making the payment. The requirement leaves no time for an organization to conduct a full forensic investigation to determine whether or not PHI was compromised. Going forward, all cyberattacks must be reported, which is very different from the current HIPAA laws.
What should you do, and what should you definitely not do?
No one wants to fall victim to an invasive and debilitating cyberattack or ransomware event. Ransomware attacks today have become even more invasive; they are financially crippling and devastating to practices and to a business's reputation. The new reporting requirement makes an already difficult situation even scarier and will only increase the stress and invasive feeling created by the event.
To avoid finding yourselves in this situation, you must engage with a company that specializes in cybersecurity. Cybersecurity specialists have the tools, training, and experience to help you implement an effective security solution.
Working with a good IT or managed service provider is essential to any dental practice, as they play an important role in the setup and maintenance of your network. However, cybersecurity is not their area of expertise and not something they can implement. New-world problems call for new-world solutions, and engaging with cybersecurity specialists is no longer a "nice-to-have" option -- it is a must have, and it is the cost of doing business in today's world.
The one thing that you should never do under any circumstance is try to hide a cyberattack or ransomware event and/or think that the chances are low that anyone will find out. If you are successfully targeted by a hacking group, the attack will be discovered at some point. These organizations are very difficult to catch, but that doesn't mean that their criminal activities aren't being monitored.
Paul Murphy has over 20 years of experience in the technology field. He regularly leads training, webinars, and educational workshops on the latest trends in data security, particularly as they relate to the dental industry.
The comments and observations expressed herein do not necessarily reflect the opinions of DrBicuspid.com, nor should they be construed as an endorsement or admonishment of any particular idea, vendor, or organization.